---
title: "CAPTCHA Forms Become Hackers’ New Tool for Stealing Credentials | DuoCircle"
description: "Cybersecurity experts at Avanan discovered in February 2022 that the CAPTCHA forms scam that began in April 2021 has resurfaced with a more credible and more robust attack scheme."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/captcha-forms-become-hackers-new-tool-for-stealing-credentials/"
---

Quick Answer

Avanan reported in February 2022 that a CAPTCHA-based phishing scheme first seen in April 2021 had returned with stronger credibility. The technique: attackers send a phishing email that appears to contain a faxed document as a PDF attachment. Clicking the attachment routes the recipient through a Google reCAPTCHA challenge before landing on a fake Microsoft OneDrive login page that harvests credentials. The reCAPTCHA does two things for the attacker. It stops automated security scanners (which cannot solve CAPTCHA challenges) before they reach the credential page, so the content behind the challenge is never analyzed. It also lends credibility with the user, who reads the CAPTCHA as a normal security step. The 2022 escalation added a compromised university email domain as the sending source, so the message passes domain-reputation checks and looks legitimate in the inbox. Defenses: check the URL for lookalike errors (the fake login pages substituted a zero for the letter O in 'Storage' and misspelled 'Outlook'), question password-protected attachments where the content type does not justify a password, and verify out of band when faxed documents arrive from unexpected senders.


![Hackers](https://media.mailhop.org/duocircle/images/2022/03/smtp-service-7456.jpg) 

_Cybersecurity experts at Avanan discovered in February 2022 that the CAPTCHA forms scam that began in April 2021_ has resurfaced with a more credible and more robust attack scheme. While the initial attack exploited security scanners’ trust in Google’s reCAPTCHA product, this time around the adversaries have also used the **compromised email domain of a university** to send legitimate-looking emails to end users, emails that culminate in a CAPTCHA-gated credential-harvesting page.

## What are CAPTCHAs?

While browsing online for articles, registering on websites, or creating accounts, we are often asked to tick a box confirming that we are not a robot. The checkbox is sometimes followed by a seemingly redundant puzzle: solve a basic math problem, pick the squares that contain traffic lights, or perform another task that is easy for a person but hard to automate. These tests are known as _CAPTCHAs, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart_.

_Google’s reCAPTCHA is one of the most widely used CAPTCHA services._ Because the challenge loads from Google’s own infrastructure, which **security scanners** commonly allowlist, a phishing page placed behind a reCAPTCHA inherits that trust: the scanner sees only the challenge, and whatever is served after it is never analyzed.

[![phishing emails](https://media.mailhop.org/duocircle/images/2022/03/spf-permerror-7457.jpg)](https://media.mailhop.org/duocircle/images/2022/03/spf-permerror-7457.jpg)

## What Happened Earlier?

In April 2021, Avanan demonstrated how adversaries could bypass secure email gateways (SEGs) using CAPTCHA forms. reCAPTCHA challenges are served from Google’s infrastructure, which typically sits on an SEG’s allowlist. [Avanan reported](https://www.avanan.com/blog/using-captcha-forms-to-bypass-filters) that the adversaries exploited this blind spot by sending [phishing emails](/content/email-phishing-protection/how-to-stop-phishing-emails) to end users and redirecting them to a **phishing website** where they first had to complete a CAPTCHA form to prove they were not a crawler or scanner.

Thus, the scam does not become apparent until the user solves the **CAPTCHA challenge** and reaches the next page, which asks them to sign in to their Microsoft account. In other words, the attack turned the trust that scanners place in Google’s reCAPTCHA product against them.

## What is the Present Attack Vector?

In the present attack, the attackers again use CAPTCHA forms to bypass scanners. It comes roughly a year after Avanan first demonstrated the CAPTCHA technique. _The adversaries have reused the same technique and enhanced its credibility by bringing a university domain into the picture_.

The threat actors used a previously compromised university email domain to **send phishing emails** to users. These emails aim at credential harvesting through impersonation and CAPTCHA forms. _The attack can affect anyone on the internet and is a severe threat_. Because the emails genuinely originate from a legitimate domain, they pass the domain-reputation checks that would catch a freshly registered lookalike domain, and so they reach users’ inboxes. From there, all a user needs to do is open the email and follow its instructions.

## How is the Attack Executed?

_The attackers have used CAPTCHA forms to evade phishing detection filters in the current attack_. In this CAPTCHA-themed attack, end users first receive a legitimate-looking email that claims to contain a faxed document as a PDF attachment. Trying to open the PDF actually follows a link to a fake site that presents a CAPTCHA form. Once users solve the CAPTCHA, they are directed to a fake Microsoft OneDrive login page, where they are asked to enter their email address and password to access the PDF.

In essence, the [phishing email](/phishing-protection/how-to-stop-phishing-emails-and-protect-your-organization-from-cyber-criminals/) points to a page that shows nothing but a seemingly harmless reCAPTCHA, which an automated scanner cannot solve. The scanner therefore never reaches the credential-harvesting page behind it and has nothing malicious to report. Further, the email comes from a legitimate domain (a compromised university account), which serves as yet another sign of the **email’s authenticity** to both filters and recipients.

This is how the adversaries steal user credentials. The stolen credentials can be easily used to launch targeted [phishing attacks](/resources/identify-and-neutralize-phishing-attacks) or even be sold on the dark web, which pushes victims towards other cyber threats.
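The chain described in this section, together with the scanner blind spot from "What Happened Earlier" and the compromised-sender point from "What is the Present Attack Vector?", can be turned into triage logic. The Python below is an added example written for this page, not code from Avanan or DuoCircle: the email, the university domain, the link, the landing page, and the brand and lure word lists are all constructed assumptions, and `fetch` stands in for an HTTP retrieval. It reads the Authentication-Results header (which passes, because the mail really left the compromised domain), pulls the link out of the body, and classifies the landing page the way a scanner should: a reCAPTCHA gate is treated as content the scanner could not see rather than as benign, and a page that names Microsoft or OneDrive while hosted on an unrelated domain is flagged.

```python
"""Triage of a CAPTCHA-gated credential-phishing chain.
Added example for this page: email, domain, link and landing page are constructed,
and `fetch` stands in for an HTTP retrieval."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure. Authentication passes because the mail really left the
# (compromised) sender's infrastructure; the domain is hypothetical.
SAMPLE_EMAIL = """\
From: "Records Office" <records@example-university.edu>
To: victim@example.com
Subject: New fax received (2 pages)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-university.edu; dkim=pass header.d=example-university.edu; dmarc=pass header.from=example-university.edu
Content-Type: text/html; charset=utf-8

<html><body><p>You have a new fax document. Open the attached PDF to review it.</p>
<a href="https://st0rage-0utlook.example/fax/view">FaxDocument_0322.pdf</a></body></html>
"""

# Constructed view of what a link scanner gets back: a reCAPTCHA widget and
# nothing else. The login form is only served after the challenge is solved.
SAMPLE_LANDING_PAGE = """\
<html><head><script src="https://www.google.com/recaptcha/api.js" async defer></script></head>
<body><h2>Microsoft OneDrive: verify you are human to view the document</h2>
<form action="/verify" method="post"><div class="g-recaptcha" data-sitekey="k"></div>
<input type="submit" value="Continue"></form></body></html>
"""

BRAND_WORDS = ("onedrive", "microsoft", "outlook", "sharepoint", "office 365")  # assumed
BRAND_DOMAINS = {"microsoft.com", "live.com", "office.com", "onedrive.com",      # assumed
                 "outlook.com", "sharepoint.com", "microsoftonline.com"}
LURE_WORDS = ("fax", "document", "invoice", "voicemail")                         # assumed


class _Collector(HTMLParser):
    """Collect links, script sources, visible text and reCAPTCHA markers."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self.text, self.recaptcha = [], [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if "g-recaptcha" in (a.get("class") or ""):
            self.recaptcha = True

    def handle_data(self, data):
        self.text.append(data)


def parse_html(html):
    c = _Collector()
    c.feed(html)
    return c


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, e.g. {'spf': 'pass', ...}."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def classify_landing_page(url, html):
    """'suspicious': names a brand it is not hosted by; 'gated': a CAPTCHA hides the
    rest, so it must not be reported clean; 'no-gate': the page was fully inspected."""
    page = parse_html(html)
    host = (urlparse(url).hostname or "").lower()
    text = " ".join(page.text).lower()
    captcha = page.recaptcha or any("recaptcha" in s for s in page.scripts)
    claims = [w for w in BRAND_WORDS if w in text]
    on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    reasons = []
    if captcha:
        reasons.append("reCAPTCHA gate: scanner cannot see what is served after it")
    if claims and not on_brand:
        reasons.append(f"page claims {claims} but is hosted on {host}")
    verdict = "suspicious" if claims and not on_brand else "gated" if captcha else "no-gate"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_email(raw, fetch):
    """Combine sender authentication, lure wording and landing-page verdicts."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parsed = parse_html(msg.get_payload(decode=True).decode("utf-8", "replace"))
    visible = (msg.get("Subject", "") + " " + " ".join(parsed.text)).lower()
    lures = [w for w in LURE_WORDS if w in visible]
    links = [classify_landing_page(u, fetch(u)) for u in parsed.links]
    notes = []
    if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        # A pass proves origin, not intent: a compromised account passes all three.
        notes.append(f"authentication passed: mail genuinely left {sender_domain}; "
                     "treat as a compromised sender, not as proof of safety")
    if any(l["verdict"] == "suspicious" for l in links):
        verdict = "quarantine"
    elif lures and any(l["verdict"] == "gated" for l in links):
        verdict = "hold"  # lure wording plus content the scanner never saw
    else:
        verdict = "deliver"
    return {"verdict": verdict, "auth": auth, "sender_domain": sender_domain,
            "lures": lures, "links": links, "notes": notes}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_email(SAMPLE_EMAIL, lambda url: SAMPLE_LANDING_PAGE), indent=2))
```

The design point is the middle verdict: a page that the scanner could only see up to a reCAPTCHA is neither clean nor provably malicious, so it is held for a human or a sandbox with a solver rather than delivered, and an authentication pass is recorded as context (the account is compromised) rather than counted as evidence of safety.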

## Detecting The Attack

In the URL of the site users are redirected to (after clicking the attached document), the word ‘Storage’ is spelled with a zero instead of an ‘O’, and the word ‘Outlook’ is also misspelled. Therefore, _users need to observe, scan and analyze the URL to detect these deliberate lookalike errors_.
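A check for the lookalike URLs described above, as an added example that is not taken from the page or from Avanan. The brand word list, the legitimate-domain list and the sample URLs are assumptions chosen for illustration. Digit-for-letter substitutions such as a zero for ‘O’ are undone before each hostname and path token is compared against the brand words, and a one-character misspelling such as a dropped letter in ‘Outlook’ is caught with an edit-distance check; it also goes a step beyond the page by flagging punycode (IDN) labels, which hide non-Latin lookalike characters.

```python
"""Lookalike-URL check: undo digit-for-letter swaps and catch one-letter misspellings.
Added example for this page; brand and domain lists are illustrative assumptions."""
import re
from urllib.parse import urlparse

# Words an attacker imitates in a phishing hostname or path (assumed list).
BRAND_TOKENS = ("storage", "outlook", "onedrive", "microsoft", "office", "sharepoint")
# Domains on which those brands legitimately appear (assumed, not exhaustive).
LEGIT_DOMAINS = {"microsoft.com", "live.com", "office.com", "outlook.com",
                 "onedrive.com", "sharepoint.com", "microsoftonline.com"}
# Characters commonly substituted for letters: '0' for 'o' as in 'St0rage'.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "$": "s", "@": "a"})


def levenshtein(a, b):
    """Edit distance; used to catch one-letter misspellings such as 'outlok'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_domain(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def tokens(s):
    """Split a hostname or path into lowercase word-like tokens."""
    return [t for t in re.split(r"[^a-z0-9$@]+", s.lower()) if t]


def judge_token(tok):
    """Return (brand, reason) if tok imitates a brand word, else None."""
    norm = tok.translate(HOMOGLYPHS)
    for brand in BRAND_TOKENS:
        if tok == brand:
            return brand, "brand word on an untrusted domain"
        if norm == brand:
            return brand, "digit-for-letter substitution"
        # Length guard keeps short words from matching by a single edit.
        if len(brand) >= 6 and levenshtein(norm, brand) == 1:
            return brand, "misspelling (edit distance 1)"
    return None


def check_url(url):
    """Inspect one URL; findings list every token that imitates a brand word."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    result = {"host": host, "legit": is_legit_domain(host), "suspicious": False, "findings": []}
    if result["legit"]:
        return result  # real brand domain: nothing to compare against
    for where, part in (("host", host), ("path", p.path)):
        for tok in tokens(part):
            hit = judge_token(tok)
            if hit:
                result["findings"].append(
                    {"where": where, "token": tok, "brand": hit[0], "reason": hit[1]})
    if any(label.startswith("xn--") for label in host.split(".")):
        result["findings"].append({"where": "host", "token": host, "brand": "",
                                   "reason": "punycode (IDN) label; inspect the decoded form"})
    result["suspicious"] = bool(result["findings"])
    return result


if __name__ == "__main__":
    for u in ("https://st0rage-outlok.example/fax/view",   # constructed lookalike
              "https://onedrive.live.com/?id=1",            # real brand domain
              "https://example.com/about"):                 # unrelated, clean
        print(check_url(u))
```

The legitimate-domain check comes first so that the real brand sites are never flagged for containing their own names; everything else is compared token by token, which is also why the check looks at the path: a lookalike word placed after the slash is just as common as one in the hostname.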

[![phishing emails](https://media.mailhop.org/duocircle/images/2022/03/hosted-email-server-7459.jpg)](https://media.mailhop.org/duocircle/images/2022/03/hosted-email-server-7459.jpg)

## Protect from these CAPTCHA Scams

Since solving a CAPTCHA is an elementary (and often mandatory) **security process** that keeps bots out of website operations, it is not possible to do away with CAPTCHA forms just because adversaries abuse them for **credential theft**. _Users need to be more aware of their actions online and constantly question_ whether a website or URL leads where it promises, or whether something in the displayed content does not add up. Avanan recommends the following [security measures](/email-security/why-its-crucial-to-adopt-email-security-measures-during-the-tax-season/) for users to protect against these attacks.

- End users should check that a URL is authentic before filling out a CAPTCHA form.
- _Ask whether a PDF file should really be password protected_. A password-protected copy of an account statement makes sense, but a company brochure with **password protection** should ring alarm bells.
- If a faxed document arrives, confirm with the sender that they are in the office. Someone working from home will generally not be able to send a fax, and that alone is reason enough to stay away from such emails.

## Final Words

_This scam relies heavily on Google’s free reCAPTCHA service to evade security scanning systems_. Avanan explains that since security systems cannot realistically block Google, the reCAPTCHA page is sure to get delivered. End users, meanwhile, may not see any risk in solving the CAPTCHA challenge and may regard it as a **standard security measure**. This combination increases the chance of credential theft and makes the CAPTCHA form scam such a serious security issue.

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


Published: March 28, 2022. Last updated: May 9, 2025.

