Threat Actors Weaponize Bing Ads to Attack Users with Azure Tech Support Scams

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated tech support scam campaign has emerged, exploiting Bing search advertisements to redirect unsuspecting users to fraudulent pages hosted on Microsoft Azure Blob Storage.

This operation has affected users across 48 different organizations in the United States, impacting sectors including healthcare, manufacturing, and technology.

The attack began on February 2, 2026, at approximately 16:00 UTC, and quickly gained traction due to its clever placement within legitimate search results.

The attack strategy is particularly concerning because it targets users performing everyday searches. When victims searched for common terms such as “amazon,” they encountered malicious advertisements positioned prominently in Bing’s search results.

Clicking on these ads redirected them to highswit[.]space, a newly registered domain hosting an empty WordPress site.

This intermediate step served as a gateway, automatically forwarding users to Azure Blob Storage containers where the actual scam pages were hosted.

Each fraudulent link included an Azure Blob Storage container, a random string identifier, a fixed path “werrx01USAHTML/index.html,” and a phone number parameter instructing victims whom to call.

The scammers used multiple phone numbers, including 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957.

Tech support scam (Source – Netskope)

The scam pages mimicked legitimate Microsoft security warnings, displaying fake alerts about Trojan spyware infections and system vulnerabilities.

These pages created a sense of urgency, prompting victims to contact the provided phone numbers for technical support. Once contacted, scammers would attempt to gain remote access to victims’ computers or extract financial information under the guise of fixing non-existent problems.

Attack Infrastructure and Pattern Analysis

The threat actors demonstrated technical sophistication in their infrastructure setup.

Security researchers discovered dozens of Azure Blob Storage containers, all following similar naming conventions with randomized strings.

This approach allowed attackers to quickly deploy new scam pages when older ones were taken down.

The consistent URL structure across all containers suggests the operation was automated, enabling rapid scaling of the campaign.
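Because the URL structure is consistent, it can be hunted in web proxy or DNS logs. The following is an added example, not code from the original report or from Netskope: it flags records that match the traits described above (Azure Blob Storage host, the fixed path, a phone number in the query string, and the redirector domain as referrer). The storage account names, the random identifier, the `ph` parameter name and the toll-free number pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

BLOB_SUFFIX = ".blob.core.windows.net"    # Azure Blob Storage public endpoint suffix
FIXED_PATH = "werrx01usahtml/index.html"  # fixed path from the report, lowercased
REDIRECTOR = "highswit[.]space".replace("[.]", ".")  # kept defanged in source
# Assumption: the number is a query key or value in North American toll-free form.
PHONE_RE = re.compile(
    r"^\+?1?[-\s.]?\(?8(?:00|33|44|55|66|77|88)\)?[-\s.]?\d{3}[-\s.]?\d{4}$")

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def classify(url, referrer=""):
    """Return the campaign traits matched by one proxy-log record."""
    hits, parts, host = [], urlsplit(url), _host(url)
    if host == REDIRECTOR or host.endswith("." + REDIRECTOR):
        hits.append("redirector")
    if host.endswith(BLOB_SUFFIX):
        if parts.path.lower().endswith("/" + FIXED_PATH):
            hits.append("fixed_path")
        # keep_blank_values: a bare "?1-866-..." with no "=" is still inspected
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if PHONE_RE.match(value.strip()) or PHONE_RE.match(key.strip()):
                hits.append("phone_param")
                break
        if _host(referrer) == REDIRECTOR:
            hits.append("redirect_chain")
    return hits

def hunt(records):
    """Keep (url, hits) for every record that matches at least one trait."""
    return [(u, h) for u, r in records if (h := classify(u, r))]

# Constructed sample records (url, referrer); account names, the random
# identifier and the "ph" parameter name are placeholders, not observed values.
SAMPLE = [
    ("https://exampleacct01.blob.core.windows.net/x7k2q9/werrx01USAHTML/index.html"
     "?ph=1-866-520-2041", f"https://{REDIRECTOR}/"),
    (f"https://{REDIRECTOR}/", "https://www.bing.com/"),
    ("https://exampleacct02.blob.core.windows.net/docs/report.pdf", ""),
]

if __name__ == "__main__":
    for url, hits in hunt(SAMPLE):
        print(hits, url)
```

A phone-number match on its own is a weak signal on a Blob Storage host; the fixed path or the redirector referrer is what ties a record to this campaign.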

Microsoft has since been notified of all identified malicious containers, which no longer serve harmful content.

Users should remain vigilant by directly navigating to websites rather than clicking on search advertisements, especially when searching for well-known brands or services.
