Cybercriminals are using CAPTCHA tests to break into enterprise Office 365 accounts

Cybersecurity specialists have detected an attack in which threat actors steal Office 365 access credentials using CAPTCHA tests, which are normally used to determine whether the visitors to a website are humans or automated programs (bots). In previous attacks, malicious hackers have proven capable of using these tests to evade automated scanning systems.

The goal of this attack is to use three CAPTCHA controls to redirect users to a fake Microsoft Office 365 login page.

According to the experts at the Menlo Security firm, threat actors try to make this phishing site look as real as possible, as users often associate CAPTCHA tests with the security of their information. This attack also allows hackers to bypass automated tracking systems that try to locate phishing attacks on the network.

Chaining multiple CAPTCHA tests is a common pattern: if the first challenge is defeated, the remaining ones, each using different images, act as an additional barrier. In this case, the user is redirected to a second CAPTCHA that requires them to select, for example, all the image tiles that show bicycles, followed by a third CAPTCHA that asks them to identify yet another image.

In the attack, users who pass all the CAPTCHA tests set up by the threat actors are redirected to a phishing site disguised as an Office 365 login page, where their credentials are harvested. Malicious hackers have previously used similar attacks to access Microsoft accounts. Months ago, security specialists also detected a phishing campaign that used sites disguised as subpoena delivery pages but was actually stealing Office 365 users’ credentials.

According to the researchers, this phishing campaign shows that cybercriminals keep refining their tactics in order to steal victims’ credentials.