Bing Ads Abused to Deliver Azure-Hosted Tech Support Scams

A recently identified scam campaign is using Bing search advertisements and Microsoft Azure infrastructure to redirect users to fraudulent tech support pages, demonstrating how legitimate platforms can be misused for social engineering activity. 

“The tech support scam campaign had a significant initial impact, affecting users across 48 different organizations in the U.S. within a short timeframe,” said Netskope researchers.

Inside the Tech Support Scam Campaign

The campaign has impacted users across at least 48 organizations in the United States, affecting industries such as healthcare, manufacturing, and technology. 

Activity was first observed on Feb. 2, 2026 and escalated rapidly due to the attackers’ ability to blend malicious content into legitimate-looking Bing search results.

How the Attack Chain Works

The attack chain began with routine user searches for well-known brand names, including terms such as “Amazon.”

In these cases, users were presented with malicious Bing advertisements positioned prominently at the top of the search results page, increasing the likelihood of engagement. 

Clicking on one of these ads redirected users to a newly registered domain, highswit[.]space, which hosted an otherwise empty WordPress site.

Although the intermediary site appeared harmless, it played a critical role in the attack by acting as a redirector. 

Visitors were automatically forwarded to scam pages hosted on Microsoft Azure Blob Storage, allowing the threat actors to leverage trusted cloud infrastructure while obscuring the final destination of the traffic.

Scam Infrastructure and URL Patterns

Netskope analysts noted that every malicious URL followed a highly consistent structure, pointing to a standardized deployment process. 

Each link contained an Azure Blob Storage container name composed of a randomized string, a fixed directory path (werrx01USAHTML/index.html), and a phone number parameter instructing victims to call for technical support. 

Multiple phone numbers were observed throughout the campaign, including 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957, indicating an effort to rotate contact points while maintaining the same backend infrastructure.

Social Engineering Tactics Used

The scam pages themselves were designed to closely mimic legitimate Microsoft security warnings. 

Victims were shown alarming alerts claiming their systems were infected with Trojan spyware or suffering from critical security vulnerabilities. 

These messages were intentionally crafted to create urgency and fear, pressuring users to call immediately to avoid data loss or system compromise — a well-established tactic in tech support fraud.

Automation and Campaign Scalability

From an infrastructure perspective, the campaign reflects a high degree of operational maturity. 

Researchers identified dozens of Azure Blob Storage containers, all using similar naming conventions combined with randomized identifiers. 

This approach enables attackers to rapidly deploy replacement scam pages as older containers are removed, reducing downtime and prolonging the campaign’s effectiveness.

The consistent URL structure indicates automation, enabling the campaign to scale across multiple victims and organizations.

Managing Risk from Search-Based Scams

Tech support scams like this one highlight how attackers can successfully exploit everyday user behavior and trusted platforms without relying on traditional malware or exploits. 

Because these campaigns often blend into normal web activity, reducing risk requires a combination of user awareness, technical controls, and operational readiness.

• Educate users to avoid clicking on search advertisements for well-known brands and instead navigate directly using bookmarks or manually entered URLs.
• Monitor web traffic for suspicious redirect chains involving newly registered domains, cloud storage services, or advertising networks.
• Implement DNS filtering, secure web gateways, and domain age–based blocking to reduce exposure to short-lived scam infrastructure.
• Apply browser security controls or isolation to limit interaction with malicious scripts, fake security alerts, and deceptive web content.
• Restrict and monitor the use of remote access tools through application controls and endpoint detection to prevent scam-driven system takeover.
• Use cloud security and CASB tools to inspect and control access to cloud-hosted content, especially HTML pages served from storage platforms.
• Regularly test incident response plans to ensure teams can quickly identify, contain, and recover from tech support scam–related incidents.

Together, these controls help close gaps created by ad-driven and cloud-hosted scam infrastructure. 

When Legitimate Services Enable Scams

This campaign illustrates how advertising platforms and cloud services can be misused to support scam activity that may bypass initial user judgment and some security controls. 

As search-based and cloud-hosted threats continue to evolve, organizations should account for these techniques as an ongoing risk rather than isolated events.

As threats increasingly abuse trusted services, many organizations are adopting zero-trust solutions to reduce implicit trust and better control access across users, devices, and applications.