Service Update
| Availability | November 7th, 2024 |
| Product(s) | Email Security Cloud Integrated (CI) |
| Who's affected | Email Security Cloud Integrated (CI), Administrators |
Overview
Mimecast is pleased to announce the launch of our initial phase of CAPTCHA Abuse Detection. Mimecast has noticed an increase in reports concerning malicious websites that host content behind CAPTCHA or verification pages. Attackers exploit this method as it forces security scanners to simulate multiple human interactions. In this initial phase, Mimecast will employ a combination of detection techniques to identify and mitigate links and payloads associated with fraudulent CAPTCHA pages.
Mimecast scanning uses various services to determine whether a URL or website is malicious or hosts malicious content. In our research, we found that almost 95% of all CAPTCHA-based attacks use the Cloudflare Turnstile CAPTCHA. Cloudflare CAPTCHAs can be easily purchased, and they carry credibility because Cloudflare is widely recognized across the internet.
During our scanning process, we pull the fully qualified domain name (FQDN) of a site; we use this to establish if this CAPTCHA has been in place for a long period of time or is newly created (over 90% of CAPTCHA-based attacks come from sites with a very low FQDN age). While fetching this information, we are simultaneously inspecting the link for redirects, user interactions, malicious executables, and downloading the Document Object Model (DOM) of the site.
We combine various features using our advanced YARA rules created by our threat research team. Mimecast Threat Research monitored this rule in evaluation mode prior to pushing to production; this allowed us to modify it and reduce or eliminate false positives while maintaining detection of true positives. Our unique approach to CAPTCHA abuse has resulted in high true positive detection rates, with a low false positive rate (below 1%).
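The signals described above (a Turnstile widget in the DOM, low FQDN age, redirects, executable payloads) can be combined as in the following added example, which is not Mimecast's code or rules. The 30-day age cut-off, the redirect threshold, the verdict names and the sample pages are assumptions made for illustration; the Turnstile markers are the widget's documented loader script and container class.

```python
import re
from datetime import date

# Markers of an embedded Cloudflare Turnstile widget: the loader script
# and the container class used for implicit rendering.
TURNSTILE_MARKERS = (
    re.compile(r"challenges\.cloudflare\.com/turnstile/v0/api\.js", re.I),
    re.compile(r"""class\s*=\s*["'][^"']*\bcf-turnstile\b""", re.I),
)
YOUNG_DOMAIN_DAYS = 30  # assumption: the page gives no numeric cut-off
MANY_REDIRECTS = 2      # assumption: hops before the CAPTCHA page

def has_turnstile(dom: str) -> bool:
    """True if the fetched DOM embeds a Turnstile widget."""
    return any(p.search(dom) for p in TURNSTILE_MARKERS)

def assess(dom, first_seen, today, redirects=0, offers_executable=False):
    """Return (verdict, reasons) for one fetched page.

    first_seen is the date the FQDN was first observed or registered.
    """
    if not has_turnstile(dom):
        return "no-captcha", []
    reasons = ["turnstile widget in DOM"]
    age_days = (today - first_seen).days
    young = age_days < YOUNG_DOMAIN_DAYS
    if young:
        reasons.append(f"FQDN age {age_days}d")
    if redirects >= MANY_REDIRECTS:
        reasons.append(f"{redirects} redirects")
    if offers_executable:
        reasons.append("executable download")
    # Turnstile alone is normal on legitimate sites, so the verdict
    # depends on how many corroborating signals accompany it.
    extra = len(reasons) - 1
    if young and extra >= 2:
        return "suspicious", reasons
    return ("review" if extra else "benign-captcha"), reasons

# Constructed sample pages (not real captures).
GATED = ('<html><script src="https://challenges.cloudflare.com/turnstile/'
         'v0/api.js"></script><div class="cf-turnstile" '
         'data-sitekey="PLACEHOLDER"></div></html>')
PLAIN = '<html><form action="/login"><input name="user"></form></html>'

if __name__ == "__main__":
    today = date(2024, 11, 7)
    print(assess(GATED, date(2024, 11, 1), today, redirects=3))
    print(assess(GATED, date(2015, 1, 1), today))
    print(assess(PLAIN, date(2024, 11, 1), today))
```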
What's changing
As part of the URL protection policy, CAPTCHA Abuse Detection will automatically be enabled. Only an active URL protection policy is required, and no changes to the scanning or rewriting modes are necessary. The feature is supported in both the Email Security Cloud Integrated and Email Security Cloud Gateway product suites.
The following guidelines will apply to the update:
Currently, only Cloudflare Turnstile CAPTCHA is supported.
The reCAPTCHA feature is currently not supported.
Recommended Actions
This is an efficacy enhancement for all customers; all that is required is an active URL scanning policy. The response to these detections depends on the configuration settings for URL detection.
In case of a false positive or false negative, it is recommended that the URL be reported using the same workflow.
See Outlook End User Reporting for more information.