AgriLife Information Technology

Don’t Get CAPTCHA’d By This New Phishing Technique!

Microsoft warns that attackers are now employing a more sophisticated email phishing attack technique.

The attack uses links that redirect to a CAPTCHA page before again redirecting to a realistic-looking login website to get you to enter your credentials twice.

The multiple redirects and the CAPTCHA page used in this type of attack:

  • Help it go undetected by avoiding spam/phishing protections.
  • Disguise the true destination of the attacker’s website.

How the attack works

The phishing emails will appear to be from a widely used service, such as Microsoft or Zoom.

If you hover over the links in the email, you might not notice the malicious website buried within the lengthy URL.

Check out these examples:

If you click the link in the email, you are redirected to a CAPTCHA page.

  • This helps the attacker verify that you are a human, and not an automated email scanner.

Once you solve the CAPTCHA, a realistic-looking login page is loaded.

Your first login attempt fails, which forces you to enter the password twice.

  • The attackers want to ensure that they harvest your password without typos.

The final redirect takes you to a legitimate Sophos website that claims to have “released” the email.

  • This leads you to believe that the email was legitimate and that no malicious action was carried out.
  • It also reduces the chances of you reporting it.

Takeaways & AgriLife IT Recommendations

  • Being mindful of this attack pattern and knowing what to look for is an excellent defense
  • AgriLife IT utilizes advanced email protection that is able to detect and block this form of phishing attack in AgriLife Email resources
  • Hover the cursor over email links before clicking them
  • Carefully check long links in emails, especially when accessing personal email on work devices
  • If you receive an email that you were not expecting, here are some strategies based on the email’s appearance:
    • Obviously suspicious/spam (spelling mistakes or odd sender address)
    • If you are uncertain or think it may be legitimate (email tries to convey urgency, or says the account is locked)
      • Verify with your IT representative or FirstCall
      • Visit the website directly by typing the address into the web browser (ex. and then checking your account)
      • Ignore the email and see if you get a follow-up (malicious senders virtually never send a follow-up)
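The check recommended above for long links can also be done mechanically. The following is an added example, not code from AgriLife IT or Microsoft: it lists every host buried in a link's path, query, or fragment that differs from the host the link appears to point to, including hosts hidden behind repeated percent-encoding. The function name `buried_hosts` and the sample link are constructed for illustration, using reserved example domains.

```python
import re
from urllib.parse import urlsplit, unquote

# Absolute or scheme-relative URL, optional userinfo, captured host name.
_URL_RE = re.compile(
    r"(?:https?:)?//(?:[^/?#@\s]*@)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I
)

def buried_hosts(link, max_decode_rounds=3):
    """Return hosts embedded after the visible host of `link`.

    The part of the link after the host is percent-decoded repeatedly,
    because redirect targets are often encoded two or more times.
    """
    parts = urlsplit(link)
    visible = (parts.hostname or "").lower()
    tail = f"{parts.path}?{parts.query}#{parts.fragment}"
    found = []
    for _ in range(max_decode_rounds + 1):
        for host in _URL_RE.findall(tail):
            host = host.lower()
            if host != visible and host not in found:
                found.append(host)
        decoded = unquote(tail)
        if decoded == tail:  # nothing left to decode
            break
        tail = decoded
    return found

# Constructed sample: a tracking-style link whose "url" parameter carries a
# second destination, which in turn carries a double-encoded third one.
SAMPLE_LINK = (
    "https://mail.example.com/track/click?id=12345&campaign=zoom-invite"
    "&url=https%3A%2F%2Flogin.example.net%2Fcaptcha%3Fnext%3D"
    "https%253A%252F%252Fportal.example.org%252Fsignin"
)

if __name__ == "__main__":
    link_host = urlsplit(SAMPLE_LINK).hostname
    print("Link appears to go to:", link_host)
    for host in buried_hosts(SAMPLE_LINK):
        print("Also contains:", host)
```

A non-empty result does not prove a link is malicious, since legitimate services also pass return addresses in links; it shows which destinations to look at before trusting the link.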