Google is being used to attack Microsoft passwords.SOPA Images/LightRocket via Getty ImagesThere are myriad ways to steal passwords. From sophisticated AI-driven attacks against Gmail users, to invisible hacking threats, and fake CAPTCHA tests. What you might not expect, however, is a hacker to deploy Google against Microsoft users in order to access account passwords. But when it comes to cybersecurity, you should always expect the unexpectedheres what you need to know.How Hackers Use Google To Target Microsoft PasswordsSecurity researchers at Malwarebytes seem to have the knack when it comes to uncovering devious hacking attacks that target account passwords using malicious advertising as the stepping stone to credential theft. I recently reported how a perpetual hack attack identified by Jrme Segura, senior director of research at Malwarebytes, saw hackers disguise themselves as fake Google Ads login pages to fool advertisers, who were then phished for their account credentials. Now, it seems a similar attack has been ongoing that targets Microsoft advertiser accounts by way of fake adverts turning up on Google search. These malicious ads, appearing on Google Search, Segura said, are designed to steal the login information of users trying to access Microsofts advertising platform.Its no secret that theres an ongoing business bun-fight between Google and Microsoft when it comes to the advertising ecosystem, and Microsoft purchases ad space from Google in order to earn clicks from those searches. What the Malwarebytes researchers discovered, however, was that sponsored results on Google for searches of Microsoft Ads returned ads containing malicious links that had slipped through Googles strict protections. We have reported these incidents to Google, Segura said, and I have reached out to both Google and Microsoft for a statement.How The Hackers Evade Detections To Ultimately Steal PasswordsSegura recounted how threat actors are using different techniques to evade detection and drop traffic from bots, security scanners and crawlers. Anyone using a VPN is directed to a white page that contains bogus marketing, while genuine users are redirected to a cloaking page that requires an "Are you human?" verification check. Finally, they get redirected to an entry page for a malicious domain impersonating the Microsoft ads platform login. The phishing page gives users a fake error message enticing them to reset their password, Segura warned, as well as attempting to bypass any two-factor authentication protections.Segura said that this could just be the tip of a very concerning iceberg, with accounts other than Google Ads and Microsoft Ads being targeted to steal passwords. These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising, Segura concluded, While tech companies like Google work to combat these issues, users must remain vigilant.MORE FOR YOUMitigating The Latest Attacks On Account PasswordsSegura recommend the following mitigation approaches:Always carefully examine the URL in your browsers address bar before entering any credentials.Use 2FA verification wisely, you still need to pay attention to requests before granting them access.Check your advertising accounts for any suspicious activity such as changes in administrator accounts.If you encounter a suspicious ad, report it for the benefit of other users.When I last reported on these types of attacks that use malvertising as a route to stealing your passwords, Google told me that it has a misrepresentation policy that doesnt allow advertisers to run advertisements that scam users, whether by concealing information about the advertisers business, product or service in question. Google has specialist teams in place to monitor infringements and told me, for background, that they are aware of these malicious ad campaigns and continue to take enforcement measures against them. Both malicious adverts and associated accounts are actively reviewed, and appropriate actions are taken as a consequence.