It's not enough to verify that it's a legit Microsoft URL.
Trick #1: Fake Helpdesk page via Microsoft Learn
We found this ad while looking for Microsoft support live agents. The top (sponsored) result looks like it was bought by Microsoft itself with its official logo and URL.
Users who click on the ad are redirected to a legitimate Microsoft website (learn.microsoft.com) showing Microsoft’s “official” phone number. This page has the look and feel of a genuine knowledge base article especially since it appears to be posted by “Microsoft Support”:
image_545302.jpg (115.24 KiB) Viewed 4589 times
Clicking the 3 dots beside the ad reveals that it actually doesn’t belong to Microsoft at all, but instead was paid for by an advertiser from Vietnam. This does not mean this is the actual scammer, simply that this account may have been compromised and is being used to create malicious ads.
image_25e78d.jpg (25.12 KiB) Viewed 4589 times
As for the Microsoft page, it was created by a scammer via a fake Microsoft Support profile using Microsoft Learn collections.
Microsoft Learn Collections is a feature available to anyone with a Microsoft Learn profile. Collections allow you to create curated lists of Microsoft Learn content to share with your followers. A collection can include documentation articles, training modules, learning paths, videos, code samples, and more.
image_51ed97.jpg (51.49 KiB) Viewed 4589 times
The second (unrelated) ad campaign we saw is using a different tactic but also starts with a Google ad. When victims clicking on it, it will launch a search query page via microsoft.com/en-us/search/explore.
This clever trick works by passing the following parameters to the URL:
When the page finishes loading, it will display what looks like a contact number from Microsoft. In a way, this is a form of advertisement that totally abuses what the Microsoft search feature was intended for:
I'm sure that's been going on for a long time. I often wondered how people thought they were dealing with Microsoft Support. I used to get the aftermath of a lot of fake tech support victims.
However, yes, any service where you have users that post things under your domain could be used for scamming if accounts get compromised. Forum attachments even, for that matter, if we weren't paying attention.
