A sophisticated phishing campaign targeting Microsoft advertising account holders through malicious Google Ads has been identified, employing fake sponsored search results that impersonate legitimate Microsoft advertisements to capture login credentials. The attack follows a broader pattern of increasingly sophisticated credential theft campaigns targeting major technology platforms.
The attack methodology involves cybercriminals creating sponsored Google search results that appear when users search for terms like “Microsoft Ads” and “Bing Ads.” To avoid detection, the attackers use cloaking techniques that direct suspicious traffic to innocuous pages while routing genuine users through a Cloudflare verification checkpoint.
Once users pass verification, they encounter phishing pages that closely replicate Microsoft’s advertising login portals. These pages typically prompt users to reset their passwords, enabling attackers to capture sensitive credentials. Some phishing kits employed in this campaign have demonstrated the capability to bypass two-factor authentication (2FA), a concerning development given that major platforms have been strengthening their 2FA implementations to combat such threats.
The campaign’s infrastructure suggests a long-running operation, with connections to domains hosted in Brazil and other regions. Attackers use URLs that closely mimic Microsoft’s domains, incorporating subtle misspellings or substitutions such as “ads.microsoftt[.]com” or “ads-mlcrosoft[.]com”. The technique proves particularly effective as it exploits users’ trust in Google’s advertising platform, which has recently enhanced its security measures to combat malicious actors across its ecosystem.
“Luring targets into clicking on nefarious sponsored links, which redirect to a phishing page resembling the ‘ads.microsoft[.]com’ site that seeks users’ login credentials and two-factor authentication codes,” explained Jerome Segura, senior director of research at Malwarebytes.
The campaign’s scope extends across Microsoft’s advertising ecosystem, which generated $12.2 billion from search and news advertising in 2023. Security experts recommend several protective measures, including careful URL verification before entering credentials, implementation of two-factor authentication, regular monitoring of advertising accounts, and prompt reporting of suspicious advertisements. The rise of such sophisticated attacks has led many organizations to consider adopting more robust authentication methods like passkeys.
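The URL verification recommended above can be partly automated in a proxy or mail-gateway rule. The following sketch is an added example, not code from the cited reports: it flags hostnames that imitate the brand through misspellings or character substitutions, like the two lookalike domains quoted earlier. The function names, the small confusable-character table and the edit-distance threshold of 1 are assumptions chosen for illustration.

```python
# Added example: flag hostnames that imitate a brand without belonging to it.
BRAND = "microsoft"
TRUSTED_DOMAIN = "microsoft.com"
# Assumed, deliberately small subset of visually confusable substitutions.
CONFUSABLES = (("rn", "m"), ("1", "l"), ("i", "l"), ("0", "o"))


def refang(host: str) -> str:
    """Undo report-style defanging such as ads.microsoftt[.]com."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()


def skeleton(label: str) -> str:
    """Collapse confusable characters onto one representative form."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    host = refang(host)
    # Only the trusted domain itself or one of its subdomains is legitimate.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "legitimate"
    target = skeleton(BRAND)
    # Compare every dot- or hyphen-separated token against the brand name.
    for token in host.replace("-", ".").split("."):
        if token and edit_distance(skeleton(token), target) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ("ads.microsoft.com", "ads.microsoftt[.]com",
              "ads-mlcrosoft[.]com", "ads.example.org"):
        print(f"{h:24} {classify(h)}")
```

The same check also catches the brand used as a subdomain of an unrelated domain, because every label is compared, not just the registrable one.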
Brazil has been identified as the primary location for hosting phishing domains used in this campaign, indicating the operation’s global reach. Both Google and Microsoft have been notified of the security breaches.
Sources: Search Engine Land, SC World, GB Hackers