A new phishing campaign is targeting Microsoft advertisers through deceptive ads on Google Search. Its goal is to steal the credentials of users trying to sign in to Microsoft's advertising platform.

The Attack Methodology

The attackers place ads on Google's platform that look legitimate and are shown to users searching for "Microsoft Ads" (formerly Bing Ads). Clicking one of these ads sends the visitor through a redirect chain to a fake Microsoft login page built to harvest credentials.

Phishing Infrastructure

By pivoting on artifacts shared between the phishing pages, we found a network of phishing domains that has been targeting Microsoft accounts for years. These domains are an integral part of the attackers' infrastructure, which we have reported to Google.

Genuine vs. Deceptive Strategies

Microsoft itself advertises on Google's search engine, so a sponsored result for "Microsoft Ads" is exactly what a searcher expects to see. The fraudulent ads bypass Google's ad security checks and sit among those genuine sponsored results, indistinguishable at a glance.

Techniques Used by Attackers

To evade detection, the attackers use redirection and cloaking: the landing URL filters out bot traffic and sends unwanted source IPs, such as VPN egress addresses, to an innocuous marketing page, so scanners and ad reviewers never see anything malicious.

Visitors who pass those filters are then shown a Cloudflare challenge to verify that they are human; those who fail are diverted away. Unlike the fake "verify you are human" pages seen in other malicious campaigns, this is a genuine Cloudflare challenge, used here to keep automated analysis away from the phishing page.

Phishing Execution

Visitors who pass the challenge are redirected to a convincing fake of the Microsoft Ads login page, hosted on a domain chosen to resemble the legitimate one (ads.microsoft.com). The page then asks the user to reset their password under a false pretext, a flow that may be intended to get around two-factor authentication (2FA).
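The filtering gate described in the two sections above (redirection and cloaking, followed by a human-verification challenge, and only then the phishing page) is easy to misread when analysed from a scanner or a VPN, because those vantage points only ever see the decoy. The following is an added illustration, not the attackers' code: it models the gate's decision logic and then probes it the way an analyst would, replaying the same URL from several client profiles and comparing what comes back. The network ranges, user-agent markers, page bodies and profile names are all invented for the example; real cloaking kits source their VPN and datacenter ranges from commercial IP-intelligence lists.

```python
"""Model of a cloaking gate (filter -> challenge -> phishing page) plus a
probe that reveals cloaking by replaying one URL from several client
profiles. Added illustration, not the attackers' code: the network
ranges, user-agent markers, page bodies and hostnames are invented."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Invented prefixes standing in for the VPN/datacenter ranges a cloaker blocklists.
UNWANTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
BOT_UA_MARKERS = ("bot", "crawler", "spider", "curl/", "python-requests", "headlesschrome")

DECOY_PAGE = "<title>Digital Marketing Agency</title>"         # innocuous page for filtered traffic
CHALLENGE_PAGE = "<title>Just a moment...</title>"             # stands in for the Cloudflare challenge
PHISH_PAGE = "<title>Microsoft Advertising - Sign in</title>"  # reached only after the challenge


@dataclass
class Request:
    client_ip: str
    user_agent: str
    challenge_passed: bool = False   # set once the human check has been cleared


def is_unwanted(req: Request) -> bool:
    """The cloaker's filter: scanner-looking user agents or VPN/datacenter
    source IPs are classed as unwanted and never see the phishing page."""
    ua = req.user_agent.lower()
    if any(marker in ua for marker in BOT_UA_MARKERS):
        return True
    return any(ipaddress.ip_address(req.client_ip) in net for net in UNWANTED_NETS)


def landing_page(req: Request) -> Tuple[str, str]:
    """Return (stage, body): 'decoy' for filtered visitors, 'challenge' for
    unverified humans, 'phish' once the challenge has been passed."""
    if is_unwanted(req):
        return "decoy", DECOY_PAGE
    if not req.challenge_passed:
        return "challenge", CHALLENGE_PAGE
    return "phish", PHISH_PAGE


def probe_for_cloaking(handler: Callable[[Request], Tuple[str, str]],
                       profiles: Dict[str, Request]) -> Dict[str, object]:
    """Replay the same landing URL as each profile and fingerprint the body.
    Different content for different profiles from one URL is the signature
    of cloaking; the analyst should then re-check from a residential,
    browser-like vantage point rather than trust what a scanner or VPN saw."""
    fingerprints = {name: hashlib.sha256(handler(req)[1].encode()).hexdigest()[:12]
                    for name, req in profiles.items()}
    return {"cloaked": len(set(fingerprints.values())) > 1, "fingerprints": fingerprints}


# Constructed probe profiles; 192.0.2.0/24 plays the part of a residential range.
PROFILES = {
    "url-scanner": Request("203.0.113.7", "Mozilla/5.0 (compatible; ExampleBot/1.0)"),
    "vpn-browser": Request("198.51.100.42", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    "home-browser": Request("192.0.2.15", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
}

if __name__ == "__main__":
    for name, req in PROFILES.items():
        print(f"{name:13s} -> {landing_page(req)[0]}")
    print(probe_for_cloaking(landing_page, PROFILES))
```

The practical lesson is in the probe: a sandbox that only ever fetches from a datacenter egress with a scripted user agent will classify this landing page as a harmless marketing site, because that is the only version it is allowed to see. Replaying from a second, browser-like, residential profile and diffing the two responses exposes the cloaking even before the challenge and the phishing page come into view.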

Broader Campaign Insights

The infrastructure behind this campaign points to phishing activity that is not limited to Microsoft; the same tactics are likely being used against other advertising platforms such as Facebook. It shows how extensive and well-organised these operations within the advertising ecosystem have become.

Users can protect themselves by:

  • Checking the URL in the address bar against the legitimate domain (ads.microsoft.com) before entering login details; a hostname that merely contains the word "microsoft" is not a Microsoft domain.
  • Using 2FA, and treating any unexpected password-reset prompt as suspicious.
  • Monitoring advertising accounts for unauthorized changes or irregular activity.
  • Reporting suspicious ads to the platform that served them, to help protect others.

These preventive measures, combined with vigilance, are essential in mitigating the threat of phishing through malicious advertising.

Indicators of Compromise

The following domains are associated with this phishing campaign and should be blocked and hunted for in proxy and DNS telemetry:

  • 30yp[.]com
  • aboutadvertselive[.]com
  • aboutblngmicro[.]cloud
  • account-microsoft[.]online
  • account-microsoft[.]site
  • account-mircrosoft-ads[.]com

This list aims to assist threat hunters and cybersecurity professionals in identifying malicious activity linked to this phishing scheme.
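The indicators above, together with the "verify the URL" advice in the protection tips, are most useful when turned into a check that can be run over telemetry. The following is an added example, not code from the original report: it refangs the defanged domains, matches them (and their subdomains) against proxy log lines by URL host rather than by substring, and classifies a login URL as legitimate only when its hostname actually sits under a Microsoft zone. The log lines and the allowlist of Microsoft zones are constructed for the example; in a real deployment the allowlist would come from policy.

```python
"""Triage helper for the indicators above: refangs the defanged domains,
matches them against proxy log lines, and checks whether a login URL really
belongs to Microsoft. Added example, not code from the original report; the
log lines and the allowlist of legitimate zones are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

IOC_DEFANGED = [
    "30yp[.]com", "aboutadvertselive[.]com", "aboutblngmicro[.]cloud",
    "account-microsoft[.]online", "account-microsoft[.]site",
    "account-mircrosoft-ads[.]com",
]


def refang(value: str) -> str:
    """Turn '30yp[.]com' back into '30yp.com'; also undoes '(.)' and 'hxxp://'."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DEFANGED)

# Constructed allowlist: zones under which a genuine Microsoft sign-in host lives.
LEGIT_MS_ZONES = ("microsoft.com", "microsoftonline.com", "bing.com", "live.com")


def host_in_zone(host: str, zone: str) -> bool:
    """True for the zone apex and any subdomain of it, never for lookalikes
    such as 'microsoft.com.evil.test' or 'account-microsoft.online'."""
    return host == zone or host.endswith("." + zone)


def matches_ioc(host: str) -> Optional[str]:
    """Return the matching indicator if host is an IoC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host_in_zone(host, ioc):
            return ioc
    return None


def classify_login_url(url: str) -> str:
    """'legitimate' only if the hostname is under a Microsoft zone; a hostname
    that merely contains 'microsoft' is 'unknown' or, if listed, 'known-phish'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if matches_ioc(host):
        return "known-phish"
    if any(host_in_zone(host, zone) for zone in LEGIT_MS_ZONES):
        return "legitimate"
    return "unknown"


# Constructed proxy log lines (not real telemetry): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2024-01-31T10:02:11Z 10.1.4.20 GET https://ads.microsoft.com/ 200
2024-01-31T10:02:40Z 10.1.4.20 GET https://login.account-microsoft.online/reset 200
2024-01-31T10:03:02Z 10.1.7.9  GET https://www.google.com/search?q=microsoft+ads 200
2024-01-31T10:05:15Z 10.1.7.9  GET http://cdn.aboutblngmicro.cloud/js/app.js 200
2024-01-31T10:06:00Z 10.1.2.2  GET https://example.com/30yp.com/page 200
"""

URL_RE = re.compile(r"\s(https?://\S+)\s")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host, indicator) for each line whose URL host hits an IoC.
    Matching is on the parsed host, so '/30yp.com/' in the path of an unrelated
    site does not fire, while a subdomain of a listed domain does."""
    hits = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname or ""
        ioc = matches_ioc(host)
        if ioc:
            hits.append((line.split()[1], host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IoC hit:", hit)
```

Two design points matter here. Matching on the parsed hostname with a zone check, rather than grepping for the string, avoids both false positives (an indicator appearing in a path) and false negatives (a fresh subdomain of a listed domain). And the legitimacy check is an allowlist of zones, not a blocklist: every lookalike in the indicator list contains "microsoft" or a misspelling of it, which is exactly why the presence of the brand name in a hostname must count for nothing.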
