Analysts believe the influx of emails stemming from contact forms indicates the attackers may have automated the process by bypassing CAPTCHA protections. Microsoft Security issued an alert today over the discovery. It seems that every CAPTCHA devised has been compromised, Years ago phpBB endured attacks from bots that could get past all of the CAPTCHAs tried. Resorting to questions and answers was the final salvation.

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware.

Microsoft Defender for Office 365 detects and blocks these emails and protects organizations from this threat.

Misleading messages with threats are designed to trick uses with evidently legitimate forms and messages. Recall the spam campaign from AppSpot. The evidence is overwhelming that Google needs to overhaul its security focus.