New Phishing Campaign Targets macOS Users with Fake Security Alerts
A recent report by LayerX Labs has revealed a new phishing campaign that was initially designed to deceive Windows users but lately focused on targeting macOS users.
The campaign, which LayerX Labs monitored for several months, originally posed as Microsoft security alerts, aiming to steal user credentials. In the attack, attackers employed deceptive tactics, creating fake security warnings on hacked websites that claimed the user’s computer was “compromised” and “locked.” Victims were encouraged to enter their Windows username and password, while malicious code froze the webpage, mimicking a complete system lockdown.
According to LayerX’s analysis, shared with Hackread.com, several factors contributed to the campaign’s initial effectiveness. Firstly, the phishing pages were hosted on Microsoft’s Windows.net platform, making the fake security warnings appear legitimate.
Also, attackers utilized trusted hosting services, exploiting the fact that traditional anti-phishing defences often rely on top-level domain reputation. Furthermore, they employed randomized, rapidly changing subdomains, making it difficult for security tools to track and block the malicious pages, which themselves were professionally designed, and frequently updated to evade detection. Some even incorporated anti-bot and CAPTCHA technologies to hinder automated web crawlers.
When Microsoft, along with Chrome and Firefox, introduced new anti-scareware features in early 2025, a dramatic 90% drop in Windows-targeted attacks was noticed. In response, the attackers adapted their strategy, shifting their focus to macOS users, unprotected by these new defences.
Within two weeks, LayerX Labs observed a surge in Mac-based attacks, much similar to the Windows-targeted ones but with slight code adjustments aiming to specifically target macOS and Safari users. Victims were lured to the phishing pages via compromised domain “parking” pages, often after making a typo in a URL.
In one instance, a macOS and Safari user from a LayerX enterprise customer was targeted. Although the organization employed a Secure Web Gateway, the attack bypassed it. However, LayerX’s AI-based detection system, which analyzes web pages using numerous parameters at the browser level, successfully blocked the attack.
This campaign highlights the increasing sophistication of phishing attacks targeting macOS users. Menlo Security’s recent State of Browser Security report further highlights this trend, revealing a dramatic increase in browser-based attacks, especially since the popularity of generative AI.
The report found a whopping 140% increase in browser-based phishing attacks compared to 2023, with a 130% increase specifically in zero-hour phishing attacks and the impersonation of major brands like Facebook, Microsoft, and Netflix.
Menlo Security’s analysis of over 752,000 browser-based phishing attacks reveals that one in five attacks now employs evasive techniques to bypass traditional security measures.
Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating, “In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack and the ruse they use is a fairly old one and quite common.”
“If you ever get an unknown random pop-up saying your computer is compromised, it should be treated as suspicious and ignored,” Thomas warned. “Anti-virus services will never ask you to enter a username and password to remove a threat.”
