Guardio Labs discovers severe subdomain hijacking incident affecting thousands of subdomains
1. Overview of the incident
Guardio Labs discovered a serious subdomain hijacking incident that affected thousands of subdomains. They coined the term "SubdoMailing" for an attack chain in which hijacked subdomains of well-known companies are used to send malicious email. The investigation found that the campaign has been running since at least 2022.
2. Characteristics of SubdoMailing Attack
SubdoMailing can be considered an evolved form of social engineering that exploits the trust placed in well-known subdomains. Attackers run the campaign at scale, sending millions of phishing emails from hijacked subdomains.
In a subdomain hijack, an attacker takes control of a subdomain that belongs to a legitimate root domain, and the subdomain then becomes a base for all kinds of malicious activity: phishing campaigns, distribution of inappropriate content, sale of illegal substances, or spreading ransomware. The root cause is usually neglect. A subdomain created for a one-off campaign or a retired service is left in DNS long after the thing it pointed to is gone, and its record (typically a CNAME to a third-party domain) still resolves to a name that nobody owns any more. Whoever registers that abandoned target controls what the forgotten subdomain resolves to, while mail and web filters still see a subdomain of a trusted brand.
3. Case Analysis of SubdoMailing Attack
According to the article published by the company, a large volume of suspicious email was sent from seemingly legitimate subdomains of well-known brands, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, and many more. The emails used a sense of urgency to manipulate recipients into clicking links that redirected them to harmful destinations, ranging from intrusive ads to phishing sites designed to steal sensitive information.
4. Preventive measures against SubdoMailing attacks
SubdoMailing has a high success rate because the messages are technically legitimate from the receiver's point of view: they come from a real subdomain of a popular brand, and the sending server is authorized by that subdomain's SPF record, so authentication checks pass and spam filters have little to flag. Guardio described the SPF manipulation it found as highly elaborate, and untangling it took a thorough investigation by its researchers. For domain owners the preventive measures follow from the root cause: remove DNS records for retired subdomains, check that every CNAME target is still registered and under control, and keep SPF records short and free of include chains that authorize third parties nobody has reviewed.
The following case, investigated by Guardio, shows why SubdoMailing is so effective against unsuspecting users:
Guardio discovered several phishing emails coming from a subdomain of msn.com. A closer look showed that they were sent from a server in Kyiv, Ukraine. Normally a message from an unrelated server would fail SPF and be flagged as suspicious, unless the server's IP address is authorized by the sending domain's SPF record. On inspection, that is exactly what had happened: the suspicious IP address was authorized by the SPF record of the msn.com subdomain. The reason became clear when the record itself was examined:
Following the SPF record of the msn.com subdomain led Guardio's researchers down a rabbit hole of nested include statements that ultimately authorized 17,826 IP addresses to send email on behalf of the domain. The intricacy of the record pointed to a deliberate and elaborate method of manipulating authentication filters. What’s more, the investigation revealed that this MSN subdomain pointed to another domain via a CNAME record, and that domain was no longer registered. Once the attacker purchased it, the MSN subdomain resolved to DNS under the attacker's control, which is how they could publish an SPF record of their own choosing for a subdomain of msn.com.
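The two checks the case above calls for, a dangling CNAME (section 2) and an SPF include chain that quietly authorizes a huge address space (section 4), can both be automated. The following is an added example, not Guardio's code or part of the original post. It walks an SPF record's include: chain the way a receiving mail server's SPF evaluator would, counts the DNS lookups against the RFC 7208 limit of 10, totals the authorized IPv4 space, and reports whether the subdomain is a CNAME whose target no longer exists. To run offline it uses a small constructed in-memory zone instead of live DNS; every name in it is hypothetical, and the "broad" threshold is an assumption chosen for the example.

```python
"""Added example: SPF include-chain expansion and dangling-CNAME check over a constructed zone."""
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_DNS_LOOKUPS = 10          # RFC 7208 section 4.6.4: more than 10 lookups is a permerror
BROAD_IPV4_THRESHOLD = 1024   # assumption for this example: more than a /22 in total is "broad"

# Constructed zone data (hypothetical names): name -> list of (rrtype, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # Forgotten campaign subdomain whose CNAME target was later re-registered by an attacker.
    "promo.example.com": [("CNAME", "example-sweeps-2019.net")],
    # The attacker's SPF record at the re-registered target, with nested includes.
    "example-sweeps-2019.net": [("TXT", "v=spf1 include:spf.bulk-sender-a.test include:spf.bulk-sender-b.test -all")],
    "spf.bulk-sender-a.test": [("TXT", "v=spf1 ip4:203.0.113.0/24 include:spf.bulk-sender-c.test ~all")],
    "spf.bulk-sender-b.test": [("TXT", "v=spf1 ip4:198.51.100.0/22 ip6:2001:db8::/32 ~all")],
    "spf.bulk-sender-c.test": [("TXT", "v=spf1 ip4:192.0.2.0/24 include:spf.bulk-sender-a.test ~all")],  # loops back to a
    # A tidy record for comparison.
    "mail.example.com": [("TXT", "v=spf1 ip4:192.0.2.10 -all")],
    # A CNAME whose target has vanished from DNS entirely (takeover candidate).
    "old-blog.example.com": [("CNAME", "abandoned-host.test")],
}


def lookup(name: str, rrtype: str, zone: Dict, depth: int = 0) -> Optional[List[str]]:
    """Return rdata of the given type at name, following CNAMEs; None means NXDOMAIN."""
    rrs = zone.get(name)
    if rrs is None or depth > 8:
        return None
    cnames = [rd for rt, rd in rrs if rt == "CNAME"]
    if cnames:
        return lookup(cnames[0], rrtype, zone, depth + 1)
    return [rd for rt, rd in rrs if rt == rrtype]


def spf_record(name: str, zone: Dict) -> Optional[str]:
    """The single v=spf1 TXT record for name, or None if absent or ambiguous."""
    spf = [t for t in (lookup(name, "TXT", zone) or []) if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


class SpfExpansion:
    def __init__(self):
        self.networks = set()        # ip_network objects authorized to send
        self.lookups = 0             # DNS-querying mechanisms encountered
        self.warnings: List[str] = []


def expand_spf(name: str, zone: Dict, state: Optional[SpfExpansion] = None,
               path: Tuple[str, ...] = ()) -> SpfExpansion:
    """Recursively resolve ip4/ip6/include mechanisms; counts lookups and detects include loops."""
    if state is None:
        state = SpfExpansion()
    if name in path:
        state.warnings.append("include loop: " + " -> ".join(path + (name,)))
        return state
    record = spf_record(name, zone)
    if record is None:
        state.warnings.append(f"no SPF record for {name}")
        return state
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")           # drop the qualifier
        if mech.startswith(("ip4:", "ip6:")):
            state.networks.add(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            state.lookups += 1               # every include costs a DNS lookup
            expand_spf(mech[8:], zone, state, path + (name,))
        elif mech != "all":
            state.warnings.append(f"unhandled mechanism {term} in {name}")  # a/mx/ptr/exists/redirect not modelled
    return state


def cname_status(name: str, zone: Dict) -> str:
    """'none' (no CNAME), 'resolves', or 'dangling' (CNAME target has no records at all)."""
    targets = [rd for rt, rd in zone.get(name, []) if rt == "CNAME"]
    if not targets:
        return "none"
    return "resolves" if targets[0] in zone else "dangling"


def ip_authorized(ip: str, name: str, zone: Dict) -> bool:
    """Would SPF accept this sending IP for name? (the check that passed for the Kyiv server)"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand_spf(name, zone).networks)


def assess(name: str, zone: Dict) -> Dict:
    """One-line risk summary for a subdomain: CNAME health plus SPF breadth and lookup count."""
    state = expand_spf(name, zone)
    ipv4 = sum(n.num_addresses for n in state.networks if n.version == 4)
    return {
        "name": name,
        "cname": cname_status(name, zone),
        "dns_lookups": state.lookups,
        "over_lookup_limit": state.lookups > MAX_DNS_LOOKUPS,
        "ipv4_authorized": ipv4,
        "broad": ipv4 > BROAD_IPV4_THRESHOLD,
        "warnings": state.warnings,
    }


if __name__ == "__main__":
    for sub in ("promo.example.com", "mail.example.com", "old-blog.example.com"):
        print(assess(sub, ZONE))
    print(ip_authorized("203.0.113.77", "promo.example.com", ZONE))
```

In the constructed zone, promo.example.com ends up authorizing 1,536 IPv4 addresses through four include lookups and an include loop, none of which is visible from the subdomain's own record, while old-blog.example.com is reported as dangling. Against a real zone the same logic would sit on top of a DNS client; the one thing it cannot do offline is tell whether a CNAME target that still resolves is actually owned by the organisation, which needs a registration (WHOIS/RDAP) check of the target's registrable domain.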