New Phishing Campaign Attacking Mac Users to Steal User Credentials

A sophisticated phishing campaign has recently shifted its focus to target Mac users, demonstrating the evolving nature of cyber threats in response to improved security measures.

The attack, which previously targeted Windows users by masquerading as Microsoft security alerts, now employs similar tactics against the Apple ecosystem.

This campaign aims to steal user credentials by creating convincing illusions that victims’ computers have been compromised and subsequently locked.


The attack follows a familiar pattern where compromised websites display fake security warnings, claiming that the user’s system has been compromised.

Simultaneously, malicious code freezes the webpage, creating the perception that the entire computer is locked.

This deception compels users to enter their credentials, which are then harvested by the attackers.

LayerX Labs researchers identified this strategic pivot occurring within just two weeks of Microsoft rolling out new anti-phishing defenses in February 2025.

The security team observed a drastic 90% drop in Windows-targeted attacks following the implementation of new “anti-scareware” features in Edge, Chrome, and Firefox browsers, prompting attackers to redirect their efforts toward Mac users who weren’t covered by these protections.

“This attack campaign underscores two critical points: Mac and Safari users are now prime targets, and cybercriminals are highly adaptable,” noted the LayerX research team.

The campaign’s persistence demonstrates the continuous nature of the cybersecurity battle, as attackers consistently modify their tactics in response to new defenses.

Infection Mechanism

The infection process begins when victims mistype the URL of a legitimate website they are trying to reach and land on a compromised domain parking page.

Figure: Campaign Morphs to Target Mac Users (Source: LayerX)

These pages then redirect users to the phishing sites hosted on Microsoft’s Windows.net platform, lending an appearance of legitimacy to the attack.

The phishing pages have been redesigned to appear authentic to Mac users, with the code adjusted to single out macOS and Safari visitors based on the operating system and user agent values in the HTTP request.

What makes this campaign particularly effective is its use of randomized, quickly changing subdomains under the reputable windows.net domain.

This technique helps circumvent traditional protection mechanisms like Secure Web Gateways (SWGs) that assess page risk based on domain reputation.

Despite enterprise security measures, the attack has successfully bypassed conventional defenses, highlighting the need for advanced browser-level security solutions that can analyze web page behavior in real time.
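Because the subdomains churn under a parent domain with a good reputation, a check keyed on the full hostname and its first-seen time can surface what a domain-level verdict misses. The following is an added example, not code from LayerX or this article; the tab-separated log format, the one-day threshold, and every hostname other than the windows.net suffix are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: suffixes where any tenant can create hosts, so the parent
# domain's reputation says nothing about an individual subdomain.
SHARED_SUFFIXES = ("windows.net",)
NEW_HOST_WINDOW = timedelta(days=1)  # assumed threshold for "recently first seen"

MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.4 Safari/605.1.15")
WIN_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0")

# Constructed history: host -> first time seen in this environment.
KNOWN_HOSTS = {"teamfiles.windows.net": datetime(2024, 12, 1)}

# Constructed proxy log: time, user, host, referrer host, user agent (tab separated).
SAMPLE_LOG = [
    f"2025-03-10T09:00:00\talice\tteamfiles.windows.net\tintranet.example.test\t{MAC_SAFARI}",
    f"2025-03-10T09:05:00\tbob\tzq4k8vtx1m.windows.net\tparked-typo.example.test\t{MAC_SAFARI}",
    f"2025-03-10T09:06:00\tcarol\tp7w2nd9rlc.windows.net\t-\t{MAC_SAFARI}",
    f"2025-03-10T09:07:00\tdave\tm3x9qa5tbe.windows.net\tparked-typo.example.test\t{WIN_EDGE}",
    f"2025-03-10T09:08:00\terin\tnews.example.test\tparked-typo.example.test\t{MAC_SAFARI}",
]

def under_shared_suffix(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES)

def is_mac_safari(ua):
    # Chrome and Edge on macOS also send "Safari/", so exclude their tokens.
    return "Macintosh" in ua and "Safari/" in ua and "Chrome/" not in ua

def flag_suspicious(lines, first_seen):
    """Return (user, host, referrer) for new shared-suffix hosts reached by cross-site referral."""
    alerts = []
    for line in lines:
        ts_raw, user, host, referrer, ua = line.split("\t")
        ts, host, referrer = datetime.fromisoformat(ts_raw), host.lower(), referrer.lower()
        seen = first_seen.setdefault(host, ts)        # record hosts as they appear
        new_host = ts - seen <= NEW_HOST_WINDOW       # judged per full hostname
        cross_site = referrer != "-" and not under_shared_suffix(referrer)
        if under_shared_suffix(host) and new_host and cross_site and is_mac_safari(ua):
            alerts.append((user, host, referrer))
    return alerts

if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_LOG, dict(KNOWN_HOSTS)):
        print("review:", alert)
```

The long-known host, the visit with no referrer, and the non-Safari visit are left alone; only the newly seen subdomain reached from the parked page by a macOS Safari client is queued for review.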


Tushar Subhra Dutta