Scattered Spider using fake CAPTCHA to evade detection
22 May 2025
By Samantha Clarke, Rikesh Vekaria, Ankit Gupta, Hiwot Mendahun and Jared Van Loon
What you'll learn in this notification
- More than 150k phishing campaigns impersonating service providers including SendGrid, HubSpot, Google and Okta
- Predominately sent from white-labelled SendGrid accounts
- Use of fake CAPTCHA to evade detection
- Recent campaigns predominately targeting Retail and Software-as-a-Service businesses in the US and UK
- Campaign Objective: Credential harvesting
The Mimecast Threat Research team has been monitoring several related phishing campaign clusters that began in February 2025 and continued into May 2025. These campaigns impersonate legitimate email service providers (ESPs), primarily SendGrid, to deliver fraudulent notifications to end users. The campaigns often include urgent messaging about account restrictions, login alerts, or compliance warnings, encouraging recipients to click on a call-to-action. The aim of these campaigns appears to be harvesting credentials for distributing further phishing emails. As part of our Threat Research process, we have reported this to SendGrid.
Okta Phishing Campaigns Against SaaS Providers
Between April and May 2025, we identified a shift toward spear phishing campaigns targeting specific Software-as-a-Service (SaaS) organizations, with several samples imitating Okta login flows. Okta is an identity and access management (IAM) platform used by thousands of organizations worldwide and serves as the front gate to a company's digital environment. The phishing pages include single sign-on (SSO)-themed styling designed to exploit user trust and harvest credentials within enterprise environments. The campaigns appear to be targeting senior employees with possible elevated access to internal systems.
This tactic aligns closely with methods attributed to the Scattered Spider threat actor group highlighted by Silent Push, known for their use of advanced social engineering and adversary-in-the-middle (AiTM) phishing kits. By impersonating Okta and other SSO portals, the group seeks to compromise high-value SaaS platforms—such as customer relationship and support systems—by capturing authentication credentials and session tokens. The objective is often to gain privileged access to sensitive environments, bypass multi-factor authentication (MFA), and enable lateral movement within enterprise networks.
Tactic: Fake Cloudflare CAPTCHA Interstitials
These campaigns employ fake Cloudflare CAPTCHA interstitials as a key evasion mechanism. The attackers display a fake Cloudflare page with a static Ray ID before redirecting users to the phishing landing page. This technique mimics a legitimate browser challenge to bypass automated email and URL scanners.
Fake Cloudflare Ray ID as seen in SendGrid phishing campaigns. In samples seen across the phishing campaigns, the Ray ID remains static but may appear in different types of HTML tags.
Real Cloudflare Ray ID as seen in an unrelated campaign, which contains a real Ray ID within <code> tags.
Legitimate CAPTCHA services, such as Cloudflare and Google reCAPTCHA, typically require API keys linked to verified domains and enforce rate limits and bot protections. By using fake CAPTCHAs, threat actors can bypass these restrictions, giving them greater control and flexibility in deploying their phishing campaigns.
In addition, multiple phishing campaigns impersonating services like SendGrid and Okta have consistently reused templates built with Create React App (CRA). CRA is a development framework that allows attackers to quickly deploy React-based pages with minimal setup or configuration. These pages often retain default metadata and assets from the Create React App template, serving as a strong indicator of kit-based phishing infrastructure. Common across these fake login portals are <meta name="description" content="Web site created using create-react-app">, <link rel="apple-touch-icon" href="/logo192.png">, and <link rel="manifest" href="/manifest.json">, along with uncustomized <title> elements such as “React App” or “SendGrid Verification.” The reuse of static assets like main.[hash].js and main.[hash].css suggests the attackers are deploying cloned builds with only minor cosmetic changes.
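The two page-level tells described above (a Cloudflare-style interstitial whose Ray ID is identical across many samples, and default Create React App metadata left in the page head) can be checked mechanically. The following Python is an added example written for this article, not Mimecast's tooling; the HTML pages and the Ray ID values in it are constructed for illustration, since the static Ray ID itself is not reproduced in the text. A genuine Ray ID is unique per request, so the same value recurring across unrelated pages is the signal.

```python
"""Heuristic fingerprinting of suspected phishing landing pages.

Checks drawn from the campaign description:
  1. A Cloudflare-style interstitial whose Ray ID recurs verbatim across pages.
  2. Create React App (CRA) template remnants left in the page <head>.
All sample pages below are constructed for this example.
"""
import re
from collections import Counter

# Exact CRA template remnants listed in the report.
CRA_MARKERS = [
    'content="Web site created using create-react-app"',
    'href="/logo192.png"',
    'href="/manifest.json"',
]
# Uncustomized <title> values mentioned in the report (compared case-insensitively).
CRA_TITLES = {"react app", "sendgrid verification"}

# Cloudflare Ray IDs are hex strings, often followed by "-<colo>" (e.g. "-LHR").
# The regex tolerates wrapping tags such as <span> or <code> and captures the hex part.
RAY_ID_RE = re.compile(r"Ray ID:?\s*(?:<[^>]+>\s*)*([0-9a-f]{12,20})", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def extract_ray_id(html):
    """Return the lower-cased hex Ray ID shown on the page, or None."""
    m = RAY_ID_RE.search(html)
    return m.group(1).lower() if m else None


def cra_markers_found(html):
    """Return the list of CRA template remnants present in the page."""
    found = [m for m in CRA_MARKERS if m in html]
    t = TITLE_RE.search(html)
    if t and t.group(1).strip().lower() in CRA_TITLES:
        found.append("default-title:" + t.group(1).strip())
    return found


def fingerprint_pages(pages, ray_reuse_threshold=2):
    """pages: dict url -> html. Returns dict url -> list of findings (empty = nothing flagged)."""
    ray_ids = {url: extract_ray_id(html) for url, html in pages.items()}
    counts = Counter(r for r in ray_ids.values() if r)
    report = {}
    for url, html in pages.items():
        findings = []
        rid = ray_ids[url]
        if rid and counts[rid] >= ray_reuse_threshold:
            findings.append(f"static Ray ID {rid} reused on {counts[rid]} pages")
        findings += ["CRA marker: " + m for m in cra_markers_found(html)]
        report[url] = findings
    return report


# Constructed sample pages: two lookalike kit pages sharing one Ray ID, one unrelated page.
SAMPLE_PAGES = {
    "https://phish-a.example/": """<html><head><title>React App</title>
<meta name="description" content="Web site created using create-react-app">
<link rel="manifest" href="/manifest.json"></head>
<body><div>Checking your browser... Ray ID: <span>8abc12345de67890</span></div></body></html>""",
    "https://phish-b.example/": """<html><head><title>SendGrid Verification</title>
<link rel="apple-touch-icon" href="/logo192.png"></head>
<body><p>Ray ID: 8abc12345de67890-LHR</p></body></html>""",
    "https://other.example/": """<html><head><title>Attention Required</title></head>
<body>Ray ID: <code>93f0a1b2c3d4e5f6</code></body></html>""",
}

if __name__ == "__main__":
    for url, findings in fingerprint_pages(SAMPLE_PAGES).items():
        print(url, findings or "no findings")
```

Run against a corpus of captured landing pages rather than three samples, the Ray ID counter is what separates a kit from a legitimate challenge page: real interstitials never repeat a Ray ID, so any value seen twice is worth pivoting on, and the CRA markers then confirm a cloned build.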
The phishing URLs observed in these campaigns follow consistent structural patterns designed to impersonate trusted enterprise services. Many domains include keywords like sso, login, account, or security, and often mimic cloud infrastructure naming conventions (e.g., aws-us3-manageprod.com, portal-sendgrld.com). Typo squatting is common, with slight alterations to brand names such as SendGrid or Google.
A large number of domains in these phishing campaigns are registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar frequently linked to abuse and notably favored by Scattered Spider in campaigns since late 2024. Its appeal lies in low-friction registration with minimal identity checks and delayed abuse response, which extends the lifespan of malicious sites. NICENIC also offers WHOIS privacy by default, making attribution and tracking more difficult. Manual checks by Mimecast threat researchers of who registered the domains in the IOC section confirmed these patterns, aligning with details in the Silent Push article. This blend of accessibility and anonymity makes it an attractive option for threat actors looking to rapidly deploy and cycle through domains.
In the recent campaigns the Mimecast Threat Research team observed harvested credentials being transmitted. The phishing site hosted at sendgr.id-unlink[.]com captures login details and sends them via a POST request to the IP address 185.208.156.251.
The IP address 185.208.156.251 is actively involved in phishing operations, serving a Let's Encrypt TLS certificate that covers multiple suspicious domains listed below. The certificate is valid only from May 7 to August 5, 2025, a span of a few months, and the server is hosted on infrastructure provided by Global-Data System IT Corporation, a hosting provider known for offering virtual private servers (VPS).
The use of a valid TLS certificate from Let's Encrypt lends an appearance of legitimacy to these phishing sites, potentially deceiving users into trusting them. The clustering of multiple phishing-related domains under a single certificate and IP address suggests a coordinated campaign, likely utilizing a shared backend infrastructure to streamline operations.
Mimecast Protection
We have identified several attributes in the recent campaigns which have been added to our detection capabilities. We continue to monitor for changes in techniques used by this Threat Actor.
Targets:
Predominantly US, UK, Retail, SaaS
IOCs
Domains identified in February 2025
complete-sendgrid[.]com
response-crmsg[.]com
response11-sendgrid[.]com through response20-sendgrid[.]com
responseinquiry-tos[.]com
responsesendgrid[.]com
review-termsconditions[.]com
Domains identified in April 2025
aws-us3-manageprod[.]com
internal-ssologin[.]com
legalcompliance-login[.]com
login-request[.]com
login-enterprisesso[.]com
mange-accountsecurity[.]com
myhubservices[.]com
password-internal[.]com
portal-sendgrld[.]com
production-us12[.]com
service-settings[.]com
sso-accountservices[.]com
services-goo[.]com
sso-gservices[.]com
ssologinservices[.]net
signon-directory[.]com
grid-authority[.]com
grid-network[.]com
grid-sso[.]com
sendgr.id-unlink[.]com
appeal.grid-secureaccount[.]com
grid-secureaccount[.]com
send.grid-secureaccount[.]com
Sgupgradegold[.]com
Recently created domains with possible links to Scattered Spider
oktacheck.it[.]com
okta.ubzbpmwxvmskewyqbhsgbcxhdfmetr.micraclefoundations.it[.]com
okta.athuymircrosovfts365ovaw.it[.]com
IP
185.208.156.251
84.200.205.9
Recommendations
- User awareness training
  - The first line of defense against any form of phishing is equipping staff not to trust every link and to recognize malicious links or web pages
  - Conduct regular phishing simulations that include Okta permissions scenarios
  - Ensure users actively recognize MFA fatigue attacks and know how to prevent them
- Security Policy Revision
  - Implement strong MFA, prioritizing phishing-resistant methods. Disable less secure authentication to significantly reduce credential theft, though sophisticated attackers may still attempt it.
  - Enforce conditional access policies to grant authentication and authorization only to organization-issued devices, significantly reducing unauthorized access.
- Proactive threat hunting
  - Search URL Protect logs using specific filters for the domains and Ray ID identified, as this represents a key indicator of compromise.
  - Hunt for authentication events from unfamiliar IP ranges, particularly those associated with known attacker infrastructure
  - Scan for React-based phishing pages with telltale metadata like "Web site created using create-react-app"
  - Search through mail receipt logs for messages associated with SendGrid
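The threat-hunting recommendations above (URL-click logs for the IOC domains, authentication events from IOC or unfamiliar IP ranges, and mail logs for SendGrid-originated messages) are shown below as one pass over sample logs. This Python is an added example for this article and does not represent Mimecast's URL Protect or any vendor's log format; the log line layouts, user names, trusted egress ranges and subset of IOC domains are constructed, while the IOC domains and IP addresses themselves are taken from the IOC section. The static Ray ID value is not reproduced in the text, so this block does not match on it.

```python
"""Hunt constructed URL-click, authentication and mail logs for the report's indicators.

Log formats are assumptions for this example (key=value fields after a timestamp and source).
"""
import re
from ipaddress import ip_address, ip_network

# Indicators taken from the IOC section (refanged). Extend with the full list in practice.
IOC_DOMAINS = {
    "sendgr.id-unlink.com",
    "portal-sendgrld.com",
    "internal-ssologin.com",
    "oktacheck.it.com",
}
IOC_IPS = {"185.208.156.251", "84.200.205.9"}

# Constructed corporate egress ranges; logins from outside these are "unfamiliar".
TRUSTED_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Events worth hunting: a completed login or an MFA prompt from an unexpected source.
AUTH_EVENTS_OF_INTEREST = {"login.success", "mfa.challenge"}

URL_LOG_RE = re.compile(r"user=(?P<user>\S+) url=(?P<url>\S+)")
AUTH_LOG_RE = re.compile(r"event=(?P<event>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+)")
MAIL_LOG_RE = re.compile(r'sender=(?P<sender>\S+) subject="(?P<subject>[^"]*)"')


def hostname_of(url):
    """Extract the lower-cased host from a URL, dropping scheme, path and port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def domain_matches(host):
    """True if host is an IOC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_trusted_ip(ip):
    return any(ip_address(ip) in net for net in TRUSTED_RANGES)


def hunt(lines):
    """Return (kind, who, detail) tuples for every indicator hit in the log lines."""
    hits = []
    for line in lines:
        m = URL_LOG_RE.search(line)
        if m:
            host = hostname_of(m.group("url"))
            if domain_matches(host):
                hits.append(("ioc-domain-click", m.group("user"), host))
            continue
        m = AUTH_LOG_RE.search(line)
        if m and m.group("event") in AUTH_EVENTS_OF_INTEREST:
            ip = m.group("ip")
            if ip in IOC_IPS:
                hits.append(("auth-from-ioc-ip", m.group("user"), ip))
            elif not is_trusted_ip(ip):
                hits.append(("auth-from-unfamiliar-ip", m.group("user"), ip))
            continue
        m = MAIL_LOG_RE.search(line)
        if m and "sendgrid" in m.group("sender").split("@")[-1].lower():
            hits.append(("sendgrid-sender", m.group("sender"), m.group("subject")))
    return hits


# Constructed sample log lines.
SAMPLE_LOGS = [
    "2025-05-08T09:12:01Z urlprotect user=alice@corp.example url=https://sendgr.id-unlink.com/verify?x=1",
    "2025-05-08T09:12:44Z urlprotect user=bob@corp.example url=https://docs.example.org/guide",
    "2025-05-08T09:15:10Z auth event=login.success user=alice@corp.example src_ip=185.208.156.251",
    "2025-05-08T09:16:00Z auth event=login.success user=carol@corp.example src_ip=10.20.30.40",
    "2025-05-08T09:17:30Z auth event=login.success user=dave@corp.example src_ip=198.51.100.7",
    '2025-05-08T09:05:00Z mail sender=bounces@sendgrid.net subject="Account restriction notice"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

The most useful output is the correlation, not any single row: a user who clicked an IOC domain and then produced a successful login from an IOC IP within minutes (alice in the sample) is the pattern that indicates harvested credentials being replayed, and that pairing should drive the session revocation and password reset, while the unfamiliar-IP hits are lower-confidence leads for analyst review.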