Immunity Evasion: Defeating Security with Active Measures & Long-Lived Domains

June 18, 2025

By: Jacob Malimban, Intelligence Team

Starting in Q1 2025, Cofense Intelligence detected a unique tactic combination for bypassing secure email gateways (SEGs). Threat actors have combined a long-lived domain with a unique CAPTCHA page and anti-automated analysis measures. Each technique is effective in hampering automated and manual analysis; however, the combination of techniques demonstrates remarkable sophistication from the threat actor.

Long-lived domains (LLDs) are effective at not triggering a security response because these domains typically have a history of being benign. This benefits a threat actor who can compromise such domains and use them to host, or redirect to, malicious content. The second technique, custom CAPTCHAs, is likely to block automated analysis because defense tools may not have learned to solve them. Manual analysis is also thwarted when the analyst operates from a VPN. The third technique, active anti-automated analysis, prevents security technology from reaching the CAPTCHA page at all: by detecting automated user agents, threat actors can serve benign webpages to scanning software in place of the malicious ones.

Key Points

  • Threat actors can detect the user agents used by SEGs and block them from analyzing their phishing websites.
  • Long-lived domains are more trusted than newly registered domains, which provides an opportunity for threat actors to smuggle malicious content.
  • Old CAPTCHAs can be automatically solved. However, newer CAPTCHAs and custom-made CAPTCHAs may not be automatically solved and can bypass security measures.

What are Long-Lived Domains?

Figure 1: Domain information shows it was registered over 10 years ago.

Cybersecurity professionals typically view newly registered domains (NRDs) with suspicion. This is because threat actors can easily create these new sites to host malware or deliver credential phishing pages. Conversely, there are long-lived domains which are treated with less suspicion by SEGs, security tools, and analysts because they have a long history of hosting benign content. For this report, an LLD is a domain that was registered over 10 years ago. In this campaign, threat actors appear to have compromised several LLDs. Some were registered up to 15 years ago but are now the initial step in a credential phishing attack.

Attack Flowchart

In general, attacks from this campaign using LLDs for credential phishing follow this process:

  1. A credential phishing email bypasses a SEG and is successfully delivered to an end-user.
  2. The email contains a link to an intermediary site: a compromised LLD.
  3. The LLD is abused by the threat actor to redirect to a page with a custom CAPTCHA.
  4. The custom CAPTCHA page can detect and block some SEG automated analysis. Successful completion of this CAPTCHA redirects the victim to a spoofed Microsoft Teams landing page.
  5. After entering their email in the Teams-spoofing page, the victim is redirected to the credential phishing page.

The final credential phishing page spoofs a Microsoft Live login. Credentials entered there are exfiltrated to a threat-actor-controlled endpoint.
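The redirect chain above, turned into a triage rule a defender can run over observed hops. This is an added example, not Cofense's tooling; it assumes the WHOIS creation date of each hop's domain is already available, and the dates and the two non-LLD hostnames are constructed placeholders.

```python
"""Redirect-chain triage for the long-lived-domain (LLD) pattern.

Added example. gracebaptist-church.org is the LLD named in the report; the
other hostnames, and all registration dates, are constructed sample data.
"""
from datetime import date
from urllib.parse import urlparse

LLD_YEARS = 10  # the report's definition: registered over 10 years ago

# Constructed redirect chain in click order: (url, domain registration date).
SAMPLE_CHAIN = [
    ("https://gracebaptist-church.org/", date(2010, 3, 2)),       # compromised LLD
    ("https://verify-captcha.example/check", date(2025, 1, 20)),  # custom CAPTCHA (placeholder)
    ("https://teams-voicemail.example/login", date(2025, 2, 5)),  # Teams-spoofing page (placeholder)
]


def domain_age_years(registered: date, observed: date) -> float:
    """Age in years at the observation date; precise enough for a threshold."""
    return (observed - registered).days / 365.25


def triage_chain(chain, observed: date):
    """Return a finding per suspicious hop; an empty list means nothing flagged.

    Rule taken from the report: a domain older than LLD_YEARS that hands the
    visitor straight to a domain younger than a year is the LLD-as-intermediary
    pattern. Domain age alone is not a trust signal; the pivot is.
    """
    findings = []
    for (src_url, src_reg), (dst_url, dst_reg) in zip(chain, chain[1:]):
        src_host = urlparse(src_url).hostname
        dst_host = urlparse(dst_url).hostname
        if src_host == dst_host:
            continue  # same-site hop, not a cross-domain pivot
        src_age = domain_age_years(src_reg, observed)
        dst_age = domain_age_years(dst_reg, observed)
        if src_age > LLD_YEARS and dst_age < 1:
            findings.append(
                f"LLD pivot: {src_host} ({src_age:.1f}y) -> {dst_host} ({dst_age:.2f}y)"
            )
    return findings


if __name__ == "__main__":
    for line in triage_chain(SAMPLE_CHAIN, date(2025, 6, 18)):
        print(line)
```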

Figure 2: Infection chain of this technique-combination campaign.

The Campaign with Long-Lived Domains

Figure 3: The intermediary site before redirecting used to be a legitimate church’s page.

After clicking on a phishing link, the victim usually lands on an allow-listed page. In this campaign, the intermediary allow-listed page is an LLD like gracebaptist-church[.]org. This LLD is used to bypass SEG security and obfuscate malicious sites. Upon visiting the LLD, the victim is immediately redirected to the next step, a customized CAPTCHA page with more anti-SEG measures.

Defeating Automated Analysis

After redirecting from the LLD, the victim reaches a customized CAPTCHA page, illustrated in Figure 5. Certain SEGs’ analysis tools would instead reach an unremarkable, benign page. Figure 4 depicts the JavaScript used to detect and block the user agents associated with multiple SEG link analysis tools: the attacker wants only ordinary browser user agents, such as Google Chrome and Microsoft Edge, to reach the CAPTCHA page.

Figure 4: JavaScript to detect certain SEG user agents and prevent automated analysis.
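Two defender-side checks for the user-agent cloaking shown in Figure 4, as an added example that is not code from the report: a static scan of a page's script for user-agent sniffing that gates a redirect, and a dynamic comparison of the same URL fetched under different user agents. SAMPLE_JS is a constructed stand-in for the attacker script; "ExampleSEG-LinkScanner" and "SampleMailGuard" are placeholder names, not real SEG user agents.

```python
"""Heuristics for user-agent cloaking (added example, not the report's code)."""
import hashlib
import re

# Constructed stand-in for the kind of script shown in Figure 4; the scanner
# names are placeholders.
SAMPLE_JS = """
var ua = navigator.userAgent;
if (/ExampleSEG-LinkScanner|SampleMailGuard/i.test(ua)) {
    window.location.href = "https://www.example.org/";   // benign decoy for scanners
} else {
    document.getElementById("captcha").style.display = "block";
}
"""

UA_REF = re.compile(r"navigator\.userAgent")
REGEX_TEST = re.compile(r"/((?:\\.|[^/\n])+)/[gimsuy]*\.test\(")
STRING_MATCH = re.compile(r"(?:indexOf|includes|match)\(\s*['\"]([^'\"]+)['\"]")
REDIRECT_SINK = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\(")


def scan_for_ua_cloaking(script: str) -> dict:
    """Report UA sniffing that can steer the visitor elsewhere, and the
    literal tokens the script tests the user agent against."""
    tokens = []
    for pattern in REGEX_TEST.findall(script):
        tokens += [t for t in pattern.split("|") if t]  # regex alternatives
    tokens += STRING_MATCH.findall(script)               # indexOf/includes/match
    sniffing = bool(UA_REF.search(script))
    sink = bool(REDIRECT_SINK.search(script))
    return {
        "ua_sniffing": sniffing,
        "redirect_sink": sink,
        "tested_tokens": tokens,
        # A UA check co-located with a redirect is the signature to surface.
        "ua_gated_redirect": sniffing and sink,
    }


def variants_diverge(bodies: dict) -> bool:
    """True when the same URL returned different content (whitespace-normalised)
    to different user agents, the dynamic symptom of cloaking."""
    digests = set()
    for body in bodies.values():
        normalised = " ".join(body.split()).encode()
        digests.add(hashlib.sha256(normalised).hexdigest())
    return len(digests) > 1
```

The token list tells an analyst which scanner names the page is keyed to, which is what should feed a block-list review of the sandbox's outbound user agent.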

SEGs whose analysis tools are not blocked by the user-agent check still need to pass the custom CAPTCHA. This CAPTCHA tracks mouse movement. Humans move the mouse imperfectly and unevenly, whereas automated analysis is performed by computers, typically with smooth, millisecond-precise motion. It is therefore unlikely that automated analysis will pass the custom CAPTCHA, if it can even reach it.

Figure 5: Custom CAPTCHA to confirm the user is a human.

After successfully passing this step, the victim is redirected to a “Teams voicemail” page and asked to confirm their email address. After clicking Enter, they are sent to a Microsoft-spoofing website. Credentials entered into that site are exfiltrated to the threat actor and likely sold on the dark web.

Figure 6: Teams "voicemail" before Microsoft-spoofing login page.