NEWS Windows Browsers Have Become Safer – Hackers Now Target macOS

Doni

Visual traps have already been adapted for the Apple audience without drawing much attention.

A phishing campaign disguised as Microsoft system notifications has shifted its focus and is now targeting macOS users. Initially, the attacks were aimed at Windows device owners, but at the beginning of 2025, specialists from LayerX, a platform specializing in browser security, detected a change in attack direction. The campaign had been actively evolving throughout 2024, gaining significant momentum toward the end of the year.


The first waves of attacks involved showing potential victims fake websites that mimicked system warnings from Microsoft.

Users were informed that their device was allegedly "locked" and "compromised," prompting them to enter their Windows credentials. Simultaneously, an imitation of a "browser freeze" was triggered to heighten the sense of panic. These tactics pressured victims into hastily providing their credentials.


What made these attacks particularly dangerous was that the fraudulent websites were hosted on the Windows.net platform—subdomains belonging to Microsoft itself. This created an illusion of legitimacy, deceiving even cautious users. The attackers also leveraged legitimate hosting services, allowing them to bypass security filters and detection mechanisms focused on suspicious sources.


An additional layer of disguise was achieved through the constant rotation of subdomains. Each subdomain had a short lifespan before being replaced by a new one. Even if a particular address was added to a blacklist of malicious links, the attack would quickly resume from a "clean" page. According to LayerX, this strategy enabled cybercriminals to maintain high effectiveness over an extended period.


However, by early 2025, the number of attacks on Windows users had dropped by nearly 90%. LayerX attributes this decline to improvements in security mechanisms in popular browsers. Chrome and Firefox have strengthened their defenses against phishing sites, while Microsoft Edge introduced a new feature to combat "scareware"—programs designed to create a false sense of threat and pressure users into taking action.


After losing effectiveness on Windows platforms, the attackers shifted their focus to Apple device owners. The campaign adopted a new visual style tailored for macOS but retained its core structure: fake system warnings and interface freezing intended to manipulate users into responding. LayerX notes that despite these visual changes, the attack's fundamental strategy remains unchanged.

Analysis of the campaign’s infrastructure and distribution methods suggests that this phase is merely preparation for a new wave of attacks. Experts warn that these attacks will likely resume soon, exploiting newly discovered vulnerabilities in Microsoft’s latest security mechanisms. The adaptability, scalability, and resilience of the attackers' architecture indicate a high level of organization behind the campaign.


At present, it remains unclear which macOS browsers have been targeted in these new attacks, and no precise data on the number of victims has been disclosed. However, given the structure and history of the previous phase, it is likely that all major browsers without additional security extensions remain vulnerable.


It is still unknown which group is behind this operation. No domains or registered accounts used to launch the fraudulent pages have been disclosed. However, the fact that legitimate tools and resources are being used suggests a well-prepared operation aimed at long-term persistence.
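
The subdomain rotation described above defeats exact-match blocklists, so a defender can instead flag requests to hosts under the shared parent domain that were first seen only recently. The sketch below is an added example, not part of the original post or LayerX's tooling; the log format, hostnames, and the seven-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHARED_SUFFIX = ".windows.net"  # parent domain named in the article

# Constructed proxy log: ISO timestamp, user, URL. All hostnames are invented.
SAMPLE_LOG = """\
2025-01-02T09:00:00 alice https://corpfiles.hosting.windows.net/docs/a.pdf
2025-01-20T09:05:00 bob https://corpfiles.hosting.windows.net/docs/b.pdf
2025-02-03T10:00:00 carol https://sample-rot-1.hosting.windows.net/index.html
2025-02-03T10:02:00 carol https://example.org/news
2025-02-04T11:00:00 dave https://sample-rot-2.hosting.windows.net/index.html
2025-02-04T11:30:00 alice https://corpfiles.hosting.windows.net/docs/c.pdf
"""

def parse(log_text):
    """Yield (timestamp, user, lowercase host) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, url = line.split(maxsplit=2)
            yield datetime.fromisoformat(ts), user, (urlsplit(url).hostname or "").lower()

def blocklist_hits(log_text, blocklist):
    """Exact-host blocklist: matches only subdomains that were already reported."""
    return [(user, host) for _, user, host in parse(log_text) if host in blocklist]

def young_shared_hosts(log_text, since, min_age=timedelta(days=7)):
    """Flag requests on/after `since` to hosts under SHARED_SUFFIX first seen < min_age ago.

    Earlier lines only build the first-seen history, so long-used tenant hosts age out.
    """
    first_seen, flagged = {}, []
    for ts, user, host in sorted(parse(log_text)):
        if not host.endswith(SHARED_SUFFIX):
            continue
        first_seen.setdefault(host, ts)
        if ts >= since and ts - first_seen[host] < min_age:
            flagged.append((user, host))
    return flagged

if __name__ == "__main__":
    known_bad = {"sample-rot-1.hosting.windows.net"}  # the only subdomain reported so far
    print("blocklist:", blocklist_hits(SAMPLE_LOG, known_bad))
    print("first-seen:", young_shared_hosts(SAMPLE_LOG, since=datetime(2025, 2, 1)))
```

With the constructed log, the blocklist catches only the already-reported subdomain, while the first-seen check also surfaces its rotated replacement and leaves the long-used host alone.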