A recent report by LayerX Labs has uncovered a sophisticated phishing campaign that initially targeted Windows users but has now shifted its focus to macOS users.
The attackers, who have been active for months, originally posed as Microsoft security alerts to steal user credentials. By embedding fake security warnings on compromised websites, they deceived victims into believing their systems were locked and required immediate action. These phishing pages froze users’ browsers, creating the illusion of a complete system lockdown and prompting them to enter their login credentials.
The campaign’s effectiveness stemmed from several strategic tactics, as highlighted by LayerX Labs. The phishing pages were hosted on Microsoft’s Windows.net platform, making them appear credible to unsuspecting users. Additionally, attackers leveraged reputable hosting services and frequently changed subdomains to bypass security defenses. They even integrated anti-bot technologies and CAPTCHAs to prevent detection by automated security tools, ensuring their fraudulent pages remained online longer.
In early 2025, Microsoft, together with the Chrome and Firefox browsers, introduced new anti-scareware measures, leading to a sharp 90% decline in Windows-targeted phishing attempts. In response, the attackers adapted their methods to exploit macOS vulnerabilities, launching a surge of Mac-specific attacks within two weeks. These attacks used similar deception techniques but were modified to target Safari users. Victims often reached the phishing pages through typo-squatted domains, landing on malicious websites after misspelling a URL. Despite organizations using Secure Web Gateways, some attacks still bypassed defenses, though LayerX’s AI-based detection system successfully blocked several attempts.
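The two delivery traits the report describes, typo-squatted look-alike domains and rapid subdomain rotation on a trusted platform such as windows.net, can both be surfaced from proxy logs. The following is an added defender-side example, not code from LayerX or the report; the log format, the brand watch-list and the `threshold` of three distinct hosts are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
# Constructed sample proxy log lines (not from the report): "timestamp client host"
SAMPLE_LOG = """\
2025-02-10T09:00:01 10.0.0.5 login.microsoftonline.com
2025-02-10T09:00:07 10.0.0.5 micros0ft.com
2025-02-10T09:01:12 10.0.0.8 a1b2c3d4.blob.core.windows.net
2025-02-10T09:01:40 10.0.0.8 e5f6g7h8.blob.core.windows.net
2025-02-10T09:02:03 10.0.0.8 x9y8z7w6.blob.core.windows.net
2025-02-10T09:02:55 10.0.0.9 apple.com
2025-02-10T09:03:10 10.0.0.9 appel.com
"""
# Hypothetical watch-list of brands the report names as commonly impersonated.
BRANDS = ["microsoft.com", "apple.com", "netflix.com", "facebook.com"]

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) used as a typo-squat score."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); fine for a .com/.net watch-list."""
    return ".".join(host.lower().split(".")[-2:])

def records(log: str):
    return [tuple(ln.split()) for ln in log.splitlines() if ln.strip()]

def typosquat_hits(log: str, brands=BRANDS, max_dist: int = 2):
    """Hosts whose registered domain is within max_dist edits of a watched brand."""
    hits = []
    for _ts, _client, host in records(log):
        dom = registered_domain(host)
        if dom in brands:
            continue  # the real brand, not a look-alike
        for brand in brands:
            if levenshtein(dom, brand) <= max_dist:
                hits.append((host, brand))
    return hits

def rotating_windows_net(log: str, threshold: int = 3):
    """Clients that hit >= threshold distinct *.windows.net hosts (subdomain rotation)."""
    seen = defaultdict(set)
    for _ts, client, host in records(log):
        if host.lower().endswith(".windows.net"):
            seen[client].add(host)
    return {c: sorted(h) for c, h in seen.items() if len(h) >= threshold}
```

A real deployment would replace the two-label `registered_domain` with a public-suffix list and tune `threshold` to the organization's normal Azure blob usage, since legitimate storage accounts also live under windows.net.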
The growing threat of browser-based phishing has been further highlighted by Menlo Security’s recent State of Browser Security report, which recorded a 140% rise in phishing attacks compared to 2023. Zero-hour phishing incidents, where new scams emerge rapidly before security measures can respond, have also spiked by 130%. Attackers frequently impersonate major brands like Facebook, Microsoft, and Netflix to deceive users. Thomas Richards, a security expert at Black Duck, emphasized the importance of user vigilance, warning that legitimate antivirus services will never request login credentials to remove a threat. He urged users to treat unexpected pop-ups claiming their computer is compromised as suspicious and to avoid interacting with them.