
Hello team,

I recently analyzed a targeted SMS registration attack against our mobile application and discovered something puzzling. Despite clear indicators of malicious behavior, Google reCAPTCHA v3 assigned these requests a relatively high score of 0.7 (with 1.0 being completely trusted human users).

Attack Overview:

  • Traffic originated from multiple hosting provider IPs across different continents
  • All requests used an identical app version but varied device models
  • Systematic targeting of both registration and activation endpoints
  • The attack focused on specific activation code patterns

The Confusion: Why would reCAPTCHA v3 score these obvious automated attack requests from hosting servers as 0.7? Shouldn't this receive a very low score? Our threshold is set at 0.5, so these requests were considered "probably legitimate" by the system, just slightly suspicious.

Discussion Questions:

  1. Is this a known limitation of the reCAPTCHA v3 algorithm?
  2. Has anyone experienced similar situations?
  3. Any recommendations for optimizing our reCAPTCHA implementation to better identify such attacks?

Thank you for your insights and suggestions!
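An added example, not part of the post above and not the poster's code: a server-side registration guard that treats the reCAPTCHA v3 score as one signal among several. It assumes the siteverify response has already been fetched as JSON, that the caller supplies a set of hosting-provider IPs from an external list, and a constructed policy (a stricter score bar for datacenter sources, token freshness, and a per-IP velocity budget); the sample response, IPs and clock are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE_THRESHOLD = 0.5                  # the post's current threshold
HOSTING_THRESHOLD = 0.9               # assumed: stricter bar for hosting-provider IPs
TOKEN_MAX_AGE = timedelta(minutes=2)  # assumed: reject tokens older than this
VELOCITY_WINDOW, VELOCITY_LIMIT = timedelta(minutes=10), 3  # assumed per-IP budget

class RegistrationGuard:
    def __init__(self, expected_host, datacenter_ips):
        self.expected_host = expected_host
        self.datacenter_ips = set(datacenter_ips)  # assumed: from an ASN/hosting list
        self.seen = defaultdict(deque)             # ip -> timestamps of recent attempts

    def decide(self, verify_json, expected_action, client_ip, now):
        r = json.loads(verify_json)  # parsed siteverify response body
        if not r.get("success"):
            return "deny", ["siteverify_failed"] + r.get("error-codes", [])
        reasons = []
        if r.get("action") != expected_action:      # token bound to this action
            reasons.append("action_mismatch")
        if r.get("hostname") != self.expected_host:  # and to this site
            reasons.append("hostname_mismatch")
        issued = datetime.strptime(r["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
        if now - issued.replace(tzinfo=timezone.utc) > TOKEN_MAX_AGE:
            reasons.append("stale_token")
        if reasons:
            return "deny", reasons
        # A 0.7 from a hosting provider should not clear the same bar as a home IP.
        threshold = HOSTING_THRESHOLD if client_ip in self.datacenter_ips else BASE_THRESHOLD
        if r.get("score", 0.0) < threshold:
            reasons.append(f"score_below_{threshold}")
        q = self.seen[client_ip]  # per-IP velocity, independent of the score
        q.append(now)
        while now - q[0] > VELOCITY_WINDOW:
            q.popleft()
        if len(q) > VELOCITY_LIMIT:
            reasons.append("velocity_exceeded")
        return ("step_up", reasons) if reasons else ("allow", [])
SAMPLE_RESPONSE = json.dumps({"success": True, "score": 0.7, "action": "register",  # constructed
    "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "app.example.com"})
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock
def demo():
    guard = RegistrationGuard("app.example.com", datacenter_ips={"203.0.113.10"})
    hosted = guard.decide(SAMPLE_RESPONSE, "register", "203.0.113.10", NOW)
    home = guard.decide(SAMPLE_RESPONSE, "register", "198.51.100.7", NOW)
    wrong_action = guard.decide(SAMPLE_RESPONSE, "activate", "198.51.100.7", NOW)
    for _ in range(VELOCITY_LIMIT):  # same home IP again within the window
        burst = guard.decide(SAMPLE_RESPONSE, "register", "198.51.100.7", NOW)
    return hosted, home, wrong_action, burst
```

With this policy the post's 0.7 from a hosting IP is routed to step-up verification rather than accepted, while the same score from a residential IP passes until its velocity budget is exhausted.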
