Poisoned Search: How Hackers Turn Google Results into Backdoors
If you searched “Download Microsoft Teams” in late September, you might have seen a very convincing ad at the top of your results. It looked legitimate—Microsoft logo, professional text, the works. But clicking that ad could have installed a remote access Trojan on your system.
That’s what researchers at Blackpoint Cyber’s Security Operations Center (SOC) discovered in their recent analysis of the Oyster malware campaign. Attackers bought Google ads that led unsuspecting users to a fake site, teams-install.top, which delivered a Trojanized Microsoft Teams installer. Once installed, the malware established persistence through scheduled tasks and DLL registration, quietly stealing credentials and files.
“It’s a really clever twist,” said LMG Security’s Matt Durrin on a Cyberside Chats Live. “If you’re a Microsoft 365 user, you’d just go to Microsoft’s site. But Google Workspace users? They search for ‘download Teams’—and that’s exactly who these attackers targeted.”
This incident highlights a growing threat trend: SEO poisoning and malvertising, where attackers manipulate search results and paid ads to deliver malware or phishing pages. This social engineering attack is increasing in popularity and scope—and it’s catching both end users and IT staff off guard.
The Rise of Search-Based Phishing
Attackers are moving beyond email because, quite simply, email defenses have improved. Filters are catching more spam, users are better trained, and companies are running phishing simulations. So, threat actors are going where users still click freely: search engines.
The 2025 Netskope Cloud Threat Report found that enterprise employees clicked phishing links at a rate of 8 per 1,000 users per month, up nearly 190% year-over-year—and that most of those clicks no longer come from email, but from search engines and ads.
“Hackers are actually using a different method to phish you,” LMG founder Sherri Davidoff explained. “They’re not just relying on emails anymore.”
Case Study: The Payroll Pirates
One of the most financially damaging examples of this trend is the Payroll Pirates campaign, uncovered by Silent Push in late 2024 and expanded on by Microsoft in 2025.
Operating under the codename Storm-2657, these attackers created fake HR and payroll portals for well-known companies like Macy’s, Kaiser Permanente, New York Life, and multiple U.S. universities. They purchased search ads for phrases like “Workday login” and “ADP employee portal,” tricking employees into entering credentials on cloned sites built with platforms like Wix and Leadpages.
Once the attackers had access to legitimate HR accounts, they:
- Changed direct-deposit settings to route paychecks into attacker-controlled bank accounts.
- Set up mailbox rules to delete notification emails.
- Added MFA devices under their own control to maintain access.
Microsoft found that the group compromised 11 accounts across three universities, which were then used to phish 6,000 additional users at 25 schools.
“It’s not just about stealing a paycheck,” said Sherri. “It’s about eroding employee confidence in the systems they rely on.”
Reinventing an Old Scam: Fake Tech Support Pages
A modern twist on the long-running “tech support” scam targets users searching for help with antivirus or account issues.
In 2025, Malwarebytes researchers discovered a wave of attacks where scammers hijacked searches for support pages belonging to major brands—Microsoft, Netflix, Bank of America, and PayPal among them. The key innovation was search parameter injection, a technique that abuses a legitimate site’s habit of echoing a URL query parameter back into the rendered page, so attacker-chosen text shows up inside a page that really is served by the brand.
Here’s how it works: when a user searches “Netflix customer service,” the attacker’s sponsored ad leads to a legitimate netflix.com page—but with a malicious search parameter appended to the URL (for example, ?support=1-800-555-0101). The site’s own search feature reflects that value into its search bar or header, so the phone number appears as part of the page. To the average user, it looks like an official Netflix help page—complete with logo, HTTPS padlock, and all. Checking the domain and the certificate does not help here, because both are genuine; what is attacker-controlled is only the query string.
Victims end up calling the fraudulent phone number embedded in the URL, reaching a scammer instead of real customer support. These scammers convince victims to pay “service fees,” download remote-access tools, or provide login credentials—often leading to both financial loss and data exposure.
“It’s the real website,” Matt explained on the podcast, “but something’s different—and it’s not readily apparent what that is.”
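The following is an added example, not code from the LMG Security article or from the Malwarebytes research it cites. It models in a few lines why the scam works and what a proxy or URL-filter rule can still catch: a toy support-search page that reflects a `support` query parameter into its heading (the hostname, parameter name and phone number are all hypothetical), and a check that flags URLs on allowlisted hosts whose query values look like a phone number, which is exactly the case an ordinary domain allowlist waves through.

```python
"""Added example (not from the article): reflected-parameter support-scam
model plus a URL check that looks past the trusted hostname.

Assumptions: the site's search page echoes the 'support' parameter back into
its heading; host names and the phone number are made up."""
import html
import re
from typing import Optional, Set
from urllib.parse import urlsplit, parse_qsl

# North American phone-number shapes as they appear in these scam ads
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def render_support_page(url: str) -> str:
    """Toy model of a legitimate site's support-search page.

    The page escapes the value (so this is not XSS), but the text still renders
    inside the real site's own heading, under the real domain and certificate.
    """
    query = dict(parse_qsl(urlsplit(url).query))
    term = query.get("support", "")
    return f"<h1>Help results for: {html.escape(term)}</h1>"


def host_is_trusted(url: str, trusted_hosts: Set[str]) -> bool:
    """The check a plain domain allowlist performs; it passes the scam URL."""
    return (urlsplit(url).hostname or "") in trusted_hosts


def flag_reflected_phone(url: str, trusted_hosts: Set[str]) -> Optional[dict]:
    """Flag a URL whose query values carry a phone number.

    Returns a finding dict, or None when no query value looks like a phone
    number. 'on_trusted_host' tells the analyst the domain allowlist alone
    would have let this click through.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    for name, value in parse_qsl(parts.query):
        match = PHONE_RE.search(value)
        if match:
            return {
                "host": host,
                "on_trusted_host": host in trusted_hosts,
                "param": name,
                "phone": match.group(0),
            }
    return None


if __name__ == "__main__":
    TRUSTED = {"support.example.com"}  # hypothetical vendor support host
    scam = "https://support.example.com/search?support=Call+1-800-555-0101+Support"
    print(render_support_page(scam))
    print("domain allowlist passes it:", host_is_trusted(scam, TRUSTED))
    print("parameter check flags it:", flag_reflected_phone(scam, TRUSTED))
```

In a real deployment the second check runs on the proxy or in the ad-click telemetry, not in the browser; tune the regex to the number formats of your region, and treat a match on an allowlisted host as the high-priority case, since those are the clicks nothing else in the stack will stop.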
AI Is Making Poisoned Results More Effective
If these ads and fake pages seem unusually polished, that’s because they are. Attackers are now using artificial intelligence to generate copy, branding, and layouts that closely mirror legitimate organizations.
A 2025 CrowdStrike study found that AI-generated phishing content achieved a 54% click rate, compared to just 12% for human-written messages. The same tools can churn out believable ad headlines, fake installer text, and “official” portal language—complete with grammar and tone that match the brand they’re impersonating.
As Sherri noted, “AI has come out, it’s now been integrated with search, and so we don’t rely on search results as much. People are clicking less. But in fact, that doesn’t make us safer.”
Indeed, Bain & Company reports that about 60% of Google searches now end without a click, so the few results users do click—typically the top ad—carry outsized risk. As AI-driven search platforms evolve, attackers are already optimizing to appear in those high-visibility slots.
How to Defend Against the Poisoned Web
Phishing isn’t just an email problem anymore—it’s a behavioral problem. Today’s attackers exploit habits, not ignorance. Here’s how organizations can reduce their exposure to poisoned search results and malvertising.
Key Takeaways
- Block and filter ad content at the enterprise level. Use enterprise web proxies, browser controls, and DNS filtering to block sponsored results and malicious domains tied to critical business tools or portals.
- Establish and enforce trusted download paths. Require that all software come from signed, verified, or internal repositories — not search results. Enforce application whitelisting so only verified executables can run — this blocks malicious installers even if a user downloads them.
- Incorporate poisoned-search scenarios into training and awareness materials. Teach staff to type trusted URLs, use bookmarks, or access internal portals directly rather than searching. Our team provides curated KnowBe4 implementations to help organizations ensure they are prioritizing the most pressing cybersecurity awareness training issues.
- Assess search behavior across your organization. Track how users find tools and portals — are they typing URLs, using bookmarks, or searching externally? Use this data to identify high-risk departments or roles and tailor awareness training campaigns accordingly. Over time, shift culture toward safer, more deliberate browsing habits.
- Expand monitoring and detection. Hunt for persistence artifacts linked to poisoned-download infections, such as newly registered scheduled tasks, DLL registrations, or rundll32.exe launched from a scheduled task against a DLL in a user-writable directory (AppData, Temp, Downloads). Flag software installs originating from search-referral URLs in your EDR and SIEM; on Windows, the Mark-of-the-Web (Zone.Identifier) stream on a downloaded file records the ReferrerUrl and HostUrl the browser saw, so an installer whose HostUrl is not the vendor’s domain can be surfaced without waiting for the malware to run.
- Conduct tabletop exercises that include search poisoning. Simulate incidents where employees download fake software or fall for poisoned ads. This tabletop exercise enables you to practice tracing attacks back to SEO poisoning, identifying other potential victims, and developing plans to block future attacks through technical and policy controls.
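The block below is an added example, not from the LMG Security article or any vendor tool, that runs two of the hunts listed above over constructed telemetry: scheduled-task registrations whose action is rundll32.exe pointed at a DLL in a user-writable path (the persistence pattern the article attributes to the Oyster installer), and downloaded files whose Mark-of-the-Web HostUrl is outside the vendor’s domains. The event field names imitate Sysmon/EDR JSON export but are assumed, and every host name, path and URL in the sample is made up.

```python
"""Added example (not from the article): two poisoned-download hunts over
constructed JSON-lines telemetry.

Assumptions: event field names are a made-up EDR export; the vendor
allowlist and all hosts, paths and URLs below are hypothetical."""
import json
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# User-writable locations a legitimate service DLL should never live in
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)
TEMP_OR_PUBLIC = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)

# Hypothetical allowlist of hosts a real installer may come from
VENDOR_HOSTS: Set[str] = {"downloads.vendor.example"}

# Constructed sample events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"event": "scheduled_task_created", "host": "WS01", "task": "\\Microsoft\\Windows\\UpdateCheck", "action": "C:\\Windows\\System32\\rundll32.exe", "args": "C:\\Users\\jdoe\\AppData\\Roaming\\TeamsSetup\\update.dll,Run"}
{"event": "scheduled_task_created", "host": "WS02", "task": "\\Corp\\Inventory", "action": "C:\\Program Files\\Inventory\\agent.exe", "args": "--scan"}
{"event": "file_downloaded", "host": "WS01", "path": "C:\\Users\\jdoe\\Downloads\\MSTeamsSetup.exe", "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://www.google.com/\r\nHostUrl=https://teams-install.example/MSTeamsSetup.exe\r\n"}
{"event": "file_downloaded", "host": "WS03", "path": "C:\\Users\\asmith\\Downloads\\MSTeamsSetup.exe", "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.vendor.example/MSTeamsSetup.exe\r\n"}
"""


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Zone.Identifier alternate data stream."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_rundll32_from_user_path(action: str, args: str) -> bool:
    """True when a task runs rundll32.exe against a DLL in a user-writable dir."""
    if not action.lower().endswith("rundll32.exe"):
        return False
    # rundll32 syntax is "<dll>,<export>"; take the DLL path
    dll = args.split(",", 1)[0].strip().strip('"')
    return bool(USER_WRITABLE.match(dll) or TEMP_OR_PUBLIC.search(dll))


def origin_is_vendor(url: str, vendor_hosts: Set[str]) -> bool:
    host = urlsplit(url).hostname or ""
    return any(host == v or host.endswith("." + v) for v in vendor_hosts)


def hunt(events_jsonl: str, vendor_hosts: Set[str]) -> List[dict]:
    """Return findings for the two hunts; order follows the event stream."""
    findings: List[dict] = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "scheduled_task_created":
            if is_rundll32_from_user_path(ev["action"], ev["args"]):
                findings.append({"host": ev["host"], "rule": "rundll32_task_user_path",
                                 "detail": ev["task"]})
        elif ev["event"] == "file_downloaded":
            motw = parse_zone_identifier(ev["zone_identifier"])
            src = motw.get("HostUrl", "")
            # ZoneId 3 = Internet zone; anything else was not a web download
            if motw.get("ZoneId") == "3" and src and not origin_is_vendor(src, vendor_hosts):
                findings.append({"host": ev["host"], "rule": "installer_from_unexpected_origin",
                                 "detail": urlsplit(src).hostname,
                                 "referrer": motw.get("ReferrerUrl", "")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, VENDOR_HOSTS):
        print(f)
```

The second rule pairs well with the first: a ReferrerUrl on a search engine plus a HostUrl off the vendor’s domain is the signature of a poisoned ad click, and it fires at download time, before any scheduled task exists. Expect to extend the allowlist with the vendor’s CDN hosts, which is why the check accepts subdomains of each listed host.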
Final Thoughts
Attackers no longer need to send a phishing email to get you to click—they just need you to search.
“It doesn’t matter if it’s an email, a banner ad, or a search result,” said Matt Durrin. “If you’re trying to reach Microsoft, make sure the website you go to is actually Microsoft.”
The poisoned web thrives on speed and routine. By building awareness, tightening technical controls, and testing your defenses, you can dramatically reduce the risk of becoming the next victim of a poisoned search.
Protect Your Organization
Your employees can’t stop searching—but they can learn to search safely.
LMG Security offers custom phishing and social engineering testing and training, tabletop exercises, and penetration testing that help teams recognize poisoned results and respond effectively before damage occurs.
Let’s connect and discuss how your organization can detect, prevent, and respond to modern phishing threats.