
Gated Phishing and How BEC Continues to Evade Security Filters

Erin Kuffel
March 26, 2025

In the cybersecurity space, we know that phishing and business email compromise (BEC) attacks are becoming increasingly cunning and evasive. But how exactly do threat actors keep evolving their tactics? Recently, our team identified a new type of phishing campaign that’s not only highly targeted but also evasive and requires a gated CAPTCHA to proceed from the initial email to the actual phishing site. 

Below, we walk through our investigative process and the noteworthy findings that emerged.

Investigative Process

1. Alert: Microsoft Phishing Prevented

After an alert was fired for a Microsoft phishing attempt, our team investigated the steps leading up to the phishing page visit. Keep Aware prevents the user from interacting with the phishing site, but we want to safeguard users as early on in a malicious campaign as possible. So what happened?

Tracing back the user’s browser activity, we identified that the user had clicked an email link: the phrase “View message by clicking here.” was hyperlinked to a newly registered domain.

Screenshot. Part of the phishing email.

2. Link Redirects to Newly-Registered Domains

Analyzing our logs, we noticed an immediate redirect, a pattern commonly seen in evasive malicious campaigns. A quick WHOIS check showed that the initial domain was newly registered and less than one day old, which is an immediate red flag. It redirected the browser to another domain that had been registered at the same time as the original domain. Double red flags.

3. The “Keyed” CAPTCHA Gate 

After traversing these redirects, the user encountered a CAPTCHA challenge. However, this CAPTCHA was unique and different from what our team normally sees. Not only did it ask for the expected “type what you see” prompt, but it also required the target to enter the “passcode” or “key” provided in the original email.

This is a clever trick. By requiring a unique password or key—one that seems to be exclusive to the recipient—phishers add an extra layer of trust and believability. At the same time, it ensures that scanners or automated crawlers that stumble upon the URL can’t simply click through and see the final malicious landing page. Only someone with the right “passcode” would be allowed to submit the verification.

Screenshot. Gated CAPTCHA on malicious site requires a "passcode" provided in the phishing email.

4. Hidden Redirect URL

Without the unique passcode, our team scoured the web page to identify the code that directs the victim to the next step in this phishing sequence. If we can find the client-side code, we may be able to bypass the CAPTCHA form altogether. 

However, we found evidence that the instructions and subsequent phishing URL are not stored client-side. As the below JavaScript code snippet shows, the page receives instructions provided by the response from the attacker’s web server. If the form is completed with a valid “key”, the web page will display the targeted company’s logo and wait 3000ms (3 seconds) before redirecting to the next URL.

success: function(response) {
    // Every branch is driven by a status string chosen by the attacker's server;
    // the page itself holds neither the expected key nor the next URL.
    if (response.status === 'invalid_captcha') {
        document.getElementById('message').innerText = 'Incorrect Captcha Code, Try Again';
        document.getElementById('message').style.color = 'red';
        document.getElementById('message').style.display = 'block';

        // Refresh the captcha image
        document.getElementById('captchaImage').src = response.captcha;
    }
    else if (response.status === 'invalid_baseurl') {
        // The "key" is validated server-side as a base64 value
        document.getElementById('message').innerText = 'Invalid Base64 Key';
        document.getElementById('message').style.color = 'red';
        document.getElementById('message').style.display = 'block';
    }
    else if (response.status === 'success') {
        // Title and logo are returned by the server, tailored to the submitted key
        showPopup(response.fetchTitle + ' <p>Accessing Document for Your Company...</p>', response.fetchLogo);

        // Wait 3 seconds before redirecting to the server-supplied next hop
        setTimeout(() => redirect(response.final_url), 3000);
    }
}
…

5. The Suspicious Email: BEC and Base64 “Passcode”

Upon review of the email in question, it resembled an official message from a legitimate business. However, a few oddities stuck out:

  • It claimed to be from Mimecast, but it wasn’t.
  • The subject stated that there was a “New Message” from the sending company and even referenced a proposal number. (These are social engineering tactics we see regularly.)
  • The sender address was, in fact, a legitimate business email—one that had likely fallen victim to an earlier business email compromise (BEC) attack.
  • The email encouraged the user to “view a secure message” by clicking a link and using the provided “passcode.”

We then discovered the “passcode” was actually the victim’s email address but base64-encoded. This mechanism of requiring a unique key to proceed to the next step in a phishing campaign filters out a lot of automated and out-of-band security tools. It also personalizes the experience: once the correct “key” is entered, the phishing site can tailor messages or subsequent pages to the user’s organization by displaying, in this case, the appropriate company logo—making the whole ruse seem more authentic.
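One inline check this finding suggests, written here as an added example rather than anything from the campaign or Keep Aware's product: decode base64-looking tokens in a clicked URL or in a mail body and flag any that turn out to be an e-mail address (the recipient's own address is the strongest signal). The sample URL and mail text are constructed, and the tolerant decoding covers both base64 alphabets and stripped or percent-encoded padding.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Loose address shape, used only to confirm that a decoded blob is an e-mail.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Candidate tokens: standard or URL-safe base64 alphabet, padding optional.
# 12 characters is the shortest base64 for a plausible address such as a@b.cd.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")


def decode_base64_email(token: str):
    """Return the e-mail address a base64 token hides, or None if it is not one."""
    if not TOKEN_RE.fullmatch(token):
        return None
    # Fold the URL-safe alphabet into the standard one and restore stripped padding.
    normalised = token.replace("-", "+").replace("_", "/").rstrip("=")
    normalised += "=" * (-len(normalised) % 4)
    try:
        text = base64.b64decode(normalised, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def find_encoded_emails(text: str):
    """Scan a URL, query string or mail body for base64-encoded e-mail addresses."""
    hits = []
    for match in TOKEN_RE.finditer(unquote(text)):
        email = decode_base64_email(match.group(0))
        if email and email not in hits:
            hits.append(email)
    return hits


# Constructed samples (not from the campaign): the recipient's address as the "key".
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_KEY = base64.b64encode(SAMPLE_EMAIL.encode()).decode()  # YWxpY2VAZXhhbXBsZS5jb20=
SAMPLE_URL = "https://verify.invalid/captcha?k=" + SAMPLE_KEY.rstrip("=")  # padding dropped
SAMPLE_MAIL = "View the secure message with passcode: " + SAMPLE_KEY.replace("=", "%3D")

if __name__ == "__main__":
    for sample in (SAMPLE_URL, SAMPLE_MAIL, "nothing to see here"):
        print(sample, "->", find_encoded_emails(sample))
```

A mail gateway can run find_encoded_emails over the body and compare the hits against the envelope recipient; a match is a cheap, high-confidence indicator of this gated-key pattern.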

Screenshot. Part of the phishing email.

6. The Phishing Page: Considered “Safe”

After the CAPTCHA accepts the unique “key” submitted by the user, the browser displays “Accessing Document for Your Company...” along with the targeted company’s logo. From there, another rapid redirect leads to a fake Microsoft login page.

Interestingly, the domain hosting the final phishing page has existed for about three months. And, despite being a months-old phishing domain, all reporting security vendors on VirusTotal, including Google Safe Browsing, mark it as “clean”.

Screenshot. VirusTotal's report on the months-old malicious domain.

So why have so many automated security tools missed this phishing site? 

  1. Automatic Redirection: When visited directly (i.e., without the specific redirect sequence), the site sends the browser to the benign example.com. This evasion technique ensures that casual scanners, curious analysts, and out-of-band tools end up at a benign site—minimizing the chance of it being flagged and placed on threat intelligence feeds.
  2. Layered Redirects and CAPTCHA: Security tools that don’t follow the chain of redirects and provide the base64-encoded “key” will never see the actual phishing login page.

When organizational security depends upon out-of-band analysis tools and threat intelligence feeds, zero-day phishing will persist as a prominent security gap.

Overarching Findings

Why the Email Reached the Inbox

Phishing emails sometimes fail to pass advanced security checks because they arrive from suspicious or unrecognized senders. However, in this case, the attacker sent the email from a compromised, legitimate business email account with an existing “good” reputation. Also, text was appended to the phishing email to make it appear to be part of an existing email chain, further duping security filters.

So, the recipient’s email filters allowed it into the inbox, and the user’s trust was hijacked into clicking links they shouldn’t, highlighting the need for defense-in-depth security.

Churn-and-Burn Tactic

In under 48 hours, the young, initial sites in this campaign appear to be down. However, the older sites that appear after the gated CAPTCHA remain up and running. This behavior suggests that bad actors are churning and burning initial intermediary phishing sites, which are more likely to be flagged as suspicious or malicious, while keeping their final, gated landing pages operating smoothly in the shadows.

As attackers innovate their evasive techniques in phishing campaigns, detecting and preventing zero-day phishing sites is a must for proactively protecting against modern-day attacks.

Evidence of a Highly Targeted Attack

Upon successful CAPTCHA submission, the site's JavaScript code indicates it will show the company's logo, depending upon what (encoded) email address was provided. This evidence suggests the phishing attack was targeted.

Additionally, the "From" email address and the image used in the email are from a business operating in the same region as the targeted company, suggesting the phishing attack may have been highly targeted.

By tailoring social engineering tactics and leveraging trusted relationships, attackers are blurring the line between good and bad—requiring effective security strategies to take a nuanced approach.

The Path Ahead: Defending Against Evolving Phishing Threats

This new phishing campaign illustrates just how inventive cybercriminals have become. Leveraging a previously compromised business email and a multi-step phishing process—spanning multiple domains, a gated CAPTCHA requiring a unique “key,” and redirections to a fake Microsoft login—showcases a sophisticated approach to evading detection.

Ultimately, this campaign’s process mimics what we see at Keep Aware each day: bad actors leveraging trusted relationships, chaining together a series of evasive techniques, and relying on social engineering tactics to quietly dupe a user into providing business-essential credentials. At Keep Aware, we not only observe these evolving tactics but actively stop them by continuously refining our detection methods—striving to safeguard users from malicious sites as early as possible in an attack chain.

By sharing our investigative process and analysis, we hope to illuminate the complexity of modern phishing campaigns—and underscore the importance of inline security tools and the need for protection against zero-day phishing.
