Threat actors are weaponizing Bing Ads to launch sophisticated tech support scams, targeting users with fraudulent pages hosted on Microsoft Azure Blob Storage. This campaign, which began on February 2, 2026, has impacted nearly 50 organizations across vital sectors in the United States, including healthcare, manufacturing, and technology. The malicious advertisements were strategically placed within legitimate search results for everyday queries, making them difficult to distinguish from genuine offerings.
When unsuspecting users searched for common terms like “amazon,” Bing showed them the malicious ads in prominent positions. Clicking one of these advertisements redirected them to a newly registered domain, highswit[.]space, which initially hosted an empty WordPress site. This intermediate page then automatically forwarded victims to Azure Blob Storage containers where the actual scam pages resided, effectively masking the true source of the malicious content. Netskope analysts identified the operation through their threat monitoring systems, noting a consistent pattern across all fraudulent URLs, which indicates a standardized and scalable deployment strategy by the attackers.
Attack Infrastructure and Pattern Analysis
The security researchers observed a concerning level of technical sophistication employed by the threat actors in their infrastructure setup. Dozens of Azure Blob Storage containers were discovered, all exhibiting similar naming conventions that incorporated randomized strings. This method allowed the attackers to swiftly deploy new scam pages even after older ones were identified and taken offline. The uniformity in the URL structure across these containers strongly suggests that the entire operation was automated, facilitating rapid scaling of the ongoing campaign.
Each malicious link followed the same pattern: an Azure Blob Storage container, a randomly generated string of characters serving as an identifier, the fixed path “werrx01USAHTML/index.html” designating the scam page content, and a phone number parameter. This parameter instructed potential victims on which number to call for assistance, further solidifying the illusion of legitimate support. The scammers used a range of phone numbers, including 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957. Using multiple numbers likely served to broaden their reach and complicate efforts to block their communications.
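The following is an added example, not code from Netskope or the original article: a Python check a defender could run over proxy or DNS log URLs to flag the pattern described above. The `.blob.core.windows.net` suffix is the standard Azure Blob Storage endpoint; the sample URLs, account names and the `ph` parameter name are constructed, because the article does not state the parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Values taken from the article (redirector domain written without defanging).
FIXED_PATH = "werrx01USAHTML/index.html"
REDIRECTOR = "highswit.space"
KNOWN_NUMBERS = {"18665202041", "18334454045", "18553690320",
                 "18665202173", "18334453957"}
# Assumption: standard Azure Blob Storage endpoint suffix.
BLOB_SUFFIX = ".blob.core.windows.net"
# North American number, optional leading 1, common separators.
PHONE_RE = re.compile(r"^\+?1?[-. (]*\d{3}[-. )]*\d{3}[-. ]*\d{4}$")

def normalize_phone(value):
    """Return 11 digits with country code 1, or None if not a phone number."""
    if not PHONE_RE.match(value.strip()):
        return None
    digits = re.sub(r"\D", "", value)
    return digits if len(digits) == 11 else "1" + digits

def classify(url):
    """Return the reasons a URL matches the campaign pattern (empty = no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host == REDIRECTOR or host.endswith("." + REDIRECTOR):
        reasons.append("redirector-domain")
    if host.endswith(BLOB_SUFFIX):
        if parts.path.endswith("/" + FIXED_PATH):
            reasons.append("blob-fixed-path")
        # The parameter name is unknown, so inspect every query value.
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            phone = normalize_phone(value)
            if phone:
                reasons.append("known-number" if phone in KNOWN_NUMBERS
                               else "phone-parameter")
    return reasons

# Constructed sample URLs; account names, random strings and "ph" are made up.
SAMPLE = [
    "https://exampleacct01.blob.core.windows.net/x7k2q9/werrx01USAHTML/index.html?ph=1-866-520-2041",
    "https://exampleacct02.blob.core.windows.net/m4z8p1/werrx01USAHTML/index.html?ph=1-800-555-0100",
    "https://exampleacct03.blob.core.windows.net/docs/report.pdf",
    "http://highswit.space/",
    "https://www.amazon.com/?ref=1-866-520-2041",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(classify(u), u)
```

Matching on the fixed path and the presence of a phone-number value, rather than on container names, keeps the check useful when the randomized strings or the phone numbers rotate.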
The content presented on these scam pages was designed to evoke a strong sense of urgency and fear in the targeted users. The pages mimicked legitimate Microsoft security warnings, displaying fabricated alerts that purported to identify critical threats such as Trojan spyware infections and severe system vulnerabilities. This facade aimed to pressure victims into immediate action, compelling them to contact the provided phone numbers for urgent technical support to resolve these non-existent issues. Once a victim was on the phone, the scammers would attempt to gain remote access to the victim’s computer or directly solicit sensitive financial information under the guise of performing essential repair work.
Microsoft has been duly notified of all identified malicious Azure containers. As a result, these specific containers are no longer serving harmful content, a testament to the collaborative efforts between security researchers and platform providers. However, the underlying tactics and the adaptability of these threat actors mean that similar campaigns are likely to emerge in the future. Users are strongly advised to maintain a heightened state of vigilance, particularly when engaging with search advertisements. It is generally recommended to navigate directly to well-known websites by typing their URLs into the address bar, rather than relying on search engine results, especially when seeking services from established brands or companies.
The ongoing nature of such tech support scams highlights the persistent challenge of online security. As threat actors continually evolve their methodologies, adopting new technologies and exploiting existing ones like cloud storage services and search engine advertising, the need for user education and robust cybersecurity measures remains paramount. The continued monitoring of such campaigns by organizations like Netskope is crucial in identifying and neutralizing these threats before they can cause significant harm to individuals and businesses alike.

