GBHackers

Threat Actors Weaponize Bing Ads for Azure Tech Support Scams


A sophisticated tech support scam campaign has emerged, exploiting malicious advertisements on Bing search results to redirect victims to fraudulent websites hosted on Microsoft’s Azure Blob Storage platform.

The attack, first detected on February 2, 2026, affected users across 48 organizations in the United States within hours, demonstrating the effectiveness of weaponizing legitimate advertising channels for cybercrime.

The scam begins when users search for common terms like “amazon” on Bing and click on what appear to be legitimate sponsored results.

These malicious advertisements redirect victims to a newly registered domain, highswit[.]space, which hosts an empty WordPress site serving as an intermediary.

From there, users are redirected to Azure Blob Storage containers displaying fake technical support warning pages.

[Figure: Typical tech support scam site (Source: Netskope)]

This attack technique, known as malvertising, has become increasingly sophisticated as threat actors exploit search engine advertising platforms to position their malicious content at the top of search results.

By purchasing ad space, criminals bypass the need for search engine optimization and automatically achieve premium visibility.

Infrastructure and Scale

All malicious URLs followed a consistent pattern: xxxxxxxxxxxxxxxxxx.blob.core.windows.net/yyyyyyyyy/werrx01USAHTML/index.html, indicating a standardized deployment method.

Researchers identified over 70 unique Azure Blob Storage container domains associated with this campaign.
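With more than 70 storage hostnames in play, hunting in web proxy logs works better when it keys on the fixed path tail and the intermediary domain than on individual hosts. The following is an added example, not code from Netskope or the original article; the log layout, sample hosts and function names are assumptions, and the x/y runs in the pattern are treated as variable account and container names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the article; the domain stays defanged and is refanged here.
INTERMEDIARY = "highswit[.]space".replace("[.]", ".")
BLOB_SUFFIX = ".blob.core.windows.net"
LANDING_TAIL = ["werrx01USAHTML", "index.html"]

def split_url(url):
    """Return (lower-cased host, non-empty path segments) for a URL."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, [s for s in parts.path.split("/") if s]

def classify(url):
    """Return 'intermediary', 'landing' or None for a single URL."""
    host, segments = split_url(url)
    if host == INTERMEDIARY or host.endswith("." + INTERMEDIARY):
        return "intermediary"
    # Match on the parsed host so look-alikes such as
    # blob.core.windows.net.example.com are not treated as Azure.
    if host.endswith(BLOB_SUFFIX) and len(segments) == 3:
        # <container>/werrx01USAHTML/index.html: any container, fixed tail.
        if segments[1:] == LANDING_TAIL:
            return "landing"
    return None

def hunt(log_lines):
    """Map client -> {'intermediary': bool, 'accounts': storage hosts seen}."""
    hits = defaultdict(lambda: {"intermediary": False, "accounts": set()})
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed records
        client, url = fields[1], fields[2]
        kind = classify(url)
        if kind == "intermediary":
            hits[client]["intermediary"] = True
        elif kind == "landing":
            hits[client]["accounts"].add(split_url(url)[0])
    return dict(hits)

# Constructed proxy log (timestamp, client, URL); account names are made up.
SAMPLE_LOG = [
    "2026-02-02T14:01:07Z 10.0.4.21 https://www.bing.com/search?q=amazon",
    "2026-02-02T14:01:09Z 10.0.4.21 https://" + INTERMEDIARY + "/",
    "2026-02-02T14:01:10Z 10.0.4.21 https://acct0001example.blob.core.windows.net/web01/werrx01USAHTML/index.html",
    "2026-02-02T14:03:44Z 10.0.7.90 https://builds.blob.core.windows.net/releases/tool/index.html",
    "2026-02-02T14:05:12Z 10.0.9.15 https://x.blob.core.windows.net.example.com/c/werrx01USAHTML/index.html",
]
```

A client that shows both the intermediary hit and a landing-page hit most likely followed the full ad redirect chain and is the one to prioritize for follow-up.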

The scam pages instructed victims to call phone numbers, including 1-866-520-2041 and 1-833-445-4045, where fraudsters would claim the victim’s computer was infected and demand payment for unnecessary services.

Azure Blob Storage has become an attractive platform for threat actors due to its legitimate infrastructure and the difficulty in distinguishing malicious content from legitimate uses.

Microsoft Threat Intelligence has warned about increased malicious activity targeting Azure services, with criminals exploiting misconfigurations and over-permissive access controls.

Industry Impact and Response

The campaign affected multiple sectors including healthcare, manufacturing, and technology. Netskope Threat Labs detected the campaign through their monitoring systems, which flagged the pages as “ET PHISHING Microsoft Support Phish Landing Page”.

All reported Azure Blob Storage domains were disabled by Microsoft following disclosure.

Tech support scams remain a persistent threat, with search engines continuously battling fraudulent advertisers.

Microsoft previously banned third-party tech support ads from Bing in 2018 after blocking over 15 million malicious ads.

However, this incident demonstrates that threat actors continue finding ways to circumvent protective measures by disguising their ads and exploiting legitimate cloud infrastructure.

Security experts recommend typing website addresses directly into browsers rather than relying on search results to avoid malicious advertisements entirely.
