Security firm LayerX Labs says a sophisticated phishing campaign has recently began targeting Mac browser users following new security features for Windows browsers being rolled out by Microsoft, Chrome, and Firefox.
For the past few months, LayerX has been monitoring a sophisticated phishing campaign that initially targeted Windows users by masquerading as Microsoft security alerts. The campaign’s goal was to steal user credentials by employing deceptive tactics that made victims believe their computers were compromised.
Originally, the phishing attacks involved compromised websites displaying fake security warnings claiming that the user’s computer had been “compromised” and “locked.” Users were then prompted to enter their Windows username and password. The malicious code also caused the webpage to freeze, creating the illusion that the entire computer was locked.
The campaign was quite effective, thanks to the phishing pages being hosted on Microsoft’s Windows.net platform, lending the page credibility. The use of a legitimate infrastructure also helped bypass security tools that asses a website’s risk based on domain reputation.
Once browser developers for Chrome, Firefox, and Edge rolled out anti-scareware protections in early 2025, LayerX saw a 90% drop in Windows-targeted attacks.
The pages targeting Mac browsers use a similar visual design as the original attacks, but are tailored for macOS and Safari users. Victims typically arrive at the phishing pages by typos in a URL, which load compromised domain parking pages that then rapidly redirect the user’s browser through multiple websites before finally arriving at a malicious page.
“While phishing campaigns targeting Mac users have existed before, they have rarely reached this level of sophistication,” says LayerX. The security firm expects to see “a resurgent wave of attacks” as the threat actors continue to adapt their techniques to overcome new security protections.
Mac users are advised to double-check website URLs when typing them into their browser, and should use a security tool that can detect browser threats.
