Mimecast is pleased to announce the launch of our initial phase of CAPTCHA Abuse Detection. Mimecast has noticed an increase in reports concerning malicious websites that host content behind CAPTCHA or verification pages. Attackers exploit this method as it forces security scanners to simulate multiple human interactions. In this initial phase, Mimecast will employ a combination of detection techniques to identify and mitigate links and payloads associated with fraudulent CAPTCHA pages.

Mimecast scanning uses various services to determine if a URL or website is malicious, or hosting malicious content. In our research, we found that almost 95% of all CAPTCHA-based attacks are using the Cloudflare Turnstile CAPTCHA. Cloudflare CAPTCHAs can be easily purchased, and hold credibility as they are highly recognized globally for their presence in the internet space.
During our scanning process, we pull the fully qualified domain name (FQDN) of a site; we use this to establish if this CAPTCHA has been in place for a long period of time or is newly created (over 90% of CAPTCHA-based attacks come from sites with a very low FQDN age). While fetching this information, we are simultaneously inspecting the link for redirects, user interactions, malicious executables, and downloading the Document Object Model (DOM) of the site. 
We combine various features using our advanced YARA rules created by our threat research team. Mimecast Threat Research monitored this rule in evaluation mode prior to pushing to production; this allowed us to modify and reduce/eliminate any false positives while maintaining detection of true positives. Our unique approach to CAPTCHA abuse has resulted in large true positive detection rates, with a low false positive rate (below 1%).