Check Point Email Security | Blog

CAPTCHA This: Bypassing SEGs via reCAPTCHA

Written by Jeremy Fuchs | April 21, 2021

Traditional SEGs scan emails through filters that check URLs in emails against various static lists to determine how to treat each URL. Based on the decisions made by an SEG’s URL scan engine, the URL will either be allowed, securely wrapped, redacted, or the whole email itself will be kept from a user’s inbox.

One technique bypasses this approach to URL scanning, which SEGs use almost universally, by introducing a simple obstacle that is designed to be unbeatable by machines: CAPTCHAs, and more specifically Google’s reCAPTCHA.

One of the main tasks of reCAPTCHA challenges is to make content inaccessible to crawlers and scanners that do not pass the verification process; therefore, the malicious nature of the target websites will not be apparent until the CAPTCHA challenge is solved. Furthermore, the reCAPTCHA service makes connections to IP addresses that belong to Google and are already in an SEG’s allow list.

In the example explored here, the email has no body text; it has only an HTM attachment. In the last month, Avanan has seen 1.2 million HTM or HTML email attachments, and 1.1 million of those emails were clean, which tells us that end-users are used to seeing this file type and might trust downloading it.

Modern email clients will sometimes display the content of an attachment as a preview in the mail client itself. However, the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client cannot solve the CAPTCHA, so it has no way of determining the safety of the attachment’s actual content. Showing the preview therefore unnecessarily expands an end-user’s risk. Without the preview, the end-user would need to download the attachment and open the file.

Here's the source code of the HTM file:

 

This attack used a very common obfuscation technique: URL encoding, decoded with the JavaScript `unescape` function. Here's the string in the above screenshot decoded:

 

 

The malicious website, seen in the screenshot above, is where the end-user is served the reCAPTCHA:

 

Once the human verification process is completed, the victim gets redirected to the real phishing page, which resembles a Microsoft login page and has the victim’s credentials already filled in:

 

Businesses need to be protected with a sophisticated security solution that leverages AI to find malicious emails. Avanan’s AI was able to recognize this email as phishing with the highest confidence level due to the following reasons:

  • Links that have a suspicious pattern (suspicious as defined by the AI)
  • URL and UTF Encoding in the email’s headers and attachments
  • SPF failure
  • Low sender reputation
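
A static check for the `unescape` obfuscation described earlier, which is also the kind of "URL and UTF Encoding" signal in the list above. This is an added example, not Avanan's detection logic or code from the original post; the sample attachment, its meta-refresh redirect, the `.example` hostname, and the function names `decodePercent` and `scanAttachment` are assumptions made for illustration.

```javascript
// Constructed sample: a minimal HTM attachment that hides a redirect behind
// unescape(). The meta-refresh and the .example hostname are assumptions.
const SAMPLE_HTM = [
  '<html><body><script>',
  'document.write(unescape("%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D' +
    '%220%3Burl%3Dhttps%3A%2F%2Flogin.portal.example%2Fverify%3Fid%3D1%22%3E"));',
  '</script></body></html>',
].join('\n');

// Same semantics as the legacy unescape(): %XX and %uXXXX become code units.
// Malformed sequences are left untouched instead of throwing.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Find string literals passed to unescape(), peel encoding layers without
// executing anything, and report what the decoded text would do.
function scanAttachment(html, maxLayers = 5) {
  const call = /unescape\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1/g;
  const findings = [];
  for (const m of html.matchAll(call)) {
    let text = m[2];
    let layers = 0;
    while (layers < maxLayers) {
      const next = decodePercent(text);
      if (next === text) break; // nothing left to decode
      text = next;
      layers += 1;
    }
    findings.push({
      layers,
      decoded: text,
      urls: text.match(/https?:\/\/[^\s"'<>)]+/gi) || [],
      redirect: /http-equiv\s*=\s*["']?refresh|location\s*(\.href|\.replace)?\s*[=(]/i.test(text),
      recaptcha: /google\.com\/recaptcha|g-recaptcha/i.test(text),
    });
  }
  return findings;
}

for (const f of scanAttachment(SAMPLE_HTM)) {
  console.log(`layers=${f.layers} redirect=${f.redirect} urls=${f.urls.join(',')}`);
}
```

Literals assembled by string concatenation or fetched at runtime are not seen by this regex, so an empty result means "not detected", not "clean".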