Akankasha Dewan 29 September 2020 09:47:07 AEST 3 MIN READ

Warning: Email purporting to be from “Principal Solicitor” delivers phishing attack; employs Google reCAPTCHA to evade detection

MailGuard has intercepted a phishing email masquerading as a notification from a “Principal Solicitor”. Titled “Approval letters for revised contract”, the email appears to be sent from a “Principal Solicitor” at “Troylab Property Lawyers”. This organisation doesn’t actually exist. The email actually comes from a compromised mailbox of another company.

The email body includes an image of a .PDF file at the top, designed to look like an attachment. However, it is actually a link to an external page. Claiming to be “acting on behalf of” a client, the email invites the recipient to view “the above attached information” and to “confirm this is agreed”.

Here’s what the email looks like:

Scam 2809

Unsuspecting recipients who click on the link to view the information are led to a redirect page that contains a Google reCAPTCHA feature, asking the user to confirm that he or she is not a robot. This feature is likely included to evade detection of the phishing page by preventing automated checks from email security filters.


Once users pass the reCAPTCHA test, they are led to a fake Microsoft-branded login page, asking for their username & password, as per the below:

Scam 2809_3

This login page is a phishing page that appears to be a compromised site. Once the user’s credentials are entered and submitted, they are harvested for later use, and the user is met met with an error saying that they were unable to login.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not respond to it.

The phishing email contains several typical elements that attempt to trick recipients into falling for the scam:

  • purporting to be from a relevant authority to inspire false trust; the use of the signature from a “Principal Solicitor”,
  • and the inclusion of the Google reCAPTCHA feature; this is a safety feature typically employed by many well-established organisations, again boosting the email’s credibility,

Despite these elements, the email in itself contains several tell-tale signs that commonly belong to fraudulent emails and should help eagle-eyed recipients point to its illegitimacy. These include spacing and formatting errors, as well as the fact that the domains of the URLs of both the intermediary & login pages aren’t familiar.

Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security. Because of the large number of users globally, Microsoft is a regular victim of these scams.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

Phishing attacks can be enormously costly and destructive, and new scams are appearing every week. Don’t wait until it happens to your business; protect your business and your staff from financial and reputational damage, now.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates