Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a malvertising campaign targeting Microsoft advertisers through fraudulent Google Ads designed to redirect users to phishing pages that steal their login credentials.

According to the researchers, the attack specifically targets users searching for "Microsoft Ads" on Google, showing them malicious sponsored ads that appear legitimate. Once victims click on these ads, they are taken to a phishing page that closely resembles the official Microsoft Ads login portal. The attackers also attempt to capture two-factor authentication (2FA) codes, allowing them to hijack accounts entirely. Researchers identified that this campaign has been active for years and may have also targeted other platforms such as Meta.
To evade detection, the threat actors employ multiple techniques, including filtering traffic through Cloudflare challenges and redirecting VPN users to unrelated marketing websites. Additionally, users who attempt to visit the final phishing domain directly ("ads.mcrosoftt[.]com") are humorously redirected to a Rickroll video on YouTube, possibly to mislead security analysts. Most of the phishing infrastructure is hosted in Brazil, with domains ending in ".com.br", mirroring previous campaigns that targeted Google Ads users and were hosted on Portuguese domains. Despite Google's enforcement of security measures, such malicious ads continue to appear, exploiting gaps in ad verification processes.
Alongside the Microsoft Ads campaign, another large-scale phishing operation is targeting mobile users through SMS phishing (smishing) attacks impersonating the United States Postal Service (USPS). Victims receive messages claiming a failed package delivery, urging them to open an attached PDF file to update their address. According to the researcher, a "Click Update" button within the PDF redirects them to a phishing page where they are prompted to enter sensitive personal and financial information. The attackers use an advanced obfuscation technique to evade detection, embedding malicious links within the PDFs without using the standard link tags, which makes it harder for security solutions to extract and analyze the URLs.
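A defender-side check for the PDF trick described above, added here as an example (not code from the advisory or from any researcher): it extracts URLs declared through ordinary /URI link annotations, then inflates the page content streams and looks for URLs that appear only there, which is the pattern a scanner keyed on link tags alone would miss. The two PDFs are constructed inline with placeholder domains; the stream parser handles only flat stream dictionaries with a direct /Length, which is an assumption sufficient for the demo.

```python
import re
import zlib

# Bare URLs; parentheses and quotes are excluded so a URL inside "(...) Tj" text ends at ")".
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # the declared /Link annotation form
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")       # flat stream dicts only (no nesting)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skips indirect "/Length 6 0 R"


def iter_stream_bodies(pdf: bytes):
    """Yield each stream body sized by /Length, inflating FlateDecode streams; bad ones are skipped."""
    for m in STREAM_RE.finditer(pdf):
        header = m.group(1)
        length = LENGTH_RE.search(header)
        if not length:
            continue
        body = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body


def find_urls(pdf: bytes) -> dict:
    """Return URLs declared through /URI annotations and URLs found anywhere else in the file."""
    declared = set(URI_ANNOT_RE.findall(pdf))
    seen = set(URL_RE.findall(pdf))
    for body in iter_stream_bodies(pdf):
        seen.update(URL_RE.findall(body))
    return {"declared": sorted(declared), "hidden": sorted(seen - declared)}


def build_sample_pdf(content: bytes, uri: bytes = b"") -> bytes:
    """Constructed minimal one-page PDF with a Flate-compressed content stream (demo input only)."""
    body = zlib.compress(content)
    annot = (b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri
             + b") >> >>\nendobj\n") if uri else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>\nendobj\n" + annot
            + b"5 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: a benign PDF with a declared link, and a lure whose "Click Update"
# text carries its URL only inside the compressed page content, with no /URI annotation.
BENIGN_PDF = build_sample_pdf(b"BT /F1 12 Tf (Tracking) Tj ET", uri=b"https://www.example.test/track")
LURE_PDF = build_sample_pdf(b"BT /F1 12 Tf (Click Update: https://usps-redelivery.example.test/update) Tj ET")
```

Any non-empty "hidden" list is worth a closer look, since a legitimate document rarely needs a clickable-looking URL that is absent from its link annotations.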
The USPS smishing campaign has been linked to a well-known phishing-as-a-service (PhaaS) toolkit called Darcula, which has been widely used to impersonate postal services worldwide. Notably, attackers have devised methods to bypass Apple's iMessage security measures that prevent links from being clickable unless the sender is known. By instructing recipients to reply to a specific number, they manipulate iMessage into marking the message as trusted, making the phishing attempt more convincing. This tactic has been associated with a Chinese-speaking threat group known as the Smishing Triad, which has extensively targeted victims across different countries.
Both campaigns highlight how cybercriminals are refining their techniques to exploit security gaps in advertising platforms and mobile communications. The Microsoft Ads phishing operation uses sophisticated malvertising strategies, while the USPS-themed smishing attack leverages social engineering and technical obfuscation. Despite countermeasures from Google and Apple, these threats persist, emphasizing the need for heightened vigilance, stronger security controls, and continuous efforts to improve detection mechanisms.
Impact
- Sensitive Credential Theft
- Security Bypass
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities a threat actor may have exploited. Also, prioritize patching known exploited vulnerabilities and zero-days.