Netskope reports Bing ads redirecting users to Azure tech support pages
Netskope Threat Labs identified a surge of U.S. users clicking Bing ads that redirected to tech support pages hosted in Azure Binary Large Object (BLOB) Storage, affecting employees across multiple industries and prompting provider notification.
Research Overview
Netskope observed a concentrated set of clicks beginning Feb. 2 that involved users at 48 U.S. organizations across healthcare, manufacturing, and technology. Each session began with a click on a Bing search ad for a common query and led to a domain that redirected to Azure BLOB Storage content.
Key Findings
The activity involved visits from users at 48 distinct organizations in the U.S., with victims identified across several industry sectors. The initial vector was a search-result advertisement in Bing for simple queries such as the name of a major retailer.
Clicks on the ad first went to a recently registered domain that redirected to BLOB storage containers, which served pages formatted as tech support landing sites. All landing pages shared a consistent path structure and included a phone number for callers.
Technical Breakdown
Landing URLs followed a repeated pattern: a BLOB.core.windows.net host, a variable path segment, and a werrx01USAHTML/index.html resource, with a query parameter containing a call-in number. This uniform structure appeared in every instance Netskope reviewed over the two-day window.
Netskope extracted multiple BLOB storage domains and identified five phone numbers used on the pages: 1-866-520-2041, 1-833-445-4045, 1-855-369-0320, 1-866-520-2173, and 1-833-445-3957. The domains listed in the vendor report were recorded and tracked by the research team.
Netskope detection
Netskope classifies these pages under ET PHISHING Microsoft Support Phish Landing Page detection rules and flagged the associated URLs within customer telemetry. The classification was applied to identify accesses to the hosted landing pages.
Disclosures
All identified Azure BLOB Storage container domains were reported to Microsoft and were not serving the landing pages at the time of the vendor post. Netskope stated it will continue to monitor the campaign.
The incident shows that clicking search-result advertisements can route users to cloud-hosted tech support pages and that direct navigation avoids exposure to ad links; this “Blog Signals brief” is a fact-based summary of the vendor blog.