Threat Actors Use Bing Ads for Azure Tech Support Scams

Sophisticated tech support scams are now exploiting Bing search advertisements. These campaigns redirect unsuspecting users to fraudulent pages hosted on Microsoft Azure Blob Storage.

This operation has affected users across 48 different organizations in the United States, impacting sectors including healthcare, manufacturing, and technology.

The attack began on February 2, 2026, at approximately 16:00 UTC, and quickly gained traction due to its clever placement within legitimate search results.

The attack strategy is particularly concerning because it targets users performing everyday searches. When victims searched for common terms such as “amazon,” they encountered malicious advertisements positioned prominently in Bing’s search results.

Clicking on these ads redirected them to highswit[.]space, a newly registered domain hosting an empty WordPress site.

This intermediate step served as a gateway, automatically forwarding users to Azure Blob Storage containers where the actual scam pages were hosted.

Netskope analysts identified the widespread nature of this campaign through their threat monitoring systems. The researchers noted that every malicious URL followed a consistent pattern, indicating a standardized deployment method.

Each fraudulent link included an Azure Blob Storage container, a random string identifier, a fixed path “werrx01USAHTML/index.html,” and a phone number parameter instructing victims whom to call.

The scammers used multiple phone numbers, including 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957.

The scam pages mimicked legitimate Microsoft security warnings, displaying fake alerts about Trojan spyware infections and system vulnerabilities.

These pages created a sense of urgency, prompting victims to contact the provided phone numbers for technical support. Once contacted, scammers would attempt to gain remote access to victims’ computers or extract financial information under the guise of fixing non-existent problems.

Attack Infrastructure and Pattern Analysis

The threat actors demonstrated technical sophistication in their infrastructure setup.

Security researchers discovered dozens of Azure Blob Storage containers, all following similar naming conventions with randomized strings.

This approach allowed attackers to quickly deploy new scam pages when older ones were taken down.

The consistent URL structure across all containers suggests the operation was automated, enabling rapid scaling of the campaign.

Microsoft has since been notified of all identified malicious containers, which no longer serve harmful content.

Users should remain vigilant by directly navigating to websites rather than clicking on search advertisements, especially when searching for well-known brands or services.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.