Service Update
Availability: November 7th, 2024
Product(s): Email Security Cloud Gateway
Who's affected: Email Security Cloud Gateway, Administrators
Overview
Mimecast URL scanning uses several services to determine whether a URL or website is malicious or hosts malicious content. In our research, we found that almost 95% of all CAPTCHA-based attacks use the Cloudflare Turnstile CAPTCHA. Cloudflare CAPTCHAs can be easily purchased, and they lend an attack credibility because Cloudflare is widely recognized across the internet.
During scanning, we extract the site's fully qualified domain name (FQDN) and use it to establish whether the CAPTCHA has been in place for a long period or was newly created; over 90% of CAPTCHA-based attacks come from sites with a very low FQDN age. While fetching this information, we simultaneously inspect the link for redirects, required user interactions, and malicious executables, and download the site's Document Object Model (DOM).
We combine these features using YARA rules written by our threat research team. Mimecast Threat Research monitored the rule in evaluation mode before pushing it to production, which allowed us to tune it to reduce or eliminate false positives while preserving detection of true positives. This approach to CAPTCHA abuse has produced high true positive detection rates with a low false positive rate (below 1%).
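The feature combination described above, as an added illustration rather than Mimecast's own rule logic: a small Python scorer that checks a downloaded DOM for the standard Cloudflare Turnstile embed markers, computes FQDN age from a supplied first-seen date (in practice this would come from a WHOIS or passive-DNS source), counts redirect hops, and flags a CAPTCHA only when it co-occurs with a very new FQDN or a redirect chain. The 90-day age threshold, the two-hop redirect threshold, the verdict names and the sample domains and DOMs are constructed assumptions; the Turnstile script URL and the cf-turnstile container class are the real widget markers.

```python
"""Toy CAPTCHA-abuse feature scoring (added example; not Mimecast's code)."""
from dataclasses import dataclass, field
from datetime import date
import re

# Real markers of a standard Cloudflare Turnstile embed: the widget script
# host/path and the container class. Matching either counts as "present".
TURNSTILE_SCRIPT_RE = re.compile(r"challenges\.cloudflare\.com/turnstile/", re.IGNORECASE)
TURNSTILE_WIDGET_RE = re.compile(r"""class=["'][^"']*\bcf-turnstile\b""", re.IGNORECASE)

# The article says "very low FQDN age" without a number; 90 days is an assumed threshold.
LOW_FQDN_AGE_DAYS = 90
# Assumed: two or more redirect hops before the CAPTCHA page counts as a feature.
MULTI_HOP_REDIRECTS = 2


@dataclass
class ScanResult:
    fqdn: str
    fqdn_age_days: int
    redirect_hops: int
    features: list = field(default_factory=list)
    verdict: str = "clean"


def fqdn_age_days(first_seen: date, scan_day: date) -> int:
    """Age of the FQDN in days. first_seen would normally be looked up from a
    domain-age source (WHOIS, passive DNS); here it is passed in directly."""
    return max(0, (scan_day - first_seen).days)


def turnstile_present(dom: str) -> bool:
    """True if the downloaded DOM embeds a Cloudflare Turnstile widget."""
    return bool(TURNSTILE_SCRIPT_RE.search(dom) or TURNSTILE_WIDGET_RE.search(dom))


def score_url(fqdn: str, first_seen: date, dom: str, redirect_chain: list,
              scan_day: date) -> ScanResult:
    """Combine the individual signals into a verdict.

    redirect_chain is the list of URLs visited while fetching the link,
    starting with the URL from the email; hops = len(chain) - 1.
    """
    result = ScanResult(fqdn=fqdn,
                        fqdn_age_days=fqdn_age_days(first_seen, scan_day),
                        redirect_hops=max(0, len(redirect_chain) - 1))
    if turnstile_present(dom):
        result.features.append("turnstile_widget")
    if result.fqdn_age_days < LOW_FQDN_AGE_DAYS:
        result.features.append("low_fqdn_age")
    if result.redirect_hops >= MULTI_HOP_REDIRECTS:
        result.features.append("multi_hop_redirect")

    # A CAPTCHA alone is not suspicious: many legitimate sites use one. It is the
    # combination with a freshly created FQDN or a redirect chain that flags abuse.
    if "turnstile_widget" in result.features and (
        "low_fqdn_age" in result.features or "multi_hop_redirect" in result.features
    ):
        result.verdict = "suspected_captcha_abuse"
    elif "turnstile_widget" in result.features:
        result.verdict = "captcha_on_established_site"
    return result


# Constructed sample DOMs and domains (not real sites).
TURNSTILE_DOM = """<html><body>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<form><div class="cf-turnstile" data-sitekey="SITEKEY_PLACEHOLDER"></div></form>
</body></html>"""
PLAIN_DOM = "<html><body><h1>Quarterly report</h1></body></html>"
SCAN_DAY = date(2024, 11, 7)


def demo():
    """Score three constructed cases: long-lived site with a CAPTCHA, days-old
    site behind two redirects with the same CAPTCHA, and a page with none."""
    established = score_url("portal.example.com", date(2015, 3, 1), TURNSTILE_DOM,
                            ["https://portal.example.com/login"], SCAN_DAY)
    fresh = score_url("secure-doc-view.example.net", date(2024, 11, 1), TURNSTILE_DOM,
                      ["https://short.example.org/x", "https://r.example.org/y",
                       "https://secure-doc-view.example.net/verify"], SCAN_DAY)
    plain = score_url("files.example.com", date(2015, 3, 1), PLAIN_DOM,
                      ["https://files.example.com/q3.pdf"], SCAN_DAY)
    return established, fresh, plain


if __name__ == "__main__":
    for r in demo():
        print(r.fqdn, r.fqdn_age_days, r.redirect_hops, r.features, r.verdict)
```

The point of the combined rule is the one the article makes: the widget markup is identical on a legitimate site and on an abusive one, so the CAPTCHA itself is never the signal; the surrounding context (FQDN age, redirect chain) is what separates the two, and a production rule would tune those thresholds in evaluation mode against real traffic before enforcing them.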
What's changing
CAPTCHA Abuse Detection will be enabled automatically as part of the URL Protection policy. Only an active URL Protection policy is required; no changes to the scanning or rewriting modes are necessary. The feature is supported in both product suites, Email Security Cloud Integrated and Email Security Cloud Gateway.
The following limitations apply to this update:
- Currently, only the Cloudflare Turnstile CAPTCHA is supported.
- reCAPTCHA is not currently supported.
Recommended actions
This is an efficacy enhancement for all customers; all that is required is an active URL scanning policy. It works in the relaxed, moderate, and aggressive modes. The response to these detections depends on your URL detection configuration settings.
If you encounter a false positive or a false negative, report the URL through the Administration Console using the existing URL reporting workflow.
See Reporting URLs for more information.
Article Created: November 7th, 2024
Last Updated: November 22nd, 2024