Malicious Bing Ads Redirect US Users to Fake Azure Tech Support Pages

A new wave of tech support scams is exploiting paid Bing search ads to target U.S. users, redirecting them to counterfeit Microsoft Azure support pages hosted on cloud storage. This sophisticated campaign, uncovered by researchers at Netskope Threat Labs, began on February 2 and quickly affected users across 48 organizations spanning healthcare, manufacturing, and technology sectors. Unlike typical phishing campaigns delivered via email or social media, this operation leveraged legitimate advertising channels to increase visibility and trust, making it particularly dangerous.

The scam begins when users search for common terms, such as “Amazon,” on Bing. Instead of visiting the legitimate site directly, victims click a malicious ad placed at the top of the search results. This ad first redirects users to a newly registered WordPress domain, which then forwards them to pages hosted in Microsoft Azure Blob Storage containers. These final scam pages mimic official tech support messages, warning of fake security issues and urging users to call fraudulent “Azure Support” numbers, aiming to extract payment information or gain remote access to devices.

The Azure-hosted scam infrastructure demonstrated a high degree of automation and standardization. Attackers generated multiple storage containers with random names, using fixed paths like werrx01USAHTML/index.html and query parameters containing the victim’s phone number. Embedded scam phone numbers included: 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957. Researchers noted that the attackers could rapidly deploy new containers if existing ones were taken down, showcasing a scalable, automated approach.

Although abusing cloud platforms for phishing is not new—previous campaigns have leveraged DigitalOcean or StackPath—the integration of paid Bing ads significantly amplified the campaign’s reach. Netskope classified these pages as “ET PHISHING Microsoft Support Phish Landing Page,” and all identified Azure Blob Storage domains were reported to Microsoft and removed at the time of reporting.

Organizations are advised to take precautionary measures, such as training employees to avoid clicking sponsored search results for well-known brands, encouraging direct URL navigation, monitoring DNS and web traffic for suspicious blob.core.windows.net activity, and blocking known scam phone numbers. This campaign highlights how attackers continue to weaponize legitimate cloud services and advertising platforms, blending old tech support scams with modern, high-scale tactics.

What Undercode Say:

This campaign represents a concerning evolution in tech support scams. By combining paid advertising with legitimate cloud infrastructure, attackers bypass many traditional phishing defenses, including email filters and web reputation tools. Unlike standard scams, these ads exploit the user’s trust in search engine results, making even cautious users susceptible.

The use of Azure Blob Storage demonstrates an effective abuse of cloud legitimacy. Because Azure is widely trusted and normally used for legitimate content delivery, security systems often allow traffic from its domains by default. This gives scammers an edge, as the pages are less likely to be flagged as suspicious until user complaints accumulate.

Another significant factor is automation. The standardized container naming and rapid redeployment indicate the use of scripted infrastructure-as-code tools, allowing attackers to respond quickly when takedowns occur. This points to a shift from low-effort, manual scams to highly orchestrated operations that can scale to dozens or hundreds of victims.

Additionally, targeting paid search ads highlights a broader trend: cybercriminals are increasingly willing to pay upfront to exploit legitimate channels if it results in higher trust and conversion rates. This raises concerns about the security of ad networks and the need for stricter vetting processes for advertisers, particularly on major search engines.

From a user perspective, the lesson is clear: typing URLs directly into a browser remains safer than clicking on search ads, even if they appear at the top of results. Organizations must incorporate this behavior into security training and policy enforcement.

Moreover, monitoring patterns in cloud traffic and query strings can serve as an early warning system. For instance, repeated requests to random Azure Blob containers with suspicious paths or embedded phone numbers could indicate an ongoing campaign. Cybersecurity teams should integrate these indicators into automated threat detection systems.

This case also underlines the importance of collaboration between cloud providers and threat intelligence teams. Swift reporting to Microsoft ensured the removal of malicious content, limiting the campaign’s impact. Continued cooperation and real-time monitoring are essential to counter these increasingly sophisticated attacks.

Finally, this campaign reflects the convergence of traditional social engineering and modern infrastructure abuse. It’s no longer enough to secure endpoints or block phishing emails; organizations must now consider the integrity of the digital advertising ecosystem and cloud hosting environments as potential attack surfaces.

Fact Checker Results:

✅ Campaign started on February 2, 2026, targeting U.S. organizations across multiple industries.
✅ Scam used Bing ads to redirect users to fake Azure support pages hosted in cloud storage.
❌ No evidence of impact outside the U.S.; victims were exclusively American organizations.

Prediction:

📈 The use of legitimate advertising channels for scams will likely increase, as attackers see higher success rates and lower detection.
📞 Cloud-hosted tech support scams may expand globally, targeting additional major cloud providers beyond Azure.
⚠️ Organizations ignoring user training and direct URL policies may face increased fraud attempts and potential data breaches.

If you want, I can also create a visual flow diagram showing the attack chain from Bing search to Azure scam page to make this article even more engaging. Do you want me to do that?