
New Phishing Campaign Targets macOS Users with Sophisticated Tactics

A recent report by LayerX Labs has uncovered a phishing campaign that initially targeted Windows users but has now shifted its focus to macOS users. This campaign originally masqueraded as Microsoft security alerts, aiming to steal user credentials by displaying fake security warnings on compromised websites. These warnings claimed that the user’s computer was “compromised” and “locked,” prompting victims to enter their Windows username and password. Malicious code would freeze the webpage, mimicking a complete system lockdown.

Several factors contributed to the campaign’s initial success:

  • Legitimate Infrastructure: The phishing pages were hosted on Microsoft’s Windows.net platform, which made the fake alerts appear legitimate.
  • Trusted Hosting Services: Attackers exploited the fact that traditional anti-phishing defenses often rely on top-level domain reputation.
  • Randomized Subdomains: They used rapidly changing subdomains, making it difficult for security tools to track and block the malicious pages.
  • Professional Design: The pages were well-designed and frequently updated to evade detection.
  • Anti-Bot and CAPTCHA Technologies: Some versions included these technologies to hinder automated web crawlers.
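
For defenders, the first three factors mean reputation has to be tracked per subdomain on shared hosting rather than per parent domain. The sketch below is an added example, not code from LayerX or the campaign; the hostnames, baseline, thresholds and the assumption that randomized subdomains interleave letters and digits are all constructed for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumption: suffixes where every subdomain is a separate tenant, so the
# parent domain's good reputation says nothing about an individual host.
SHARED_SUFFIXES = (".windows.net",)

def reputation_key(url):
    """Key reputation on the full host for shared hosting, else the parent domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.endswith(SHARED_SUFFIXES):
        return host
    # Simplification: last two labels; a real deployment would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def looks_random(label, min_len=10, min_entropy=3.0, min_switches=3):
    """Heuristic (thresholds are assumptions): long, high-entropy label that
    alternates between letters and digits several times."""
    if len(label) < min_len:
        return False
    counts = Counter(label)
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(label, label[1:]))
    return entropy >= min_entropy and switches >= min_switches

def triage(urls, baseline):
    """Return shared-hosting tenants not in the baseline whose label looks random."""
    hits = set()
    for url in urls:
        key = reputation_key(url)
        if key.endswith(SHARED_SUFFIXES) and key not in baseline:
            if looks_random(key.split(".")[0]):
                hits.add(key)
    return sorted(hits)

# Constructed sample data: hosts the organisation already uses, then proxy-log URLs.
BASELINE = {"contosoreports.blob.core.windows.net"}
LOG = [
    "https://contosoreports.blob.core.windows.net/docs/q1.pdf",
    "https://x7k2qv9zt4mw1.z13.web.core.windows.net/index.html",
    "https://p0d8rj3nhy6bq.z13.web.core.windows.net/alert/",
    "https://teamphotos2024.blob.core.windows.net/a.jpg",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for host in triage(LOG, BASELINE):
        print("review:", host)
```

The output is a review queue, not a block list: legitimate tenants can also have machine-generated names, so hits are best correlated with other signals such as a credential form on the page.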

After Microsoft, Chrome, and Firefox introduced new anti-scareware features in early 2025, the campaign saw a 90% drop in Windows-targeted attacks. In response, the attackers quickly adapted their strategy to target macOS users, who were not covered by these new protections. Within two weeks, LayerX Labs observed a surge in Mac-based attacks, with slight code adjustments to target macOS and Safari users.

Victims were typically lured to the phishing pages via compromised domain “parking” pages, often after making a typo in a URL. In one case, a macOS and Safari user was targeted despite a Secure Web Gateway being in place, but LayerX’s AI-based detection system successfully blocked the attack.

How to Protect Yourself

To protect themselves from sophisticated phishing attacks, macOS users can take several proactive steps:

Protection Strategies

  • Keep macOS and Browsers Updated:
    • Regularly update macOS and Safari to ensure you have the latest security patches and features. This helps protect against known vulnerabilities.
  • Use Antivirus Software:
    • Install reputable antivirus software to scan for malware and other threats. This can help detect and block malicious code.
  • Verify URLs:
    • Always ensure that the website URL is correct before entering sensitive information. Be cautious of typos that might redirect you to compromised sites.
  • Use Password Managers:
    • Password managers can alert you if you’re about to enter credentials into a suspicious site. They also help generate and store unique, strong passwords.
  • Enable Multi-Factor Authentication (MFA):
    • MFA adds an extra layer of security, making it harder for attackers to access your accounts even if they obtain your credentials.
  • Stay Educated:
    • Participate in security awareness training to learn how to spot phishing attempts. Be wary of urgent language, suspicious pop-ups, and unfamiliar URLs.
  • Avoid Clicking Links in Pop-ups:
    • If you see a security warning, navigate directly to your system or browser settings instead of clicking embedded links.
  • Use Secure Web Gateways (SWG) and AI-Based Detection Tools:
    • Consider using SWGs and AI-based tools that can analyze web pages for suspicious activity at the browser level.
  • Be Cautious with Phone Calls:
    • Be wary of phone calls claiming to be from tech support. Legitimate companies rarely contact users unsolicited for security issues.
  • Monitor Account Activity:
    • Regularly check your account activity for any suspicious transactions or login attempts.

By following these steps, macOS users can significantly reduce their risk of falling victim to sophisticated phishing attacks.
