Does your business operate in finance, tech, hospitality, government, or oil and gas? Then you should be extremely careful about the ongoing Office 365 phishing attacks that may target you soon.

They make use of visual CAPTCHAs and their perceived trustworthiness to avoid detection and trick victims. As you may already know, CAPTCHAs are used by large websites to determine whether a visitor is a human or not.

Some of them show a grid of pictures to choose from, or simply ask “Are you a human?” and have you tick a confirmation box.

But cybercriminals have given CAPTCHAs an equally effective but malicious purpose: defeating crawling systems and making the phishing landing page look real. An automated URL scanner cannot solve the challenge, so it never reaches the credential-harvesting page behind it and has nothing malicious to report.

What Does the Microsoft Office 365 Phishing Campaign Look Like?

(Image: Office 365 phishing CAPTCHA)

To increase their chances of going unnoticed, those behind the campaign front-loaded it with multiple fake CAPTCHAs (three, to be exact) that you must pass before reaching the landing page, which is a replica of the Office 365 login page.

As with almost every other phishing attempt, the goal here is to steal the usernames and passwords of corporate accounts, whether to reach and target individuals or to compromise entire networks with ransomware that destroys or leaks data.

The campaign was discovered and detailed by cybersecurity researchers at Menlo Security. It involves phishing emails containing links that lead to a webpage posing as a Microsoft Office 365 login portal.

It is very probable that the fake CAPTCHAs used here are customized for specific targets.

According to the researchers at Menlo Security (the source of many of the details reported here), the first CAPTCHA check shows only the checkbox mentioned above, with the text “I’m not a robot” next to it.

The second stage almost always asks the user to identify pictures of bicycles, while the third asks for crosswalks.
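To make concrete why a chain of CAPTCHAs defeats automated URL scanners, here is an added example in Python of the heuristic a defender's link scanner could apply. It is not code from the article or from Menlo Security; the page samples, the hostnames (`example.invalid`) and the allowlist of Microsoft sign-in hosts are all assumptions made for the example. The point it shows is that a crawler stuck on a CAPTCHA gate should return "unresolved" rather than "clean", and that a branded password form on any host outside the allowlist is a phish regardless of how many challenges preceded it.

```python
"""
Added example (not from the article or from Menlo Security): a small
URL-scanner heuristic that refuses to call a page "clean" when the
crawler never got past a CAPTCHA gate. All page samples are constructed.
"""
import re
from urllib.parse import urlparse

# Hosts that legitimately serve the Office 365 sign-in page.
# Assumption for this example; a real deployment would keep such a
# list under change control and extend it as needed.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Text fragments typical of the three challenge stages the article
# describes (checkbox, "select all images with ..."), plus the markup
# of the two common CAPTCHA widgets.
CAPTCHA_MARKERS = re.compile(
    r"i.?m not a robot|select all images with|g-recaptcha|h-captcha", re.I)
# A password field means the page is collecting credentials.
LOGIN_MARKERS = re.compile(r"""type=["']?password""", re.I)
# Branding that makes a credential form claim to be Microsoft's.
BRAND_MARKERS = re.compile(r"office\s*365|microsoft", re.I)


def classify_page(url, html):
    """Label one fetched page.

    Returns one of: 'captcha_gate', 'brand_login_on_legit_host',
    'brand_login_on_foreign_host', 'other'. Host comparison is exact,
    so 'login.microsoftonline.com.example.invalid' is foreign.
    """
    host = (urlparse(url).hostname or "").lower()
    if LOGIN_MARKERS.search(html) and BRAND_MARKERS.search(html):
        if host in LEGIT_LOGIN_HOSTS:
            return "brand_login_on_legit_host"
        return "brand_login_on_foreign_host"
    if CAPTCHA_MARKERS.search(html):
        return "captcha_gate"
    return "other"


def verdict(chain):
    """Decide for a crawl chain: a list of (url, html) pages in the
    order the scanner fetched them.

    The scanner cannot solve CAPTCHAs, so a chain that ends on a gate
    is 'unresolved' (detonate in a sandbox or hand to an analyst), not
    'clean'. An empty chain (fetch failed) is likewise unresolved.
    """
    labels = [classify_page(u, h) for u, h in chain]
    if "brand_login_on_foreign_host" in labels:
        return "phish"
    if not labels or labels[-1] == "captcha_gate":
        return "unresolved"
    return "clean"


def gate_depth(chain):
    """Number of consecutive CAPTCHA pages at the start of the chain."""
    depth = 0
    for url, html in chain:
        if classify_page(url, html) != "captcha_gate":
            break
        depth += 1
    return depth


# Constructed sample pages imitating the staged gate from the article.
GATE1 = '<form><input type="checkbox"> I’m not a robot</form>'
GATE2 = "<p>Select all images with bicycles</p>"
GATE3 = "<p>Select all images with crosswalks</p>"
FAKE_LOGIN = '<h1>Office 365</h1><input type="password" name="passwd">'
REAL_LOGIN = '<title>Microsoft</title><input type="password">'

BASE = "https://example.invalid/"  # constructed, reserved TLD
SAMPLE_CHAINS = {
    # What a crawler that stops at the first unsolvable gate sees.
    "crawler_blocked": [(BASE + "a", GATE1)],
    # All three gates, still no credential form reached.
    "three_gates": [(BASE + "a", GATE1), (BASE + "b", GATE2),
                    (BASE + "c", GATE3)],
    # The full path, as a sandbox with a human solver would see it.
    "full_chain": [(BASE + "a", GATE1), (BASE + "b", GATE2),
                   (BASE + "c", GATE3), (BASE + "login", FAKE_LOGIN)],
    # The genuine sign-in host.
    "legit": [("https://login.microsoftonline.com/", REAL_LOGIN)],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(f"{name:16} gates={gate_depth(chain)} verdict={verdict(chain)}")
```

The design choice worth noting is the three-way outcome. A scanner that reports only "malicious" or "clean" will silently mark a CAPTCHA-gated phish as clean, which is exactly the behaviour the attackers rely on; keeping "unresolved" as a first-class verdict lets the gated links be routed to a sandbox or an analyst instead.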

(Image: Office 365 phishing landing page)

There is a good side and a bad side to this story. 

After all these years, cybercriminals keep using the same tactics, and just by changing a few details they still succeed at high rates.

This applies to all online and email-based attacks, phishing included.

For example, a few days ago we reported on a fake Windows 7 “upgrade” scam.

And the tactic goes back to 2019, with a fake Google reCAPTCHA hiding a malicious landing page, and even further back to the early 2000s… So, while I’m not sure who’s behind this one, I can at least guarantee that it is still running.

Cybersecurity experts estimate that “the campaign started on September 21, 2020. It is currently active and ongoing, but with a lower success rate, as security vendors would have hopefully added protections for this campaign by now.”

My thoughts are that even if this Microsoft Office 365 phishing campaign stops, it is likely that new industries will be targeted next.

You can’t predict the future, but we can do something to avoid today’s consequences. First and foremost, as with every other threat on the World Wide Web, phishing can be avoided fairly easily with good awareness.

Here’s a brief guide we created on avoiding the consequences of phishing.

It covers several examples of email and phone-call phishing, and how to prevent both.

But this is not the only thing we want for you, or the only help available to you.

Because then you can finally migrate your email safely to the Office 365 platform.

Email is a prominent communication channel that won’t go away anytime soon. Our aim here is to help you recover your peace of mind with our cybersecurity and IT experts.