Threat actors have developed a sophisticated phishing campaign using long-lived domains combined with custom CAPTCHA pages and anti-automated analysis techniques to bypass secure email gateways. This multi-layered approach effectively thwarts both automated and manual security analyses, facilitating credential theft via Microsoft login spoofing. #LongLivedDomains #CustomCAPTCHA #CredentialPhishing
Keypoints
- Threat actors exploit long-lived domains (LLDs), which have a benign history, to bypass security detection in phishing campaigns.
- Custom CAPTCHAs prevent automated analysis by recognizing human-like mouse movements and blocking non-browser user agents.
- Secure email gateways' user-agent detection is circumvented by redirecting automated tools to benign pages instead of malicious content.
- Phishing emails deliver links to compromised LLDs that serve as intermediaries before redirecting victims to credential-phishing sites.
- The final phishing page spoofs Microsoft Live login, collecting credentials that are then exfiltrated to threat actor endpoints.
- Newer CAPTCHA implementations and anti-automated measures make traditional security responses ineffective.
- This campaign demonstrates a high level of sophistication by combining long-lived domains, CAPTCHA challenges, and user-agent filtering.
MITRE Techniques
- [T1566] Phishing: Use of credential phishing emails that bypass secure email gateways by leveraging compromised long-lived domains.
- [T1588.001] Obtain Capabilities: Phishing: Deployment of custom CAPTCHA pages and anti-automated analysis measures to evade detection.
- [T1221] Template Injection: Spoofed Microsoft Teams and Live login pages used to collect credentials from victims.
- [T1204.002] User Execution: Malicious Link: Victims tricked into clicking links that lead through compromised LLDs to phishing pages.
Indicators of Compromise
- [Domains] Compromised long-lived domains: gracebaptist-church[.]org and other similar LLDs used as intermediaries in the phishing chain.
- [JavaScript] User-agent detection scripts: JavaScript code used to block secure email gateway user agents and prevent automated analysis.
- [URLs] Phishing redirect URLs: Links embedded in phishing emails redirecting users through LLDs to custom CAPTCHA and credential harvesting pages.
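The two evasion traits listed above (user-agent gating that redirects scanners to a benign page, and a mouse-movement gate in front of the credential form) leave traces a sandbox can look for. The following is an added example of such a triage check written for this summary; it is not code from the Cofense post or from any of the campaigns it describes. It scans the inline JavaScript of a fetched landing page for a user-agent test that feeds a redirect and for a mousemove listener that unlocks form content, and it compares the body served to a browser-like client against the body served to a scanner-like client, since a large difference is the cloaking behaviour the summary describes. All three sample pages are constructed for illustration; the `example.invalid` host, `Verdict` class and `analyse` function are this example's own names.

```python
"""Triage heuristics for landing pages that gate on user agent or human
interaction. The samples below are constructed, not real captures."""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional

# A user-agent test in the same script body as a redirect is the pattern that
# sends automated clients to benign content while browsers continue.
UA_CHECK = re.compile(r"navigator\.userAgent|navigator\.webdriver", re.I)
REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)|location\.replace\(", re.I)
# A mousemove listener that re-enables a disabled input is the "human-like
# mouse movement" gate in front of the credential form.
MOUSE_GATE = re.compile(r"addEventListener\(\s*['\"]mousemove['\"]", re.I)
UNLOCK = re.compile(r"\.disabled\s*=\s*false|removeAttribute\(\s*['\"]disabled", re.I)


@dataclass
class Verdict:
    ua_gating: bool
    mouse_gating: bool
    cloaking_similarity: Optional[float]  # None when only one fetch was supplied
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        cloaked = self.cloaking_similarity is not None and self.cloaking_similarity < 0.5
        return self.ua_gating or self.mouse_gating or cloaked


def inline_scripts(html: str) -> List[str]:
    """Return the bodies of all inline <script> blocks."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)


def analyse(browser_body: str, scanner_body: Optional[str] = None) -> Verdict:
    """Static checks on the browser-fetched page, plus an optional differential
    check against the body returned to a scanner-like user agent."""
    scripts = "\n".join(inline_scripts(browser_body))
    ua_gating = bool(UA_CHECK.search(scripts) and REDIRECT.search(scripts))
    mouse_gating = bool(MOUSE_GATE.search(scripts) and UNLOCK.search(scripts))
    reasons = []
    if ua_gating:
        reasons.append("user-agent test feeds a redirect")
    if mouse_gating:
        reasons.append("mousemove listener unlocks form content")
    similarity = None
    if scanner_body is not None:
        similarity = SequenceMatcher(None, browser_body, scanner_body).ratio()
        if similarity < 0.5:
            reasons.append(f"scanner UA received a different page (similarity {similarity:.2f})")
    return Verdict(ua_gating, mouse_gating, similarity, reasons)


# Constructed sample: a gating page of the kind the summary describes.
GATED_PAGE = """<html><body>
<form id="login"><input name="password" disabled></form>
<script>
  if (/bot|crawler|scanner/i.test(navigator.userAgent)) {
    window.location.href = "https://example.invalid/benign";
  }
  document.addEventListener("mousemove", function () {
    document.querySelector("input").disabled = false;
  });
</script></body></html>"""

# Constructed sample: what the same URL returned to a scanner-like user agent.
BENIGN_PAGE = ("<html><body><h1>Welcome to our parish</h1>"
               "<p>Service times are posted weekly.</p></body></html>")

# Constructed sample: a harmless page that also listens for mousemove.
NORMAL_PAGE = """<html><body><canvas></canvas>
<script>
  document.addEventListener("mousemove", function (e) { draw(e.clientX, e.clientY); });
</script></body></html>"""

if __name__ == "__main__":
    for name, verdict in (("gated", analyse(GATED_PAGE, BENIGN_PAGE)),
                          ("normal", analyse(NORMAL_PAGE))):
        print(name, "suspicious" if verdict.suspicious else "clean", verdict.reasons)
```

In practice both fetches would come from the sandbox's own HTTP client, once with a real browser user agent and once with the gateway's scanner identity; the differential check is what catches the redirect-to-benign trick even when the gating script is obfuscated beyond what the static regexes recognise.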
Read more: https://cofense.com/blog/immunity-evasion-defeating-security-with-active-measures-long-lived-domains