Cybersecurity researchers have identified a malvertising campaign that targets Microsoft advertisers through fraudulent Google ads designed to redirect them to phishing pages capable of harvesting login credentials.
According to reports, the malicious ads, which appear in Google Search, aim to steal login details from users attempting to access Microsoft's advertising platform. The discovery follows a previous Malwarebytes report exposing a similar campaign that used Google Ads to target advertisers on that platform.
The latest attacks lure users searching for terms such as 'Microsoft Ads' on Google Search, leading them to sponsored ads containing malicious links. The threat actors behind the scheme employ various evasion tactics, including redirecting traffic from virtual private networks (VPNs) to fake marketing websites and using Cloudflare challenges to filter out automated security scans.
Users attempting to visit the final phishing page, 'ads.mcrosoftt[.]com,' directly are redirected to a YouTube video featuring the “Rickroll” internet meme. The phishing site closely resembles the legitimate 'ads.microsoft[.]com' page and is designed to capture login credentials and two-factor authentication (2FA) codes, potentially allowing attackers to hijack accounts.
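A defender can catch a domain like the one above before a user logs in by comparing the registrable domain of a clicked URL against the domains the organisation actually uses. The following is an added example, not code from Malwarebytes or the original report; the `TRUSTED` list, the short suffix list and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example: flag hostnames that imitate, but do not equal, a trusted domain.
from urllib.parse import urlsplit

# Assumption: registrable domains the organisation legitimately signs in to.
TRUSTED = {"microsoft.com", "google.com"}
# Constructed short list of multi-label public suffixes; a real deployment
# should use the full Public Suffix List instead.
MULTI_SUFFIXES = {"com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (one label plus public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a URL."""
    # Refang defanged indicators ("[.]") before parsing.
    host = urlsplit(url.replace("[.]", ".")).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted"
    name = domain.split(".")[0]
    for good in sorted(TRUSTED):
        if edit_distance(name, good.split(".")[0]) <= max_distance:
            return f"lookalike:{good}"
    return "unknown"
```

Comparing only the registrable domain means a subdomain such as `ads.` cannot make a lookalike appear closer to, or further from, the trusted name.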
Malwarebytes reported that the phishing infrastructure has been active for years and may have targeted other advertising platforms, including Meta. Many of the identified phishing domains are hosted in Brazil or use the '.com.br' top-level domain, similar to a previous campaign targeting Google Ads users, which primarily operated on the '.pt' top-level domain.