New Apple ID And Password Attack—Do Not Use This Sign-In


A new warning for Apple users who are suddenly “now prime targets” for a dangerous password attack that has already hit Windows. The lure may seem simple but it’s alarmingly effective and you will lose your Apple account password if you fall victim.

The new report comes courtesy of LayerX, which says the attack shifting from Windows to Mac “shows the trials and tribulations of combating online phishing, and how attacks morph and shift in response to adaptations by security tools.”


This is so-called scareware. These attacks fake a security alert or technical failure, which triggers credential phishing masquerading as technical support. In the new campaign targeting Macs, a faked screen freeze prompts users to enter their Apple ID and password. As I’ve reported before, Microsoft and Google are clamping down in Chrome and Edge, but LayerX warns “the attackers have shifted their focus to Mac users,” who remain vulnerable. I have reached out to Apple for comments on the report.

As LayerX explains, the Windows browser attacks “prompted users to enter their Windows username and password. Simultaneously, malicious code caused the webpage to freeze, creating the illusion that the entire computer was locked.” It appears that the attackers have registered a raft of domains to catch users mistyping URLs.

LayerX says the attackers included some devious touches in their campaign to avoid detection. “Phishing pages were hosted on Microsoft’s Windows.net platform,” which helped “make the messages appear legitimate, since they were security warnings (supposedly) by Microsoft, coming from a page on a windows[.]net domain.”

The attackers also rotated subdomains. “Even if a particular page was flagged for being malicious and placed in feeds of malicious pages, it was quickly taken down and replaced by another URL with a ‘clean’ reputation.” The security researchers also found anti-bot and CAPTCHA code within web pages, to trick “automated web crawlers [and] anti-phishing protections and delay the page’s classification as malicious.”


LayerX says that “following the introduction of the browser protections,” it saw “a drastic 90% drop in Windows-targeted attacks.” We can assume we’ll see something similar for Apple’s Safari users if it follows suit, albeit we await confirmation.

While this warning is for Apple users, Windows users are on notice as well. “Our prediction is that in the coming weeks or months, we will see a resurgent wave of attacks based on this infrastructure,” LayerX warns, “as it probes and tests for weak spots in Microsoft’s new defenses. This is just the latest reminder that preventing phishing and web attacks is a continuous, never-ending battle.”



Forbes
