MITRE ATT&CK Technique
Initial Access T1189
Description

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:

* A legitimate website is compromised, allowing adversaries to inject malicious code
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces that allow user-controllable content are leveraged for the insertion of malicious scripts or iFrames (e.g., cross-site scripting)

Browser push notifications may also be abused by adversaries and leveraged for malicious code injection via [User Execution](https://attack.mitre.org/techniques/T1204). By clicking "allow" on browser push notifications, users may be granting a website permission to run JavaScript code on their browser.(Citation: Push notifications - viruspositive)(Citation: push notification -mcafee)(Citation: push notifications - malwarebytes)

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or a particular region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

1. A user visits a website that is used to host the adversary-controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. The user may be required to assist in this process by enabling scripting, notifications, or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, the adversary will gain code execution on the user's system unless other protections are in place. In some cases, a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Supported Platforms
Identity Provider, Linux, macOS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may gain access to a system through a user '
                'visiting a website over the normal course of browsing. '
                'Multiple ways of delivering exploit code to a browser exist '
                '(i.e., [Drive-by '
                'Target](https://attack.mitre.org/techniques/T1608/004)), '
                'including:\n'
                '\n'
                '* A legitimate website is compromised, allowing adversaries '
                'to inject malicious code\n'
                '* Script files served to a legitimate website from a publicly '
                'writeable cloud storage bucket are modified by an adversary\n'
                '* Malicious ads are paid for and served through legitimate ad '
                'providers (i.e., '
                '[Malvertising](https://attack.mitre.org/techniques/T1583/008))\n'
                '* Built-in web application interfaces that allow '
                'user-controllable content are leveraged for the insertion of '
                'malicious scripts or iFrames (e.g., cross-site scripting)\n'
                '\n'
                'Browser push notifications may also be abused by adversaries '
                'and leveraged for malicious code injection via [User '
                'Execution](https://attack.mitre.org/techniques/T1204). By '
                'clicking "allow" on browser push notifications, users may be '
                'granting a website permission to run JavaScript code on their '
                'browser.(Citation: Push notifications - '
                'viruspositive)(Citation: push notification -mcafee)(Citation: '
                'push notifications - malwarebytes)\n'
                '\n'
                'Often the website used by an adversary is one visited by a '
                'specific community, such as government, a particular '
                'industry, or a particular region, where the goal is to '
                'compromise a specific user or set of users based on a shared '
                'interest. This kind of targeted campaign is often referred to '
                'a strategic web compromise or watering hole attack. There are '
                'several known examples of this occurring.(Citation: '
                'Shadowserver Strategic Web Compromise)\n'
                '\n'
                'Typical drive-by compromise process:\n'
                '\n'
                '1. A user visits a website that is used to host the adversary '
                'controlled content.\n'
                '2. Scripts automatically execute, typically searching '
                'versions of the browser and plugins for a potentially '
                'vulnerable version. The user may be required to assist in '
                'this process by enabling scripting, notifications, or active '
                'website components and ignoring warning dialog boxes.\n'
                '3. Upon finding a vulnerable version, exploit code is '
                'delivered to the browser.\n'
                '4. If exploitation is successful, the adversary will gain '
                "code execution on the user's system unless other protections "
                'are in place. In some cases, a second visit to the website '
                'after the initial scan is required before exploit code is '
                'delivered.\n'
                '\n'
                'Unlike [Exploit Public-Facing '
                'Application](https://attack.mitre.org/techniques/T1190), the '
                'focus of this technique is to exploit software on a client '
                'endpoint upon visiting a website. This will commonly give an '
                'adversary access to systems on the internal network instead '
                'of external systems that may be in a DMZ.',
 'external_references': [{'external_id': 'T1189',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1189'},
                         {'description': 'Adair, S., Moran, N. (2012, May 15). '
                                         'Cyber Espionage & Strategic Web '
                                         'Compromises – Trusted Websites '
                                         'Serving Dangerous Results. Retrieved '
                                         'March 13, 2018.',
                          'source_name': 'Shadowserver Strategic Web '
                                         'Compromise',
                          'url': 'http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/'},
                         {'description': 'Craig Schmugar. (2021, May 17). '
                                         'Scammers Impersonating Windows '
                                         'Defender to Push Malicious Windows '
                                         'Apps. Retrieved March 14, 2025.',
                          'source_name': 'push notification -mcafee',
                          'url': 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating-windows-defender-to-push-malicious-windows-apps/'},
                         {'description': 'Gaurav Sethi. (2021, December 14). '
                                         'The Dark Side of Web Push '
                                         'Notifications. Retrieved March 14, '
                                         '2025.',
                          'source_name': 'Push notifications - viruspositive',
                          'url': 'https://viruspositive.com/resources/blogs/the-dark-side-of-web-push-notifications'},
                         {'description': 'Pieter Arntz. (2019, January 22). '
                                         'Browser push notifications: a '
                                         'feature asking to be abused. '
                                         'Retrieved March 14, 2025.',
                          'source_name': 'push notifications - malwarebytes',
                          'url': 'https://www.malwarebytes.com/blog/news/2019/01/browser-push-notifications-feature-asking-abused'}],
 'id': 'attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:49:28.067Z',
 'name': 'Drive-by Compromise',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Jeff Sakowicz, Microsoft Identity Developer '
                          'Platform Services (IDPM Services)',
                          'Saisha Agrawal, Microsoft Threat Intelligent Center '
                          '(MSTIC)',
                          'Frank Angiolelli'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Identity Provider', 'Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.7'}
Related Threat Actors (32)

* PROMETHIUM (High)
* Axiom (High)
* Dark Caracal (High)
* Elderwood (High)
* Leafminer (High)