Full Report
Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior
Analysis Summary
# Tool/Technique: Malvertising Campaign Targeting Microsoft Advertisers
## Overview
A malvertising campaign utilizing bogus Google Search ads to redirect Microsoft advertisers to phishing pages designed to harvest their login credentials and Two-Factor Authentication (2FA) codes.
## Technical Details
- Type: Technique (Phishing/Malvertising)
- Platform: Google Search results, targeting users searching for "Microsoft Ads."
- Capabilities: Impersonation of legitimate services (Microsoft Ads), multi-stage redirection for evasion, credential harvesting.
- First Seen: Recent campaign reported in January 2025, with infrastructure identified dating back a couple of years.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (indirectly: the ad drives the victim to a subsequent action rather than delivering an attachment)
- T1566.002 - Spearphishing Link
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Traffic redirection used to filter security tools)
## Functionality
### Core Capabilities
- **Malicious Ad Placement:** Serving sponsored ads on Google Search for terms like "Microsoft Ads."
- **Phishing Page:** Hosting a convincing lookalike of the legitimate Microsoft advertising platform login page (`ads.microsoft[.]com` cloned as `ads.mcrosoftt[.]com`).
- **Credential Harvesting:** Capturing user login credentials and 2FA codes.
### Advanced Features
- **Evasion Tactics:** Redirecting traffic originating from VPNs to a phony marketing website.
- **Bot Filtering:** Serving Cloudflare Web Application Firewall (WAF) challenges to filter out automated scanning bots.
- **Lure Diversion (Rickrolling):** Users attempting to directly navigate to the final landing page (`ads.mcrosoftt[.]com`) are redirected to a YouTube video (Rickrolled) to deter manual investigation or casual direct access.
- **Infrastructure Linkage:** The majority of phishing domains are hosted in Brazil or use the `.com.br` TLD, drawing parallels to previous campaigns targeting Google Ads users that were hosted on `.pt` TLDs.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: [Not explicitly provided in the context; focus is on URLs/domains]
- Registry Keys: [Not applicable/provided]
- Network Indicators:
  - Phishing Domain: `ads.mcrosoftt[.]com` (defanged)
  - Common TLDs observed: `.com.br`
- Behavioral Indicators:
  - Traffic redirection based on source (VPN detection).
  - Presentation of Cloudflare challenges.
  - Redirection to YouTube upon direct access to the final landing page.
## Associated Threat Actors
- Unidentified threat actors running the malvertising operation.
- Contextually linked to actors who previously targeted Google Ads users via similar means.
## Detection Methods
- Signature-based detection: Identifying the known phishing domains and C2 infrastructure.
- Behavioral detection: Monitoring for redirects originating from search results leading to credential input forms mimicking Microsoft Ads.
- YARA rules: [Not specified in the context]
## Mitigation Strategies
- **Auditing Search Behavior:** Users should verify URLs carefully, especially when searching for sensitive platform logins.
- **Using Official Channels:** Accessing Microsoft Advertising platforms only through trusted bookmarks or direct, verified navigation instead of search ads.
- **WAF/Bot Management:** Ensuring robust WAF configurations (like Cloudflare) are in place to challenge suspicious traffic, though attackers attempt to bypass simple checks.
- **Credential Protection:** Enforcing strong multi-factor authentication (MFA/2FA) that is resistant to simple MFA prompt bombing (e.g., hardware tokens or push notifications that require explicit user consent).
## Related Tools/Techniques
- Similar campaigns targeting Google Ads users using sponsored links.
- Smishing campaigns impersonating delivery services (USPS), which also exhibit advanced obfuscation techniques (malicious links hidden inside PDF attachments).
***
# Tool/Technique: Smishing Campaign Impersonating USPS (Secondary Topic)
## Overview
An SMS phishing (Smishing) campaign impersonating the United States Postal Service (USPS) to trick mobile users into clicking malicious links or submitting personal and payment information under the guise of resolving failed package deliveries.
## Technical Details
- Type: Technique (Smishing/Social Engineering)
- Platform: Mobile devices (SMS/iMessage)
- Capabilities: Social engineering via delivery failure lures, embedding malicious links inside PDF attachments, sophisticated URL obfuscation within PDFs, capturing sensitive data (address, email, phone, payment card details).
- First Seen: Recent report disclosed alongside the malvertising findings (early 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.004 - Phishing: SMS/Smishing
- TA0007 - Credential Access
- T1555 - Credentials from File Systems (If PDF leads to capture)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Bypassing PDF URL extraction detection via non-standard URI tags)
## Functionality
### Core Capabilities
- **Social Engineering Lure:** Messages claim a package delivery failure requiring immediate action.
- **Data Collection:** Phishing webpage collects mailing address, email, phone number, and payment card details (for a supposed "redelivery service charge").
- **Data Exfiltration:** Collected data is encrypted and sent to an attacker-controlled remote server.
### Advanced Features
- **PDF Obfuscation:** Malicious links are embedded in PDF attachments without using the standard `/URI` tag, making automated extraction by security tools significantly harder.
- **iMessage Bypass:** Messages often include prompts like "Please reply to Y" or "Please reply to 1" to trick the recipient into replying, which in turn disables iMessage's built-in phishing link protection for that thread.
- **Scale:** Large operation involving at least 20 malicious PDFs and 630 phishing pages detected.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Malicious PDFs used in the attack.
- Registry Keys: [Not applicable/provided]
- Network Indicators: Remote servers receiving encrypted data (Specific IPs/domains not listed).
- Behavioral Indicators: SMS messages claiming delivery failure from USPS that contain an embedded PDF requiring a click.
## Associated Threat Actors
- Unidentified threat actors (The attack structure shows sophistication).
- **Related Connection:** The technique of coercing a reply to disable iMessage protection is associated with the **Darcula** Phishing-as-a-Service (PhaaS) toolkit and the Chinese-speaking threat actor **Smishing Triad**.
## Detection Methods
- Signature-based detection: Identifying known malicious PDF hashes or associated phishing pages.
- Behavioral detection: Analyzing SMS/iMessage content for suspicious PDF attachments combined with delivery failure urgencies, or monitoring for replies that correspond to iMessage protection bypasses.
- YARA rules: Rules capable of detecting PDF structures that lack standard URI tags for URL identification.
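As an added defender-side example for the PDF obfuscation noted above and the detection point just listed (this is not code from the page or from the researchers it cites), the Python below scans a PDF for link annotations whose action carries no `/URI` and for URLs that appear only inside FlateDecode streams, so URL extraction does not depend on the standard tag. The sample PDF, its hostnames and its hidden-link form (a JavaScript action pointing at a compressed stream) are constructed stand-ins; the page does not say which non-standard method the campaign used.

```python
import re
import zlib

# URL characters; quotes and parentheses excluded so PDF string delimiters end the match
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")

def build_sample_pdf(with_hidden: bool = True) -> bytes:
    """Constructed sample, not a real lure: one standard /URI link and, optionally, a link whose
    action carries no /URI and whose target exists only inside a FlateDecode stream."""
    js = zlib.compress(b"app.launchURL('https://redelivery-fee.example/pay');")  # constructed target
    annots = b"[4 0 R 5 0 R]" if with_hidden else b"[4 0 R]"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots " + annots + b" >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://usps.example/track) >> >>",
    ]
    if with_hidden:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /JavaScript /JS 6 0 R >> >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def _stream_bodies(data: bytes):
    """Yield each stream body, inflating FlateDecode streams (no external PDF library needed)."""
    for m in re.finditer(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\nendstream", data, re.S):
        header, body = m.group(1), m.group(2)
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # unreadable stream: skip it rather than abort the whole scan
        yield body

def scan_pdf(data: bytes) -> dict:
    """Flag link annotations without a /URI action and URLs present outside any /URI entry."""
    declared = {m.group(1) for m in re.finditer(rb"/URI\s*\((https?://[^)]*)\)", data)}
    links_without_uri = sum(
        1 for m in re.finditer(rb"/Subtype\s*/Link(.*?)endobj", data, re.S) if b"/URI" not in m.group(1)
    )
    hidden = set()
    for blob in (data, *_stream_bodies(data)):  # raw bytes first, then every inflated stream
        hidden.update(u for u in URL_RE.findall(blob) if u not in declared)
    return {"declared": sorted(declared), "links_without_uri": links_without_uri,
            "hidden": sorted(hidden), "suspicious": links_without_uri > 0 or bool(hidden)}
```

Run `scan_pdf(build_sample_pdf())` to see the hidden target recovered from the deflated stream, and `scan_pdf(build_sample_pdf(with_hidden=False))` for the clean case that should not be flagged.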
## Mitigation Strategies
- **User Education:** Caution against clicking links or opening unexpected attachments from SMS/iMessage, especially those concerning delivery misses.
- **Security Configuration:** Keeping mobile operating systems updated to patch vulnerabilities that allow link hiding.
- **MFA/Payment Security:** Never entering full payment card details for small verification fees requested via SMS links.
## Related Tools/Techniques
- Darcula Phishing-as-a-Service (PhaaS) toolkit.
- Smishing Triad (Chinese-speaking threat actor using similar iMessage bypass techniques).