The moment macOS detects a new network and cannot associate it with the previously known ones, it automatically starts the Captive Portal utility. With this programme, macOS analyses the new network. An attacker could deliberately trigger this behaviour and thus redirect a Mac to a website with malware. For this reason, it is recommended to disable this feature.

This behaviour can be deactivated via Terminal as follows.

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false