A new report from LayerX Labs identifies a new phishing campaign targeting Mac users. This sophisticated phishing campaign initially focused on Windows users, impersonating Microsoft security alerts to steal credentials. However, after Microsoft, Firefox, and Chrome rolled out new security measures, the campaign has shifted to Mac users as the primary target. 

Below, security leaders discuss the campaign and offer insights for mitigating associated risks. 

Security leaders weigh in 

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck:

In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack. The ruse they use is a fairly old one and quite common. 

If you ever get an unknown random pop up saying your computer is compromised, it should be treated as suspicious and ignored. Anti-virus services will never ask you to enter a username and password to remove a threat.

Stephen Kowski, Field CTO at SlashNext Email Security+:

The threat landscape will continue to intensify significantly with faster, more sophisticated attacks leveraging both new and reinvented techniques. Attackers will continue exploiting trusted platforms and using GenAI to create more convincing phishing campaigns at unprecedented scale. The combination of speed, creativity and automation will make these threats particularly challenging.

The surge in browser-based phishing attacks highlights the critical need for advanced, AI-driven security solutions that can detect and block sophisticated threats in real-time. Organizations are making risky trade-offs by relying on basic security tools and default email protection instead of investing in comprehensive security solutions. Many companies mistakenly believe their existing email security is sufficient until they experience a significant breach. 

Security partners have an immense opportunity to deliver innovative solutions that address modern phishing tactics, however, they must evolve beyond traditional approaches. A multi-layered approach with real-time link analysis and AI-powered detection is essential in today’s threat environment. By adopting a proactive approach to browser security, organizations can significantly reduce their vulnerability to these evolving phishing tactics and better safeguard their sensitive data.

Darren Guccione, CEO and Co-Founder at Keeper Security:

Phishing attacks are evolving, and despite the fact that Macs are traditionally less susceptible to viruses, Mac users are no exception to many modern threats. Cybercriminals are opportunistic; when one attack vector gets blocked, they pivot to the next. This campaign demonstrates how quickly attackers adapt, leveraging trusted infrastructure and sophisticated deception to bypass traditional security measures.

Individual users and businesses cannot rely on built-in protections alone. Users should be equipped with tools that prevent credential theft, such as password managers and multi-factor authentication (MFA), but just as importantly, they need continuous security awareness training and education. Attackers are refining their tactics, using high-quality designs and domain reputation tricks to appear legitimate. The best defense is knowing how to spot and respond to phishing attempts, which includes keeping an eye out for urgent language, avoiding clicking on suspicious links and pop-ups, and visiting trusted websites directly.

Organizations must take a proactive stance, keeping systems updated, enabling strong authentication methods and promoting a culture of cybersecurity vigilance. In the event of a breach, Privileged Access Management (PAM) helps secure high-value accounts by enforcing strong access controls, automated credential rotation and encryption. Combined with MFA and strong password policies, these layered defenses can limit an attacker’s reach even if credentials are compromised. Phishing will continue to evolve, but with the right measures in place, businesses can stay ahead of the threat.