
Analyzing Fake CAPTCHA Phishing
The emergence of fake CAPTCHA pages powered by AI-native development platforms represents a highly effective and evolving threat to an organization's security posture. This is not a classic malware delivery campaign. It's a sophisticated social engineering effort designed to build psychological trust and bypass traditional security defenses.
Adversaries are exploiting the very tools designed to simplify web development, platforms like Vercel and Netlify, to create highly convincing and disposable phishing infrastructure. The primary business risk is twofold: data theft, particularly of credentials, and the potential for long-term reputational damage. The credibility of these platforms, with their legitimate subdomains (e.g., *.vercel.app), makes it incredibly difficult for an unsuspecting user to distinguish a malicious site from a benign one.
The consequence of inaction is a significant blind spot. Relying solely on perimeter defenses like URL filtering and email gateways is insufficient, as these automated systems are often fooled by the initial CAPTCHA landing page, which is not flagged as malicious.
As a security team, we must ask: "What should we do about this threat?" We need to shift our focus from a purely technical defense to a layered, human-centric one. This includes updating our security awareness training to educate employees on the deceptive nature of these scams. It also means enhancing our technical capabilities not only to block initial domains but also to analyze redirect chains and monitor trusted subdomains for signs of abuse. A proactive stance is necessary to counter this blend of technical ingenuity and human manipulation.
Hunting Controls & Observations
Observing the behaviors associated with fake CAPTCHA pages requires looking at telemetry from multiple sources, as the attack chain spans from initial email delivery to web browsing and finally to the potential for credential exfiltration.
- Email Gateway Logs: The initial entry point is the email. Look for emails with suspicious sender addresses, urgent subject lines (e.g., "Password Reset Required"), and embedded URLs that lead to known legitimate subdomains of platforms like Vercel and Netlify.
- DNS & Web Proxy/Gateway Logs: A key behavioral indicator is a web request to a newly created or low-reputation subdomain on a legitimate hosting platform. Look for requests to *.vercel.app, *.netlify.app, and *.lovable.app that are outside of a known, sanctioned business use case. The chain of redirects from the initial URL to the final credential-harvesting page is a critical artifact to examine.
- Endpoint EDR/AV Telemetry: While the initial activity is web-based, if a user provides credentials and an account is compromised, the threat actor's follow-on actions could be visible on the endpoint. This includes new process executions, file writes, or network connections from the compromised system.
- Cloud Provider Audit Logs (Azure, AWS, GCP): If the phishing page successfully harvests credentials for a cloud environment (e.g., a Microsoft 365 login page), monitor for suspicious login attempts from new or unusual geographic locations, attempts to escalate privileges, or unusual API calls.
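The hunting logic described in the list above, as an added example that is not part of the Trend Micro article or of this summary: it parses constructed web-proxy log lines, flags requests to *.vercel.app, *.netlify.app and *.lovable.app hosts that are not on a sanctioned allowlist, rebuilds per-client redirect chains so that a lure that starts on a platform subdomain and lands on an unrelated host is surfaced, and applies the email-gateway check (an urgent subject combined with a link to an unsanctioned platform subdomain). The log layout, host names, allowlist entry and messages are all constructed assumptions, not any vendor's format and not real indicators.

```python
"""Hunting helper for fake-CAPTCHA lures on developer-platform subdomains.

Added example (not from the Trend Micro article): the log format, host names,
allowlist entry and messages below are constructed for illustration only.
"""
import re
from itertools import groupby
from urllib.parse import urlsplit

# Platforms named in the summary; any host under these suffixes is platform-hosted.
PLATFORM_SUFFIXES = (".vercel.app", ".netlify.app", ".lovable.app")
# Hypothetical sanctioned business use: a subdomain the organisation deploys itself.
SANCTIONED_HOSTS = {"marketing-site.vercel.app"}
# Urgency themes of the kind the summary cites ("Password Reset Required").
URGENT_SUBJECT_TERMS = ("password reset", "account suspended", "verify your account")

# Constructed proxy log layout (no vendor's format): ts client status url [-> location]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+)(?: -> (?P<location>\S+))?$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

SAMPLE_LOGS = """\
2025-09-22T09:00:01Z 10.1.2.3 200 https://marketing-site.vercel.app/pricing
2025-09-22T09:05:10Z 10.1.2.7 302 https://verify-account-8f2k.vercel.app/captcha -> https://secure-login-check.netlify.app/step2
2025-09-22T09:05:11Z 10.1.2.7 302 https://secure-login-check.netlify.app/step2 -> https://m365-portal-auth.example/login
2025-09-22T09:05:12Z 10.1.2.7 200 https://m365-portal-auth.example/login
2025-09-22T09:07:44Z 10.1.2.9 200 https://docs.python.org/3/
"""

SAMPLE_EMAILS = [  # constructed messages
    {"subject": "Password Reset Required",
     "body": "Confirm you are human: https://verify-account-8f2k.vercel.app/captcha"},
    {"subject": "Q3 pricing page is live", "body": "See https://marketing-site.vercel.app/pricing"},
    {"subject": "Action required: password reset", "body": "Call the helpdesk on ext. 4000."},
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_platform_host(host):
    return host.endswith(PLATFORM_SUFFIXES)


def is_unsanctioned_platform_host(host):
    """Platform-hosted and not on the allowlist: the 'outside a sanctioned use' case."""
    return is_platform_host(host) and host not in SANCTIONED_HOSTS


def parse_logs(text):
    """Turn the constructed log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unsanctioned_platform_hosts(events):
    """Distinct platform subdomains requested outside the sanctioned allowlist."""
    return sorted({host_of(e["url"]) for e in events
                   if is_unsanctioned_platform_host(host_of(e["url"]))})


def redirect_chains(events):
    """Rebuild per-client chains by matching each request against the Location
    the same client was just sent to. Chains with no follow-up request are kept."""
    chains = []
    ordered = sorted(events, key=lambda e: (e["client"], e["ts"]))
    for _, evs in groupby(ordered, key=lambda e: e["client"]):
        pending = {}  # expected next URL -> chain so far
        for ev in evs:
            chain = pending.pop(ev["url"], [])
            chain.append(ev["url"])
            if ev["location"]:
                pending[ev["location"]] = chain
            elif len(chain) > 1:
                chains.append(chain)
        chains.extend(c for c in pending.values() if len(c) > 1)
    return chains


def suspicious_chains(events):
    """Chains that start on an unsanctioned platform subdomain (the CAPTCHA page a
    scanner sees) and end on an unrelated host (the page the user actually reaches)."""
    return [c for c in redirect_chains(events)
            if is_unsanctioned_platform_host(host_of(c[0]))
            and not is_platform_host(host_of(c[-1]))]


def flag_emails(messages):
    """Urgent subject combined with a link to an unsanctioned platform subdomain."""
    hits = []
    for msg in messages:
        urgent = any(t in msg["subject"].lower() for t in URGENT_SUBJECT_TERMS)
        bad = [u for u in URL_RE.findall(msg["body"])
               if is_unsanctioned_platform_host(host_of(u))]
        if urgent and bad:
            hits.append((msg["subject"], bad))
    return hits


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("unsanctioned platform hosts:", unsanctioned_platform_hosts(events))
    for chain in suspicious_chains(events):
        print("suspicious chain:", " -> ".join(chain))
    for subject, urls in flag_emails(SAMPLE_EMAILS):
        print("flagged email:", subject, urls)
```

The redirect-chain view is the artifact the list calls critical: a scanner that only renders the initial CAPTCHA page stops at the first hop, while the proxy log shows where the same client actually ended up, so the allowlist of sanctioned platform subdomains has to be maintained by the team that deploys them or every legitimate Vercel or Netlify site becomes a false positive.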
Additional observations of the attack included the following indicators:
- Browser processes spawning with suspicious command-line arguments.
- Network traffic to newly registered domains (NRDs).
- Script execution from CAPTCHA-like forms not tied to trusted providers.
MITRE Enterprise ATT&CK Tactics and Techniques
The Static Tundra methodology aligns with several MITRE ATT&CK techniques, focusing on persistence and stealthy data exfiltration rather than noisy, destructive attacks.
Initial Access (TA0001):
- T1566: Phishing: The core of the attack. Phishing emails with urgent themes redirect users to malicious URLs.
Execution (TA0002):
- T1204.001: User Execution: Malicious Link: The user is tricked into clicking the URL, initiating the attack chain.
Persistence (TA0003):
- T1136: Account Creation: Use of stolen credentials to create backdoor accounts.
Defense Evasion (TA0005):
- T1036: Masquerading: The use of legitimate-looking subdomains (*.vercel.app) to bypass reputation-based security controls and deceive users.
- T1497: Virtualization/Sandbox Evasion: The fake CAPTCHA challenge is used to evade automated scanners and sandboxes, which often only see the initial page and do not follow the redirect to the final phishing site.
Credential Access (TA0006):
- T1552.001: Steal Credentials from Web Browsers: The final phishing page harvests credentials directly from the user's input.
Discovery (TA0007):
- T1016: System Network Configuration Discovery: Use of native commands like show cdp neighbors to map the internal network without active scanning.
Collection (TA0009):
- T1005: Data from Local System: The stolen credentials are a form of data collection.
Source and Credits
This summary is based on professional threat intelligence analysis from Trend Micro, which highlights a new wave of phishing attacks using AI-native development platforms.
The article is titled "How AI-Native Development Platforms Enable Fake Captcha Pages."
The content was last referenced on September 22, 2025.