A recent phishing campaign has emerged, targeting Microsoft advertisers by leveraging Google Ads.
The attackers are deploying malicious sponsored results on Google Search to steal login credentials for Microsoft’s advertising platform.
This follows a similar attack aimed at Google Ads accounts, highlighting the persistent vulnerabilities in online advertising ecosystems.
The phishing scheme involves fake ads mimicking legitimate Microsoft Ads (formerly Bing Ads).
These ads redirect unsuspecting users to malicious websites designed to harvest sensitive information.
Despite Google’s security measures, these fraudulent ads managed to bypass detection, exposing users to significant risks.
Phishing Infrastructure
The attackers employ sophisticated evasion tactics, including redirection and cloaking mechanisms.
When bots or security scanners attempt to access these malicious links, they are redirected to benign “white pages” to avoid detection.
Genuine users, however, are subjected to a Cloudflare verification challenge before being redirected to phishing pages disguised as Microsoft Advertising login portals.
The phishing pages imitate Microsoft’s legitimate domain (ads.microsoft.com) and prompt users with fake error messages, urging them to reset their passwords.
These pages are also equipped to bypass two-factor authentication (2FA), a standard feature in modern phishing kits due to the widespread adoption of 2FA by users.
Investigative Findings
Investigations by Malware Bytes revealed that this campaign is part of a larger operation targeting Microsoft accounts over several years.
The infrastructure supporting these attacks includes multiple domains, some hosted in Brazil or using Brazilian top-level domains (.com.br).
The campaign’s scale suggests that other platforms, such as Facebook, may also be vulnerable.
Notably, the attackers use unique identifiers like favicon.ico files and URL patterns to expand their malicious network.
Researchers have identified numerous related domains, indicating the extensive reach of this operation.
While tech companies like Google and Microsoft continue to enhance their security measures, users must remain vigilant.
Key steps to protect against such threats include:
- Verifying URLs: Always check for inconsistencies or misspellings in website addresses before entering credentials.
- Using 2FA Wisely: While 2FA adds an extra security layer, users must scrutinize access requests carefully.
- Monitoring Accounts: Regularly review advertising accounts for suspicious activities or unauthorized changes.
- Reporting Suspicious Ads: Reporting malicious ads helps improve the overall security ecosystem.
This campaign underscores the ongoing challenges of securing online advertising platforms against phishing attacks.
As threat actors refine their techniques, both companies and users must adopt proactive measures to mitigate risks.
The findings suggest that this may only be the “tip of the iceberg,” with broader implications for digital advertising security across various platforms.
