Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords

Microsoft users are being targeted with thousands of phishing emails, in an ongoing attack aiming to steal their Office 365 credentials.
The attackers add an air of legitimacy to the campaign by leveraging a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of victims' companies.
Once victims "Pass" the reCAPTCHA test, they are then redirected to a phishing landing page, which asks for their Office 365 credentials.
Another phishing attack in February purported to be sent from a voicemail service and contained a link to play the voice message "Play Audi Date.wav," eventually redirecting victims to a malicious site with a reCAPTCHA message.
Both of the above examples show that reCAPTCHA continues to be used in phishing attacks, as the tactic successfully adds legitimacy to the attack. "Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020," noted researchers.
Microsoft Office 365 users have faced several sophisticated phishing attacks and scams over the past few months.
News URL
https://threatpost.com/google-recaptcha-phishing-office-365/164566/