A sophisticated phishing and scareware campaign has pivoted from Windows to macOS users, exposing Safari users and enterprises to a new wave of cybersecurity risks.
For much of 2024 and into early 2025, cybercriminals focused on Windows users. Their strategy relied on hijacked websites delivering fake Microsoft security alerts. These alerts claimed the user’s device was compromised and locked — creating a false sense of urgency designed to extract login credentials.
To make the threat feel real, malicious code forced the browser to freeze, simulating a system failure. Victims were then urged to enter their Windows username and password, unknowingly handing over sensitive details to the attackers.
What made this operation highly effective was the attackers’ use of Microsoft’s windows[.]net platform — a legitimate Azure hosting service. By operating under a well-known domain with a strong reputation score, they successfully bypassed many anti-phishing defenses that rely heavily on domain trust.
The campaign further used rapidly changing subdomains and integrated anti-bot mechanisms along with CAPTCHA checks, making automated detection much harder for security systems.
Recent security improvements in Chrome, Firefox, and Microsoft Edge introduced powerful anti-scareware protections. As a result, Windows-focused attacks dropped by an estimated 90%, forcing attackers to recalibrate their strategy.
Within weeks of these browser upgrades, cybercriminals redirected their efforts toward macOS users — a group lacking comparable protections against scareware-driven phishing attacks.
The phishing tactics remained largely the same but were adapted for macOS environments. Attackers designed new layouts and messaging tailored to Apple users while modifying the malicious code to target Safari specifically.
Victims often landed on these phishing pages after mistyping URLs of legitimate websites. These typos redirected them through a chain of compromised ‘parking’ pages until they faced a professional-looking phishing site hosted on windows[.]net.
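A defender-side way to hunt for the chain just described (typo domain, then a run of redirects through parking pages, ending on a rotating windows[.]net subdomain) in Secure Web Gateway or proxy logs. This is an added example, not code from the article or from LayerX; the log format, hostnames, brand list and sanctioned-Azure allowlist are all constructed.

```python
import re
from collections import defaultdict

# Hypothetical corporate allowlists: brand domains users legitimately visit,
# and the *.windows.net hosts the organisation itself uses (sanctioned Azure).
BRAND_DOMAINS = {"example.com", "contoso.com"}
SANCTIONED_WINDOWS_NET = {"corpfiles.blob.core.windows.net"}

# Constructed sample SWG export (not real traffic). Columns: time client status host
SAMPLE_LOG = """\
10:00:01 10.0.0.5 302 examlpe.com
10:00:02 10.0.0.5 302 park-one.test
10:00:03 10.0.0.5 302 park-two.test
10:00:04 10.0.0.5 200 x7k2q9.z13.web.core.windows.net
10:01:10 10.0.0.7 200 corpfiles.blob.core.windows.net
10:02:00 10.0.0.9 302 example.com
10:02:01 10.0.0.9 200 www.example.com
"""

def edit_distance(a, b):
    """Levenshtein distance; a typo of a brand domain is usually within 1-2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_typo(host):
    return any(host != d and edit_distance(host, d) <= 2 for d in BRAND_DOMAINS)

def find_suspicious_chains(log_text):
    """Return [(client, [hop hosts])] for typo -> 30x... -> unsanctioned *.windows.net."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, status, host = line.split()
        per_client[client].append((int(status), host.lower()))
    hits = []
    for client, events in per_client.items():
        i = 0
        while i < len(events):
            status, host = events[i]
            if 300 <= status < 400 and looks_like_typo(host):
                hops, j = [host], i + 1
                while j < len(events) and 300 <= events[j][0] < 400:  # follow the redirects
                    hops.append(events[j][1]); j += 1
                if j < len(events):
                    hops.append(events[j][1])  # the final 200: the landing page
                final = hops[-1]
                if final.endswith(".windows.net") and final not in SANCTIONED_WINDOWS_NET:
                    hits.append((client, hops))
                i = j
            i += 1
    return hits
```

Running `find_suspicious_chains(SAMPLE_LOG)` flags only client 10.0.0.5; the sanctioned storage host and the genuine example.com redirect are left alone, which is the point of pairing the typo check with an allowlist rather than alerting on every windows.net hit.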
In one reported incident, a macOS user working for an enterprise was lured into the trap while using Safari. Despite the company employing a Secure Web Gateway (SWG) to filter threats, the attack slipped through undetected.
According to cybersecurity experts, corporate environments face even greater risks from this campaign. While a personal account breach typically impacts just one user, compromising an enterprise account could expose large volumes of sensitive data — potentially causing significant organizational damage.
Eyal Arazi, Head of Product Marketing at LayerX, emphasized the growing sophistication of this campaign. He explained,
“Whereas the compromise of a personal, non-corporate account is typically limited to the exposure of that individual user, the compromise of a corporate or enterprise account can result in data exposure at the organizational level, making the threat much more severe.”
Arazi also highlighted the adaptive nature of the attack, stating,
“As the change of attack vectors from Windows to Mac demonstrates, this campaign is a highly professional, persistent, and adaptive attack campaign, which poses significant threats to enterprise users.”
Cybersecurity analysts believe this group will continue refining its operations, making macOS users — especially those within organizations — prime targets. By leveraging existing infrastructure with slight modifications, attackers have proven their ability to adapt swiftly to changing security landscapes.
As these threats evolve, businesses and individuals alike are urged to stay vigilant, ensure their security tools are up-to-date, and educate users about scareware tactics designed to exploit human error.