A Mac user's favorite excuse for not using a Windows laptop is always that Macs are more secure. While that's what we like to call denial, it often leads Mac users to let their guard down. Unfortunately, their extreme trust in Apple might backfire, as a phishing attack that once primarily targeted Windows users has now shifted its focus to Mac users.

No, your Mac hasn’t been infected with spyware

According to security researchers at LayerX Labs, a phishing attack is tricking Mac users into thinking their devices have been locked due to unusual activity. Unlike most malware attacks, this one takes things a step further by using malicious code to freeze the webpage a user is browsing.

Of course, that's usually enough to make users believe the security alert might be real. The pop-up then prompts them to enter their Mac username and password, claiming their device has been infected with a Trojan-type spyware. Strangely enough, the warning doesn’t even resemble a typical Apple pop-up and completely ignores Apple’s usual macOS styling.

LayerX Labs notes that Mac users fall victim to this attack when they mistype a URL in their browser’s address bar, leading them to a “compromised domain parking page.” That page then redirects them through multiple sites before landing on the phishing page.

As mentioned earlier, this phishing attack originally targeted Windows users. LayerX had been monitoring it for months, as it tricked Windows users with fake Microsoft security alerts claiming their laptops had been “compromised” and “locked.” It worked similarly to the Mac version, aiming to steal users' Windows credentials. The report also highlights that this campaign was particularly difficult to stop since the phishing pages were hosted directly on Microsoft’s Windows.net platform, which made the warnings appear more legitimate.

Microsoft caught wind of this in February 2025 and introduced an “anti-scareware” feature in Edge. Chrome and Firefox followed suit, leading to a 90% drop in Windows-targeted attacks. Since Safari lacks a similar feature, Mac users became the new primary target.

Apple hasn’t commented on the attack yet, but the company is usually quick to release security updates for such threats. Until then, if you’re a Mac user (whether you use Safari or not), it’s crucial to stay vigilant. Apple rarely asks for your Mac credentials, and when it does, you should be able to tell it's a genuine Apple prompt.