Verify You are Human: How Legitimate CAPTCHAs are Concealing Phishing Attacks
2026-7-2 03:19:8 Author: pixmsecurity.com

Between June 23 and 30, the phishing we detected in enterprise browsers clustered around two themes that also dominated the week’s security headlines: fake e-card “invitations” that harvest corporate credentials and fake “virus” warnings that push victims to phone a scammer. Both leaned on infrastructure users are trained to trust to slip past reputation filters, including genuine CAPTCHA challenges that hide the page from scanners while reassuring the victim. Here’s what we saw.

Malicious Domains Observed

  • qavniro[.]vu
  • hovex[.]sbs
  • metrxevent51[.]top
  • celeebrationpartyy[.]one
  • check.apucv[.]vu
  • bakersflame[.]in (second-stage Google credential page)
  • viruswarning0625uski6ky2[.]z13[.]web[.]core[.]windows[.]net
  • viruswarning0626uspv0rkm[.]z13[.]web[.]core[.]windows[.]net
  • viruswarning0626usshj03g[.]z13[.]web[.]core[.]windows[.]net
  • viruswarning0630usphtcaw[.]z13[.]web[.]core[.]windows[.]net
  • 1012qhjrwepzzclfwtpzgghq-bqadcfaghxhvcegy[.]z03[.]azurefd[.]net
  • strmnflxsd.chf.40-81-246-96[.]cpanel[.]site

Scam callback numbers observed: +1 (888) 951-8555, +1 (888) 495-7216, +1 (888) 725-4102, +1 (877) 291-7893 (Windows), and +1-855-920-5991 (Mac).

Party Invitations That Steal Your Password — and Your OTP

The most persistent thread was a family of invitation- and document-themed lures. We detected pages skinned as Paperless Post, Punchbowl Post, Greenvelope, and Adobe Document Cloud — all real services — each fronting the same credential-harvesting kit.

On June 23, qavniro[.]vu presented a “Paperless Post” invitation; on June 24, hovex[.]sbs used a “Punchbowl Post” skin; on June 25, metrxevent51[.]top ran a “Greenvelope” version; and on June 29, check.apucv[.]vu dressed itself as an “Adobe Document Cloud” shared file. Different wrappers, identical machinery underneath.

The flow is always the same: pick your email provider (Outlook, Office 365, Yahoo, AOL, Gmail), then a login box appears.

Fake invitation page prompting the victim to choose an email provider to “view” the invite.

Enter your password and the page returns “Incorrect Password” — on purpose — to farm a clean second attempt. Then it asks for the one-time code “sent to your phone,” some versions running a five-minute countdown to rush you. Capturing that OTP is what lets an attacker walk straight past SMS- or authenticator-app MFA: the code carries nothing tying it to the site it was typed into, so the kit simply relays it to the real login before it expires.

The same kit’s fake “Incorrect Password” error, designed to capture a second, clean password entry.
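Why the relayed OTP works but a passkey would not is easiest to see in code. The following is an added example, not PIXM’s code and not part of the original post; it models the relying-party checks a site performs on a WebAuthn assertion (ceremony type, challenge, origin, rpIdHash, user-presence flag, signature counter, signature) and contrasts them with an OTP check. It is assumed that the legitimate site is login.example.com with RP ID example.com, and the authenticator’s ECDSA signature is replaced by an HMAC-SHA256 stand-in so the example runs with the standard library only; the binding logic is unchanged. The phishing origin is check.apucv[.]vu from the list above.

```python
"""Added example (not PIXM's code): a WebAuthn assertion signed on a phishing
origin fails the relying party's origin check, and patching the origin field
breaks the signature, whereas a captured OTP verifies wherever it was typed.

Assumptions (not from the post): RP ID example.com / origin login.example.com;
HMAC-SHA256 stands in for the authenticator's ECDSA key pair.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                     # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"   # assumed legitimate origin
PHISH_ORIGIN = "https://check.apucv.vu"   # origin taken from the post's IOC list

# Stand-in for the credential key pair: a real authenticator holds an ECDSA/EdDSA
# private key and the RP stores the public key. HMAC keeps this runnable offline.
_CREDENTIAL_KEY = b"constructed-credential-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_get_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID,
                          sign_count: int = 1):
    """Model of navigator.credentials.get(): the browser, not the page, writes the
    actual page origin into clientDataJSON, and the signature covers its hash."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = b"\x01"  # UP (user present) bit
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + flags
                 + sign_count.to_bytes(4, "big"))
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(_CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify_assertion(client_data: bytes, auth_data: bytes, signature: bytes,
                        expected_challenge: bytes, last_sign_count: int = 0):
    """Relying-party checks in the order WebAuthn section 7.2 lists them. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion made on {cd.get('origin')}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned credential?)"
    expected = hmac.new(_CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def rp_verify_otp(submitted: str, expected: str) -> bool:
    """An SMS/TOTP code carries no origin: whatever page the victim typed it into, it verifies."""
    return hmac.compare_digest(submitted, expected)


def relay_attempt(victim_origin: str, patch_origin: bool = False):
    """The kit fetches a real challenge from the RP, has the victim's browser sign it
    on victim_origin, and forwards the result. With patch_origin=True the kit also
    rewrites the origin field to the RP's before forwarding."""
    challenge = os.urandom(32)  # issued by the RP to the kit posing as a client
    cd, ad, sig = browser_get_assertion(victim_origin, challenge)
    if patch_origin:
        doc = json.loads(cd)
        doc["origin"] = RP_ORIGIN
        cd = json.dumps(doc).encode()  # signature no longer covers this blob
    return rp_verify_assertion(cd, ad, sig, challenge)


if __name__ == "__main__":
    print("legit   :", relay_attempt(RP_ORIGIN))
    print("relayed :", relay_attempt(PHISH_ORIGIN))
    print("patched :", relay_attempt(PHISH_ORIGIN, patch_origin=True))
    print("otp     :", rp_verify_otp("482913", "482913"))
```

The relayed assertion fails on the origin field, and an attacker who edits that field fails on the signature instead; the OTP passes either way, which is the whole difference between the two factors.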

Two details made the operation pop. First, the Greenvelope variant’s “Gmail” button peeled off to a separate second-stage Google phishing page at bakersflame[.]in — a reminder these kits chain across hosts. Second, and more telling: every one of these invitation domains hid behind Cloudflare.

On disposable TLDs — .vu, .sbs, .top, .one — not one of them resolved to the attacker’s own server. Each pointed at Cloudflare’s edge (the 104.21.x, 172.67.x, and 2606:4700:: addresses Cloudflare hands out), so the real origin stayed invisible and any reputation check saw nothing but Cloudflare. The Adobe-skinned check.apucv[.]vu went a step further and switched on Cloudflare’s genuine “Verify you are human” challenge — not a look-alike graphic, but the real managed-challenge gate, complete with a live __cf_chl token in the URL. That gate pulls double duty: it makes the page feel legitimate to a victim, and it turns away the automated crawlers and sandboxes that would otherwise flag the phish, helping it stay up longer.

This matches what consumer outlets reported all week. NBC Los Angeles documented a Southern California victim who lost more than $5,000 to an e-invitation phish, and by late June, warnings were circulating about combined Punchbowl and Paperless Post lookalikes. Paperless Post has confirmed it is aware of campaigns impersonating its brand. The tell is simple: real invitation services never make you log into your email to view a card.

Fake Virus Warnings, Hosted on Microsoft’s Own Cloud

The second theme was tech-support scareware delivered through paid ads. Between June 25 and 30 we repeatedly detected near-identical “Windows Support” pages on Microsoft Azure Blob Storage, all reached through Facebook ad links — the URLs carry Facebook’s utm_source=fb and fbclid tags. Each page cloned the Microsoft Support site, then buried it under cascading fake “System Error / Memory access violation” dialogs, a fake SmartScreen block naming “Trojan.Spy.Win32,” a “Windows Firewall has locked your session” prompt, and a scripted “Microsoft Support” chat — all funneling to a toll-free number. The pages were effectively identical; only the callback number rotated between deployments.

Fake Microsoft “Windows Support” scareware page hosted on Azure Blob Storage, reached via a Facebook ad.

This is the same playbook Netskope documented in February, when an ad-driven campaign staged Microsoft tech-support scams in Azure Blob containers and hit dozens of U.S. organizations within hours. Five months later it is still running — and still on Azure.

Mac users weren’t spared. On June 29 we detected a variant on Azure Front Door, Microsoft’s CDN, that flipped the branding to Apple: an “Apple_MacOS locked due to unusual activity” alert with a fake antivirus scan and the number +1-855-920-5991. This one fought back — it spawned runaway browser workers to freeze the tab if you tried to leave, looped an alarm sound, and offered a live chat to reach “an expert.” Hosting a fake Apple warning on Microsoft’s cloud is the entire point: the domain looks trustworthy.

Fake Apple/macOS “virus alert” scareware hosted on Azure Front Door.

A Netflix Look-Alike on Shared Hosting

Rounding out the week, on June 26 we detected a Netflix credential clone on a cpanel.site subdomain. It skipped the email step entirely — the victim’s address was already filled in, so it only asked for the password — and wrapped a fake reCAPTCHA “verification required” gate around the form to look legitimate and slow down analysis. The page was heavily obfuscated, a reminder that even a simple streaming-login phish now ships with evasion baked in.

Netflix credential-harvesting clone with a pre-filled email and a fake reCAPTCHA gate.

What to Do

  • Filter the trusted-cloud subdomains. Treat *.web.core.windows.net, *.azurefd.net, and *.cpanel.site links arriving via email or ads with suspicion (outright blocking those wildcards will also break legitimate static sites hosted there), block the specific domains above, and block or closely monitor the disposable TLDs they used (.vu, .sbs, .top, .one) where your environment can tolerate it.
  • Reset the “invitation” instinct. Legitimate invitation and document services never require you to log into your email provider to view a card or file — and a real virus alert never asks you to call a phone number.
  • Assume the OTP is a target too. A login page that returns “incorrect password” and then asks for a texted code may be harvesting both. Enforce phishing-resistant MFA (FIDO2/passkeys) that a fake OTP prompt cannot relay.
  • Distrust the trust cues. Cloudflare and Azure hosting, genuine “verify you are human” challenges, reCAPTCHA gates, and cloned support chats are all deployed specifically to make a scam look safe — and a Cloudflare address in a reputation check tells you nothing about who is behind it.
  • Judge the page, not the domain. Deploy browser-level protection that evaluates what a page looks like and how it behaves at the point of click — reputation is exactly what these campaigns borrow.
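A small triage pass that turns the indicators and hosting patterns from this post into checks is shown below. It is an added example, not PIXM’s code and not part of the original post. It flags exact matches against the domain list above, the trusted-cloud subdomains and disposable TLDs from the first bullet, the Facebook ad parameters (utm_source=fb, fbclid) seen on the scareware links, a Cloudflare managed-challenge token (__cf_chl…) in the URL, and, when the caller supplies the address the host resolved to, whether that address sits in Cloudflare’s published edge ranges (104.16.0.0/13, 172.64.0.0/13 and 2606:4700::/32, which contain the 104.21.x, 172.67.x and 2606:4700:: addresses mentioned above), so the IP tells you nothing about the real origin. The sample URLs in the test and the verdict thresholds are constructed assumptions.

```python
"""Added example (not PIXM's code): URL triage built from the IOCs and hosting
patterns in this post. Cloudflare edge ranges are the published
104.16.0.0/13, 172.64.0.0/13 and 2606:4700::/32; verdict rules are illustrative.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Defanged exactly as listed in the post; refanged once at import time.
_IOC_DEFANGED = (
    "qavniro[.]vu", "hovex[.]sbs", "metrxevent51[.]top", "celeebrationpartyy[.]one",
    "check.apucv[.]vu", "bakersflame[.]in",
    "viruswarning0625uski6ky2[.]z13[.]web[.]core[.]windows[.]net",
    "viruswarning0626uspv0rkm[.]z13[.]web[.]core[.]windows[.]net",
    "viruswarning0626usshj03g[.]z13[.]web[.]core[.]windows[.]net",
    "viruswarning0630usphtcaw[.]z13[.]web[.]core[.]windows[.]net",
    "1012qhjrwepzzclfwtpzgghq-bqadcfaghxhvcegy[.]z03[.]azurefd[.]net",
    "strmnflxsd.chf.40-81-246-96[.]cpanel[.]site",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real hostname/URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = frozenset(refang(d).lower() for d in _IOC_DEFANGED)
TRUSTED_CLOUD_SUFFIXES = (".web.core.windows.net", ".azurefd.net", ".cpanel.site")
DISPOSABLE_TLDS = frozenset({"vu", "sbs", "top", "one"})
CLOUDFLARE_RANGES = tuple(ipaddress.ip_network(n) for n in
                          ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"))


def is_cloudflare_edge(ip: str) -> bool:
    """True when the address is in Cloudflare's published edge space, i.e. the
    real origin is hidden and IP reputation says only 'Cloudflare'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def triage_url(url: str, resolved_ip: str = "") -> dict:
    """Classify a URL (defanged or not) using the patterns from the post.
    resolved_ip is optional and comes from the caller's own DNS lookup."""
    url = refang(url)
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    query = parse_qs(parts.query)
    reasons = []

    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc:known-domain")
    if host.endswith(TRUSTED_CLOUD_SUFFIXES):
        reasons.append("hosting:trusted-cloud-subdomain")
    if host.rsplit(".", 1)[-1] in DISPOSABLE_TLDS:
        reasons.append("tld:disposable")
    if query.get("utm_source", [""])[0] == "fb" or "fbclid" in query:
        reasons.append("delivery:facebook-ad")
    if any(k.startswith("__cf_chl") for k in query):
        reasons.append("gate:cloudflare-managed-challenge")
    if resolved_ip and is_cloudflare_edge(resolved_ip):
        reasons.append("origin:hidden-behind-cloudflare")

    # Illustrative policy: a listed IOC is blocked outright; any other signal
    # (trusted-cloud subdomain, disposable TLD, ad tag, challenge gate, hidden
    # origin) is sent for review rather than judged on reputation alone.
    if "ioc:known-domain" in reasons:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample inputs (not captured traffic).
    for u, ip in (("https://check.apucv[.]vu/invite?__cf_chl_tk=abc", "104.21.0.10"),
                  ("https://someorg.z13.web.core.windows.net/app?utm_source=fb&fbclid=XYZ", ""),
                  ("https://www.example.com/", "198.51.100.7")):
        print(triage_url(u, ip))
```

Feed it the URLs your proxy or mail gateway logs plus the A/AAAA answer you resolved yourself; a verdict of review with origin:hidden-behind-cloudflare is exactly the case where an IP-reputation lookup would have returned a clean Cloudflare address.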

If you are interested in seeing how PIXM can help prevent attacks like these for your organization, book a demo here: pixmsecurity.com/request-demo/


Article source: https://pixmsecurity.com/blog/blog/verify-you-are-human-how-legitimate-captchas-are-turning-the-tables-and-concealing-phishing-attacks/