Phishing Attack Using Fake Google reCAPTCHA to Steal Credential from Microsoft Users

Microsoft Google
Advisory ID:
March 16, 2021


A Microsoft-themed phishing campaign is using phony Google reCAPTCHA in an attempt to steal credentials from senior employees of various organizations. At least 2,500 such emails have been sent to senior-level employees, over the past three months. The emails first take recipients to a fake Google reCAPTCHA system page. Once victims “pass” the reCAPTCHA test, they are then redirected to a phishing landing page, which asks for their Office 365 credentials. After filling out the fake reCAPTCHA system, victims are then directed to what appears to be a Microsoft login screen.

Description & Consequence

The campaign begins with attackers sending victims phishing emails that appear to come from a unified communications system used for streamlining corporate communication. This email contains a malicious email attachment. Once the victims open the attached HTML file, they are redirected to a. xyz phishing domain which is disguised as a legitimate Google reCAPTCHA page in order to trick the users. After the reCAPTCHA is verified, the victims are sent to a fake Microsoft login phishing page. The login pages also contain different logos from the companies where the victims work. This reveals that attackers have done their homework and are customizing their phishing landing pages to fit their victims’ profile, in order to make the attack appear more legitimate. Once the victims have entered their login credentials on the attackers' site, a fake message "validation successful," is prompted to add legitimacy to the campaign.

Successful exploitation will allow the attackers to steal victims’ login credentials that will grant them access to valuable company assets.


  1. Avoid opening untrusted email attachments
  2. Avoid emails with .xyz, .online, etc domain extension.
  3. Educate employees and conduct training sessions with mock phishing scenarios.
  4. Keep all systems updated with the latest security patches.
  5. Deploy a web filter to block malicious websites.
  6. Encrypt all sensitive company information.
  7. Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.



Related Articles