MITRE ATT&CK® Technique

T1608.006: SEO Poisoning

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.[1][2]

To help facilitate Drive-by Compromise, adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as Drive-by Target) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).[3][1]

In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards Supply Chain Compromise lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity[4] which may be targeted and gamed by malicious actors.[5]

Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.[2][6]

SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.[3][7]

Domain: Enterprise. ID: T1608.006. Type: Sub-technique. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SEO Poisoning is a pre-compromise staging behavior: adversaries try to make malicious or deceptive content appear trustworthy and easy to find through search engines or in-site searches such as developer platforms. For leaders, the risk is not only “bad search results”; it is that employees may reach attacker-staged payloads through normal research, troubleshooting, software discovery, or trending-topic browsing before traditional perimeter controls see an obvious intrusion.

Executive priority

Prioritize this as an early-warning and exposure-management issue tied to initial access readiness. Security leaders should ask whether the organization can detect risky search-driven traffic, investigate employee visits to newly discovered or reputation-manipulated sites, and protect developers from deceptive search results that could lead toward supply chain compromise lures. Because ATT&CK lists this under Resource Development and PRE, the value is in prevention, monitoring, and rapid triage before a compromise path matures.

Technical view

This sub-technique sits under Stage Capabilities and supports lures toward Drive-by Compromise, Drive-by Target content, and potentially Supply Chain Compromise lures in developer ecosystems. With no official ATT&CK detection text provided, SOC and detection teams should validate coverage around search-referral traffic, redirects, cloaking indicators, suspicious downloads after search navigation, and developer-platform discovery paths. The DET0881 relationship indicates a detection strategy exists for SEO Poisoning, but local teams still need to map it to available telemetry and tune it against normal user research behavior.

Likely telemetry

  • Secure web gateway, proxy, DNS, and browser history showing search-engine referrals and subsequent redirects
  • HTTP request metadata such as user agent, language/localization settings, headers, and redirect chains where collected
  • Endpoint or EDR telemetry for files downloaded or executed after search-driven browsing
  • Web reputation, domain reputation, newly observed domain, and URL categorization signals
  • Developer workflow telemetry where available, such as access to repositories, packages, or in-site search results on developer platforms

Detection direction

  • Validate whether web and DNS telemetry preserves referrer, redirect, and destination context; SEO poisoning investigations often depend on the path from search result to staged content, not just the final domain.
  • Tune for clusters of users reaching unusual domains through similar search terms, trending topics, or business-relevant queries, while accounting for legitimate research and news browsing false positives.
  • Review controls for cloaking and evasive redirects, including cases where content changes based on user agent, language, headers, or other request characteristics mentioned in ATT&CK.
  • For developer populations, monitor for suspicious discovery and retrieval patterns from developer platforms because ATT&CK notes in-site search manipulation can be used as a supply chain lure.
  • Use the Mustard Tempest relationship as threat-intelligence context only; do not assume attribution from SEO-poisoning activity alone.
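An added example, not part of the ATT&CK object or of Glexia's text, that applies the detection direction above to constructed proxy log lines: it keeps the referrer-to-destination path intact, links each search-referred visit to the redirect chain and any download that follows for that user, and then clusters users who reached the same download host through the same query. The log layout, the search-engine list, the download content types and the .invalid host names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Search result pages and their query parameter (assumption; extend for your environment).
SEARCH_ENGINES = {"www.google.com": "q", "www.bing.com": "q", "duckduckgo.com": "q"}
DOWNLOAD_TYPES = ("application/octet-stream", "application/zip", "application/x-msdownload")

# Constructed proxy log: "time user status content-type url referrer" per line; .invalid hosts are placeholders.
LOG = """\
1000 alice 302 text/html http://blog-example.invalid/post?id=7 http://www.google.com/search?q=invoice+template+download
1001 alice 302 text/html http://redir-example.invalid/go http://blog-example.invalid/post?id=7
1002 alice 200 application/zip http://cdn-example.invalid/invoice_template.zip http://redir-example.invalid/go
1500 bob 302 text/html http://blog-example.invalid/post?id=7 http://www.bing.com/search?q=Invoice+Template+Download
1501 bob 200 application/zip http://cdn-example.invalid/invoice_template.zip http://blog-example.invalid/post?id=7
2000 carol 200 text/html http://news-example.invalid/story http://www.google.com/search?q=election+results
"""

def search_query(referrer):
    """Return (engine, normalised query) when the referrer is a search results page, else None."""
    u = urlparse(referrer)
    param = SEARCH_ENGINES.get(u.netloc)
    if param is None:
        return None
    return u.netloc, parse_qs(u.query).get(param, [""])[0].lower().strip()

def search_driven_downloads(log=LOG, window=60):
    """Follow each search-referred visit hop by hop (same user, within `window` seconds) and record paths ending in a download."""
    rows = [line.split(" ", 5) for line in log.splitlines() if line.strip()]
    findings = []
    for i, (ts, user, _status, _ctype, url, ref) in enumerate(rows):
        hit = search_query(ref)
        if hit is None:
            continue
        chain, start = [url], int(ts)
        for ts2, user2, _s2, ctype2, url2, ref2 in rows[i + 1:]:
            if user2 != user or int(ts2) - start > window:
                break
            if ref2 == chain[-1]:  # the next hop was referred by the previous hop
                chain.append(url2)
                if ctype2 in DOWNLOAD_TYPES:
                    findings.append({"user": user, "engine": hit[0], "query": hit[1], "chain": chain, "download": url2})
                    break
    return findings

def clustered_queries(findings, min_users=2):
    """Queries through which at least `min_users` distinct users reached the same download host (the cluster signal)."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f["query"], urlparse(f["download"]).netloc)].add(f["user"])
    return {key: sorted(users) for key, users in groups.items() if len(users) >= min_users}
```

Real proxy logs need the referrer field retained and the rows sorted by time per user; the cluster threshold and time window are the tuning knobs for the false positives the list above mentions.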

Mitigation priorities

  • Apply M1056 Pre-compromise measures: reduce exposed information that can make lures more convincing, monitor adversarial preparation, and increase friction before users reach staged capabilities.
  • Strengthen web access controls, URL filtering, reputation checks, and safe browsing protections for search-driven traffic without relying on any single reputation source.
  • Harden endpoint and browser defenses so that a search-driven visit or download has multiple opportunities for prevention and containment.
  • Provide targeted awareness for employees and developers who commonly search for software, fixes, templates, or business documents, emphasizing verification of sources before downloading or executing content.
  • Prepare IR playbooks to reconstruct search path, redirect chain, downloaded artifacts, and affected users when suspicious search-driven activity is found.

Analyst notes and limits

ATT&CK provides strong behavioral context but no official detection procedure for this object. The most defensible Glexia takeaway is to treat SEO Poisoning as a pre-compromise visibility and control-validation problem: can the organization see how users arrived at a suspicious site, what redirects occurred, and whether staged content led to download or execution?

This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert current exploitation, customer exposure, or guaranteed detection. Actual risk depends on local browsing patterns, developer workflows, web telemetry retention, endpoint controls, and the organization’s ability to correlate search navigation with subsequent activity.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise. ID: T1608. Name: Stage Capabilities. Relationship / procedure: this object is a sub-technique of Stage Capabilities.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: d2d7c1d5af6631aa...

Imported snapshots across ATT&CK releases (1)
Release 19.1; Object version 1.1; Status: Current bundle; Raw hash d2d7c1d5af66…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Atlas SEO: Atlas Cybersecurity. (2021, April 19). Threat Actors use Search-Engine-Optimization Tactics to Redirect Traffic and Install Malware. Retrieved September 30, 2022.
  [2] MalwareBytes SEO: Arntz, P. (2018, May 29). SEO poisoning: Is it worth it? Retrieved September 30, 2022.
  [3] ZScaler SEO: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved September 30, 2022.
  [4] Chexmarx-seo: Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming the Star Ranking Game. Retrieved June 18, 2024.
  [5] Checkmarx-oss-seo: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
  [6] DFIR Report Gootloader: The DFIR Report. (2022, May 9). SEO Poisoning – A Gootloader Story. Retrieved September 30, 2022.
  [7] Sophos Gootloader: Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
  [8] mitre-attack T1608.006.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.