
A phishing attack that previously hit Windows users has now switched its target to the Mac. In a report published Wednesday, security provider LayerX Labs explains how and why the attackers are now eager to scam Mac users.
In the initial campaign launched against Windows users, the scammers set up websites to display fake security warnings claiming that the person’s computer had been compromised and locked. After prompting the potential victim to enter their Windows username and password, the scammers would run code to freeze the page, tricking people into thinking their computers had locked up.
The scam has proven effective for several reasons, according to LayerX.
Hosted on a Microsoft platform: The phishing pages were hosted on Microsoft’s Windows.net platform, an open environment designed for Azure applications. This made the security warnings look and seem legitimate. Using a trusted hosting service also allowed the pages to sneak past the typical security defenses that would otherwise have detected them as malicious.
Quick change sub-domains: The scammers set up random sub-domains under Windows.net to serve up the actual code. Even if a specific page was identified as malicious, the attackers could quickly replace it with another URL on a different sub-domain without interrupting the campaign.
Sophisticated design: The phishing pages themselves were well-designed and looked professional. They were also frequently updated to avoid security detection.
Anti-bot and CAPTCHA methods: The code for the phishing pages contained anti-bot and CAPTCHA verification. The purpose was to block the automated web crawlers that security professionals use to find malicious pages.
Based on the initial success, the scammers ramped up their activities throughout 2024 and early 2025. But earlier this year, the attack finally caught the eye of Microsoft, which added anti-scareware protection to its Edge browser. Google Chrome and Firefox adopted their own tools to fend off such attacks. Collectively, these responses resulted in a 90% drop in attacks targeting Windows, LayerX said.
So what’s a poor cybercriminal gang to do? Right, they just changed their target to the Mac. A mere two weeks after Microsoft gave Edge the new anti-scareware defense, the attackers had switched gears to Mac users. Though mostly similar to the Windows campaign, the Mac-focused attack differs in a few ways.
The phishing pages and messages have been revamped to look more legitimate to Mac users. The underlying code has been tweaked to target Mac and Safari users. But the pages continue to be hosted on Windows.net to appear legit and evade detection.
In the new campaign, potential victims are redirected to the phishing pages through compromised domain parking pages. A parking page is a placeholder page shown on a registered domain that has no valid content. The page then redirects the person through multiple sites before taking them to the actual attack page.
For example, an employee working for a LayerX enterprise customer used macOS and Safari. The attack got through even though the company used a Secure Web Gateway (SWG). LayerX’s AI-based detection system was able to block the page before it caused any trouble.
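Because the sub-domains rotate, blocking individual URLs does not keep up; the stable signal is the shape of the visit: several cross-host redirects that end on a never-before-seen host under the shared platform. The sketch below is an added example, not code from LayerX or ZDNET. The hostnames and log records are constructed, and the hop threshold, the suffix match and the `known_hosts` baseline are assumptions to tune per environment.

```python
from urllib.parse import urlsplit

# Assumptions (not from the report): suffix match on the platform the article
# names, and three cross-host hops as the cut-off for "multiple sites".
SHARED_HOSTING_SUFFIX = ".windows.net"
MIN_HOPS = 3

# Constructed proxy records: (requested URL, redirect target or None).
SAMPLE = [
    ("http://parked-domain.test/", "http://hop1.test/r"),
    ("http://hop1.test/r", "http://hop2.test/go"),
    ("http://hop2.test/go", "https://k7x2q9vd4zhm.example.windows.net/index.html"),
    ("https://k7x2q9vd4zhm.example.windows.net/index.html", None),
    ("https://intranet.test/", "https://corpfiles.example.windows.net/a.pdf"),
]

def redirect_chains(records):
    """Rebuild redirect chains; a URL that is nobody's target starts a chain."""
    nxt = {url: target for url, target in records if target}
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue
        chain, seen = [start], {start}
        # Follow the redirects, stopping on a loop or a terminal page.
        while chain[-1] in nxt and nxt[chain[-1]] not in seen:
            chain.append(nxt[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains

def suspicious(chain, known_hosts):
    """Many cross-host hops ending on an unfamiliar host of the shared platform."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final = hosts[-1]
    if not final.endswith(SHARED_HOSTING_SUFFIX) or final in known_hosts:
        return False
    return len(set(hosts)) - 1 >= MIN_HOPS

def flag(records, known_hosts=frozenset()):
    """Return the landing URLs of chains worth an analyst's attention."""
    return [c[-1] for c in redirect_chains(records) if suspicious(c, known_hosts)]

if __name__ == "__main__":
    print(flag(SAMPLE))
```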
“In terms of the attack itself, it seems the malicious actors were targeting the Apple ID credentials of users, not the physical device or OS passwords,” LayerX product marketing head Eyal Arazi told ZDNET. “If you look at screenshots of the attack page, that’s what they ask for in the ‘security warning.’ Such access could give them access to the user’s iCloud account, including files, pictures, phone backups, and more. Moreover, once hackers have one password belonging to a user, they often try to do ‘credential stuffing’ across multiple systems and services.”
With Firefox and Chrome identifying and blocking the phishing pages in response to the Windows campaign, Arazi said he expects the macOS versions of both browsers to also offer similar protection. That would leave Safari, the most popular Mac browser, at a higher risk, at least until Apple adds similar measures.
“Phishing attacks are evolving, and despite the fact that Macs are traditionally less susceptible to viruses, Mac users are no exception to many modern threats,” Keeper Security CEO and co-founder Darren Guccione told ZDNET. “Cybercriminals are opportunistic — when one attack vector gets blocked, they pivot to the next. This campaign demonstrates how quickly attackers adapt, leveraging trusted infrastructure and sophisticated deception to bypass traditional security measures.”
How can organizations and individuals combat these types of phishing scams?
“Individual users and businesses cannot rely on built-in protections alone,” Guccione said. “Users should be equipped with tools that prevent credential theft, such as password managers and multi-factor authentication (MFA), but just as importantly, they need continuous security awareness training and education. The best defense is knowing how to spot and respond to phishing attempts, which includes keeping an eye out for urgent language, avoiding clicking on suspicious links and pop-ups, and visiting trusted websites directly.”
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)