Microsoft Warns of macOS Attack Using Fake Job Interviews and AppleScript Malware

Sapphire Sleet identified as the group behind the attack

Microsoft has revealed a highly targeted macOS attack campaign that used fake recruiter outreach and malicious interview lures to steal sensitive data from victims. The company says the operation, linked to threat actor Sapphire Sleet, relied more on social engineering than on software exploits, though Apple has since patched related security gaps.

According to Microsoft Threat Intelligence, the attackers approached targets through bogus recruiter profiles and invited them to supposed technical interviews. During that process, victims were persuaded to install a malicious AppleScript file named Zoom SDK Update.scpt, which looked harmless unless closely inspected.

Fake update flow used to steal credentials

Once executed through macOS Script Editor, the script downloaded additional malware payloads and moved the infection chain forward. Microsoft said the attackers also tracked progress using custom user-agent strings, which helped them monitor different stages of the campaign.

A key part of the attack involved launching a fake System Update app that used native macOS interface elements to appear legitimate. Victims were prompted to enter their password, which the malware validated locally before sending it out through the Telegram Bot API.

To avoid raising suspicion, the campaign also displayed a fake Software Update screen that suggested everything had installed successfully. Behind the scenes, the malware reportedly deployed several backdoors to maintain persistence on compromised systems.
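As an added defender-side illustration (not code from Microsoft's report or this article), the following Python correlates constructed macOS endpoint telemetry for the chain just described: a .scpt opened in Script Editor, a script process fetching a follow-on payload, and a non-browser process posting to the Telegram Bot API, with the custom User-Agent strings collected as a pivot. The JSON-lines log shape, host names, process names and addresses are assumptions for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a hypothetical JSON-lines shape (not real
# Defender/XDR output): process starts and outbound connections per host.
SAMPLE_LOG = """\
{"host":"mac-01","t":100,"type":"process","proc":"Script Editor","arg":"/Users/a/Downloads/Zoom SDK Update.scpt"}
{"host":"mac-01","t":105,"type":"net","proc":"osascript","url":"http://203.0.113.9/stage2","ua":"zoomsdk/1.0 stage=2"}
{"host":"mac-01","t":131,"type":"net","proc":"System Update","url":"https://api.telegram.org/bot[REDACTED]/sendMessage","ua":"zoomsdk/1.0 stage=3"}
{"host":"mac-02","t":200,"type":"process","proc":"Script Editor","arg":"/Users/b/Projects/backup.scpt"}
{"host":"mac-03","t":300,"type":"net","proc":"Safari","url":"https://api.telegram.org/bot[REDACTED]/getMe","ua":"Mozilla/5.0"}
"""

BROWSERS = {"Safari", "Google Chrome", "firefox"}          # expected Telegram web clients
TELEGRAM_BOT = re.compile(r"^https://api\.telegram\.org/bot", re.I)

def stage_of(ev):
    """Map one event to a stage of the described chain, or None if benign-looking."""
    proc, typ = ev["proc"], ev["type"]
    if typ == "process" and proc == "Script Editor" and ev.get("arg", "").lower().endswith(".scpt"):
        return "scpt_opened_in_script_editor"
    if typ == "net" and proc in ("osascript", "Script Editor"):
        return "script_fetches_payload"
    if typ == "net" and TELEGRAM_BOT.match(ev.get("url", "")) and proc not in BROWSERS:
        return "telegram_bot_api_from_non_browser"
    return None

def correlate(log_text, window=600):
    """Report hosts showing >=2 distinct stages within `window` seconds, with the
    User-Agents seen (the article notes attackers used custom ones to track stages)."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].append((ev["t"], stage, ev.get("ua")))
    findings = {}
    for host, evs in hits.items():
        evs.sort()
        stages = sorted({s for _, s, _ in evs})
        if len(stages) >= 2 and evs[-1][0] - evs[0][0] <= window:
            findings[host] = {"stages": stages,
                              "user_agents": sorted({ua for _, _, ua in evs if ua})}
    return findings

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

A single .scpt opened in Script Editor (mac-02) or a browser reaching api.telegram.org (mac-03) is not flagged on its own; only the multi-stage sequence on mac-01 surfaces.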

Attackers went after highly sensitive data

Microsoft says the malware could harvest a wide range of information from infected Macs. That included system and host details, installed applications, browser data, extensions, Telegram session information, Keychain contents, crypto wallets, SSH keys, shell history, Apple Notes, and system logs.

The campaign appears to have focused on high-value individuals who use macOS devices and may hold sensitive corporate or financial information. Users with access to cryptocurrency assets seem to have been especially attractive targets.

Apple and Microsoft roll out protections

In response, Apple strengthened macOS and Safari protections, while Microsoft updated Microsoft Defender detections and published additional guidance for defenders. The company also released XDR hunting queries to help security teams identify related activity in enterprise environments.

Microsoft has not disclosed the full scale of the campaign, and the total number of victims remains unclear. Still, the findings show how effective well-crafted social engineering can be, especially when attackers combine fake job offers with convincing system-themed malware on macOS.

In other cybersecurity developments, Microsoft recently said its Zero Day Quest event uncovered more than 80 major vulnerabilities. CISA also warned about an actively exploited privilege escalation flaw affecting Windows 11 and Windows Server 2025, while Microsoft’s latest Patch Tuesday updates fixed 167 vulnerabilities.

Via Neowin
