Watering Hole Attack
A targeted attack where criminals compromise a website frequented by the intended victims, infecting them when they visit the site during normal activity.
Also known as: strategic website compromise, supply-chain site attack
Last reviewed: 1 June 2026
A watering hole attack takes its name from the predator tactic of waiting at a watering hole for prey to arrive. Instead of attacking an organisation's hardened network directly, attackers identify websites that employees of the target organisation regularly visit — industry news sites, supplier portals, professional forums — and compromise those external sites to serve malware.
When a targeted employee visits the compromised site with a vulnerable browser, browser plugin, or operating system, a drive-by download silently installs malware. Because the victim is visiting a trusted, familiar website, suspicion is low. This makes watering hole attacks particularly effective against well-defended organisations where direct phishing or social engineering would be harder.
Attackers typically exploit zero-day or recently patched vulnerabilities in browsers, PDF readers, or, historically, Flash. Defence includes keeping all software rigorously patched, using browser isolation or sandboxing technologies, deploying endpoint detection tools, and monitoring network traffic for anomalous outbound connections.
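An added example (not part of the original entry) of the network-monitoring defence: it flags domains never seen before that several internal hosts contact within seconds of visiting the same familiar site. The log format, host names, domains, baseline set and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log sample: "ISO timestamp, internal host, destination domain".
SAMPLE_LOG = """\
2026-05-04T09:00:05 ws-014 trade-assoc.example
2026-05-04T09:00:07 ws-014 cdn.trade-assoc.example
2026-05-04T09:00:09 ws-014 stats-collect.invalid
2026-05-04T09:02:30 ws-022 intranet.corp.example
2026-05-04T09:10:41 ws-022 trade-assoc.example
2026-05-04T09:10:44 ws-022 stats-collect.invalid
2026-05-04T09:30:00 ws-031 news.example
2026-05-04T09:30:02 ws-031 ads.news.example
2026-05-04T11:15:00 ws-040 stats-collect.invalid
"""

# Assumed baseline: domains this network already contacted in an earlier period.
BASELINE = {"trade-assoc.example", "cdn.trade-assoc.example",
            "intranet.corp.example", "news.example", "ads.news.example"}

def parse(log_text):
    """Yield (timestamp, host, domain) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, domain = line.split()
            yield datetime.fromisoformat(ts), host, domain

def find_suspect_pairs(log_text, baseline, window_s=30, min_hosts=2):
    """Return {(visited_site, new_domain): hosts} for new domains that at least
    min_hosts hosts contacted within window_s seconds of visiting visited_site."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)   # host -> [(time, baseline domain visited)]
    hits = defaultdict(set)      # (site, new domain) -> hosts that showed the pattern
    for ts, host, domain in sorted(parse(log_text)):
        if domain in baseline:
            recent[host].append((ts, domain))
            continue
        # Unknown domain: attribute it to every familiar site this host just visited.
        for seen_ts, site in recent[host]:
            if ts - seen_ts <= window:
                hits[(site, domain)].add(host)
    return {pair: sorted(hosts) for pair, hosts in hits.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for (site, new_domain), hosts in find_suspect_pairs(SAMPLE_LOG, BASELINE).items():
        print(f"{new_domain} contacted after {site} by {', '.join(hosts)}")
```

Requiring the same pairing from more than one host keeps a single user's unrelated browsing from raising an alert, at the cost of missing a compromise that has so far reached only one visitor.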
Examples
- An attacker compromises a trade-association website read by employees of a defence contractor, delivering malware via an unpatched browser vulnerability to visiting staff.