Attackers are manipulating Bing’s organic search results to place phishing pages above the brands they impersonate. It is happening across every industry, and most brand protection programs are not looking for it.
In late 2024, Malwarebytes researchers searched Bing for “Keybank login” and found a phishing page ranked above KeyBank’s actual website. The fraudulent domain had been registered two weeks earlier. It was not a paid ad. It was an organic search result that the algorithm surfaced as more relevant than the real bank’s login page. Users who clicked it entered their credentials on a convincing replica that forwarded the stolen information to attackers in real time, bypassing two-factor authentication by relaying the session live.
This was not an outlier. In March 2026, Malwarebytes documented a separate campaign where Bing’s AI-powered search results directed users searching for OpenClaw, an open-source AI tool, to malicious GitHub repositories distributing infostealer malware. The same month, Microsoft’s own security team published research on a threat group using SEO poisoning against the platform to distribute fake VPN clients. A comprehensive analysis in April 2026 mapped at least four distinct threat actor groups systematically exploiting its search rankings to deliver malware and phishing at scale.
What connects them is not the payload but the delivery mechanism: the search engine that hundreds of millions of people trust to show them the right page is showing them the wrong one.
Why Bing is a bigger target than its market share suggests
Bing holds roughly 4% of the global search market. That sounds marginal until you consider where that 4% lives. It is the default search engine on every fresh Windows installation, embedded in Microsoft Edge, Cortana, and the Windows 11 taskbar search box. When an employee at a corporate workstation types a brand name or “VPN download” into the taskbar, the query goes to Bing unless the organization has changed it.
For attackers targeting enterprise users on corporate devices, that makes it the primary search surface for a significant share of the workforce, particularly in organizations running Microsoft environments with default settings. The “Bing’s Blind Spot” analysis noted that Chinese-speaking markets, where Bing’s usage is significantly higher, have seen particularly concentrated attack activity.
The brand impersonation campaigns documented across Bing span every sector. Banking customers search for login pages and find credential harvesting sites. Enterprise users search for software downloads and find trojanized installers. Consumers search for customer support and find tech support scams that lock their browsers. In February 2026, a tech support scam campaign using Bing search results and Microsoft Azure hosting impacted users across 48 U.S. organizations in healthcare, manufacturing, and technology within a matter of weeks.
How SEO poisoning differs from search ad fraud
Search ad fraud on Bing is a related but different problem: attackers purchase ads that appear above the organic results and send traffic to phishing pages. SEO poisoning exploits a different mechanism entirely.
With ad fraud, the attacker pays for visibility, and the ad platform has an abuse reporting channel where the ad can be flagged and removed.
With SEO poisoning, the attacker manipulates the organic ranking algorithm itself. The techniques include registering keyword-stuffed domains, compromising high-authority websites and injecting lure pages, building backlink networks to inflate domain reputation, and creating content that crawlers index as relevant. The fraudulent page appears alongside, or above, the legitimate brand’s own website in the unpaid results.
The response pathways are different, and that matters. A fraudulent ad can be reported to one platform. A fraudulent organic result may involve domain registrars, hosting providers, and content platforms rather than a single abuse channel. The process is slower, the escalation paths are less direct, and the fraudulent page may remain indexed and visible for longer.
Why most brand protection programs miss Bing search results
Most brand protection programs monitor for fraudulent domains, social media impersonation, and app store abuse. Few systematically monitor what appears when someone searches for their brand name on Bing.
The reason this matters is that the victim’s experience is fundamentally different from an email-based attack. If you receive a phishing email, you might recognize it as unsolicited and pause. If you type your bank’s name into a search engine and click the first result, you have no reason to be suspicious. You initiated the interaction, found what you were looking for, and landed on a page that appeared exactly where you expected it.
Covering this surface means monitoring search results for brand-related queries across major engines, not just monitoring domain registrations. The fraudulent domain may have been registered months ago and repurposed, or it may be a compromised legitimate site with injected content. What matters is not whether a suspicious domain exists but whether it appears where your customers or employees will find it.
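The following is an added example, not code from the original article or from any vendor it mentions. It shows the kind of triage a brand-search monitor would run over the organic results for a brand-name query, using the three indicators the article describes: a lookalike or keyword-stuffed domain, a brand lure page on an unrelated (possibly compromised) host, and any unrecognized result that outranks the brand’s own site. The search result records are constructed for illustration; the hostnames ending in `.example` are made up, and the KeyBank allowlist and brand tokens are assumptions for the demo rather than an authoritative list. Fetching live results from a search engine is out of scope here.

```python
"""Added example (not from the original article): triage organic search
results for a brand-name query and flag entries an analyst should review.

All Result records below are constructed. Hostnames under .example are
fictitious; the allowlist for KeyBank is an assumption for the demo.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Result:
    rank: int    # 1-based position in the organic results
    title: str
    url: str


@dataclass
class Finding:
    rank: int
    url: str
    reason: str


# Words that usually accompany a credential-harvesting or trojanized-download lure.
LURE_WORDS = ("login", "signin", "sign-in", "verify", "download", "support")


def registrable_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' dropped.
    Assumption: no public-suffix handling; real monitoring should use a
    public-suffix list so 'login.keybank.com' and 'keybank.com' compare cleanly."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_legitimate(host: str, allowlist: set[str]) -> bool:
    """True when host is an allowlisted domain or a subdomain of one.
    The '.' prefix matters: 'notkey.com' must not match 'key.com'."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def has_any(text: str, words: tuple[str, ...]) -> bool:
    t = text.lower()
    return any(w in t for w in words)


def triage(results: list[Result], allowlist: set[str], brand_tokens: tuple[str, ...]) -> list[Finding]:
    """Return findings for non-allowlisted results that look like brand abuse.

    Indicators:
      1. lookalike domain: a brand token inside the hostname itself
         (keyword-stuffed or typosquatted registration);
      2. injected page: brand token plus a lure word in the URL path of an
         unrelated host (a lure page planted on a compromised site);
      3. outranking: any non-allowlisted result ranked above the first
         legitimate result, whatever it looks like.
    A plain news article about the brand on an unrelated host triggers none
    of these and is left alone.
    """
    legit_ranks = [r.rank for r in results if is_legitimate(registrable_host(r.url), allowlist)]
    first_legit = min(legit_ranks) if legit_ranks else None
    findings: list[Finding] = []
    for r in sorted(results, key=lambda x: x.rank):
        host = registrable_host(r.url)
        if is_legitimate(host, allowlist):
            continue
        path = urlparse(r.url).path
        reasons = []
        if has_any(host, brand_tokens):
            reasons.append("lookalike domain")
        elif has_any(path, brand_tokens) and has_any(path, LURE_WORDS):
            reasons.append("brand lure page on unrelated host (possible injected page)")
        if first_legit is None or r.rank < first_legit:
            reasons.append("outranks legitimate site")
        if reasons:
            findings.append(Finding(r.rank, r.url, "; ".join(reasons)))
    return findings


# --- constructed sample for the query "keybank login" ---------------------
KEYBANK_ALLOWLIST = {"key.com", "keybank.com"}        # assumption for the demo
KEYBANK_TOKENS = ("keybank", "key bank")

SAMPLE_RESULTS = [
    Result(1, "KeyBank Login - Secure Online Banking", "https://keybank-login-secure.example/signin"),
    Result(2, "Sign In | KeyBank", "https://www.key.com/personal/index.html"),
    Result(3, "KeyBank Online Banking Login", "https://blog.unrelated-site.example/wp-content/keybank-login/"),
    Result(4, "KeyBank reports quarterly earnings", "https://news.example/business/keybank-earnings"),
]


def run_sample() -> list[Finding]:
    return triage(SAMPLE_RESULTS, KEYBANK_ALLOWLIST, KEYBANK_TOKENS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"rank {f.rank}: {f.url} -> {f.reason}")
```

On the constructed sample, rank 1 is flagged as a lookalike domain that outranks the real site, rank 3 as a lure page on an unrelated host, and the news item at rank 4 produces no finding. The subdomain check is deliberately strict about the dot boundary so that a registration like `notkey.com` does not pass as the brand’s own domain.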
The Bottom Line
Bing SEO poisoning places phishing pages in the organic search results for brand-name queries across banking, software, AI tools, and enterprise services. The attack exploits the trust users place in search engine results and bypasses the email filters, domain alerts, and ad platform abuse channels that most brand protection programs rely on. For any brand whose customers or employees might search for it by name on a Windows device, Bing’s organic results are part of the attack surface whether the brand is monitoring them or not.
Key Takeaways
Bing SEO poisoning is the manipulation of Bing’s organic search rankings to place fraudulent pages above legitimate websites for brand-name queries. Unlike search ad fraud, these are unpaid results that Bing’s algorithm surfaces as relevant, making them appear more trustworthy to users.
Bing is the default search engine on every Windows installation, embedded in Edge, Cortana, and the Windows 11 taskbar. Enterprise users on corporate devices often use Bing by default, making it a significant attack surface for credential harvesting and malware delivery targeting the workforce.
The campaigns span every sector: banking login pages (KeyBank), software downloads (Chrome, Notepad++, VPN clients), AI tools (OpenClaw), and tech support (Amazon). Any brand that people search for by name is a potential target.
Search ad fraud uses paid ads that can be reported through the ad platform’s abuse channel. SEO poisoning manipulates organic rankings, requiring takedown of the underlying infrastructure through domain registrars, hosting providers, and content platforms. The response is slower and the escalation paths are less direct.
Most programs monitor fraudulent domains, social media impersonation, and app store abuse. Few systematically monitor what appears when someone searches for their brand name in organic search results, leaving a gap that attackers are actively exploiting.