
Scareware Combined With Phishing in Attacks Targeting macOS Users


Jasper_The_Rasper
Moderator

A long-running campaign phishing for credentials through scareware recently switched to targeting macOS users.

 

March 19, 2025 By Ionut Arghire

 

A scareware campaign phishing for login credentials recently switched from targeting Windows to macOS, Israeli cybersecurity firm LayerX reports.

Throughout 2024 and in early 2025, the attacks targeted Windows users, relying on compromised websites to serve fake Microsoft security alerts claiming that users’ computers had been compromised and locked.

The malicious code caused the webpages to freeze, creating the illusion of an issue, and the victim was instructed to provide their Windows username and password, LayerX explains.

As part of the campaign, the threat actors hosted their phishing pages on the legitimate Azure application hosting platform Windows.net, adding a sense of legitimacy to the fake prompts.

The use of a trusted hosted service for the underlying infrastructure allowed the attackers to bypass anti-phishing defenses that check the reputation of the Top-Level Domain (TLD).

“In this case, the TLD (windows[.]net) is a well-known and highly-used platform by a reputable provider (Microsoft), with a high TLD reputation score. As a result, these pages were able to circumvent traditional protection mechanisms,” LayerX explains.

Randomized, rapidly-morphing subdomains were also used to serve malicious code, and the attackers carefully crafted their phishing pages to look as professional as possible, and included anti-bot and CAPTCHA verification on them, likely to delay automated page classification solutions.

Recently, Chrome, Firefox, and Microsoft Edge received new anti-scareware capabilities, which led to a 90% drop in Windows-targeted attacks, and forced the threat actors to switch focus to macOS users, who are not protected by these defense mechanisms.

 

>>Full Article<<
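A defensive sketch of the reputation gap the article describes, added here as an example and not taken from the article or from LayerX: when a hostname sits under a shared hosting suffix, the reputation lookup is keyed on the full hostname instead of the parent domain, and long, high-entropy leftmost labels are queued for review. Only `windows.net` comes from the article; the suffix list, thresholds, function names and sample hostnames are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumption: suffixes under which tenants choose the subdomain.
# Only windows.net is named in the article; extend from your own inventory.
SHARED_HOSTING_SUFFIXES = ("windows.net",)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off in bits per character; tune on real traffic
MIN_LABEL_LEN = 10       # assumed minimum length before entropy is meaningful


def normalize(host):
    return host.lower().rstrip(".")


def on_shared_hosting(host):
    """True when the host is a tenant subdomain of a shared hosting suffix."""
    host = normalize(host)
    return any(host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def reputation_key(host):
    """Name a reputation lookup should be keyed on for this host."""
    host = normalize(host)
    if on_shared_hosting(host):
        return host  # tenant-controlled: the parent's score says nothing here
    # Simplification: the last two labels stand in for the registrable domain.
    return ".".join(host.split(".")[-2:])


def shannon_entropy(label):
    """Shannon entropy of a label, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_randomized(host):
    """Heuristic: leftmost label is long and close to uniformly random."""
    label = normalize(host).split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def triage(host):
    shared = on_shared_hosting(host)
    return {"host": host, "reputation_key": reputation_key(host),
            "shared_hosting": shared, "review": shared and looks_randomized(host)}


if __name__ == "__main__":
    # Constructed sample hostnames, not observed indicators.
    for h in ("k3x9q7zt2v8w1m.windows.net", "contosostorage.windows.net", "www.example.com"):
        print(triage(h))
```

Entropy alone is a coarse signal, so a flagged host is a candidate for page-content inspection, not a verdict.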

 
