Subdomain takeover: What it is and how to prevent it

It takes years to build a reputation and only moments to destroy it—and that’s especially true when it comes to subdomain takeovers. Subdomain takeovers can lead to data breaches, financial damage, loss of customer trust, and (sometimes) irreparable harm to your brand’s reputation.

Cybercriminals can exploit an unused subdomain to host phishing sites, spread malware, and capture sensitive user data in hours. This isn’t a hypothetical scenario—it happens to businesses (big and small) every day.

Fortunately, you can do something about it.

Below, we’ll explain everything you need to know about subdomain takeover and how to protect your business from cybercriminals.

What is a subdomain takeover?

Subdomain takeover is a cyber-attack in which attackers gain control over an organization’s subdomain. This typically occurs when a subdomain is misconfigured or left unmonitored, allowing attackers to exploit orphaned DNS records or expired services. Once in control, attackers can host malicious content, phish for credentials, or redirect users to harmful sites—all under the disguise of a trusted domain (hopefully, not yours).

How do subdomain takeovers work?

Here’s a step-by-step walkthrough of how subdomain takeovers work:

1. Orphaned DNS Records: When a service (like a hosting provider or cloud service) associated with a subdomain is no longer in use, but the DNS records still point to it, this creates an orphaned DNS record. Attackers can identify these records through DNS scanning solutions.
2. Misconfigured Subdomains: Sometimes, subdomains aren’t properly configured or maintained. Misconfigurations can include incorrect DNS settings or failure to remove DNS entries for no longer active services. Attackers look for these misconfigurations as entry points.
3. Expired Services: If a service linked to a subdomain expires (such as a cloud service account or hosting plan), the DNS record might still exist, pointing to a non-existent resource. Attackers can then register the same service or a similar one to take control of the subdomain.
4. Exploiting Vulnerabilities: Once an attacker identifies an orphaned or misconfigured subdomain, they can exploit it by creating a new account with the same service or configuring a server to respond to requests for the subdomain. This allows them to host malicious content or perform other harmful activities.

Real-world examples of subdomain takeovers

Subdomain takeovers aren’t the work of science fiction—they happen to big-name businesses like Microsoft, Tesla, and UNICEF:

• Microsoft’s Subdomain Takeover: In 2020, security researchers found multiple Microsoft subdomains vulnerable to takeover. Attackers could have exploited these subdomains to distribute malware or phishing pages. Microsoft acted quickly to secure the vulnerable subdomains after researchers reported the discovery.
• Tesla’s Subdomain Takeover: Tesla suffered a subdomain takeover when attackers hijacked a subdomain that pointed to a defunct AWS bucket. The attacker used the subdomain to host a cryptocurrency scam.
• UNICEF’s Subdomain Takeover: A subdomain of UNICEF was taken over and used to distribute malware. The attackers exploited an orphaned DNS record pointing to a service no longer used.

Why subdomain takeover is a big deal

Any cyberattack on your business is a big deal, but subdomain takeover poses security risks that can have far-reaching consequences for any organization. Here are some of the primary risks associated with subdomain takeover:

• Phishing Attacks: Attackers can host phishing sites on hijacked subdomains, tricking users into providing sensitive information.
• Data Breaches: Compromised subdomains can distribute malware, leading to potential data breaches and unauthorized access.
• Reputation Damage: Malicious activities on hijacked subdomains can severely damage an organization’s credibility and brand reputation.
• SEO Poisoning: Exploited subdomains can host spammy content, negatively impacting search engine rankings and website visibility.
• Service Disruption: Subdomain takeovers can disrupt services associated with the affected subdomain.

Common causes of subdomain takeover

Preventing subdomain takeover starts with understanding how these vulnerabilities occur. Even the most well-intentioned IT teams can overlook certain aspects of domain management—and all it takes is a teeny-tiny gap for attackers to exploit into full-scale problems.

Here are a few of the most common causes of subdomain takeover (and how to prevent them):

• Orphaned DNS records
• Misconfigured subdomains
• Expired services
• Inadequate monitoring
• Lack of clear policies

Orphaned DNS records

Orphaned DNS records are like old, forgotten keys to your digital assets. These records point to services that no longer exist or are no longer in use.

When a subdomain’s associated service is discontinued, but the DNS record remains, it creates an opening for attackers. They can identify these orphaned records through DNS scanning solutions and then register the defunct service to hijack the subdomain.

How to Prevent: Regularly audit your DNS records and remove any that are no longer needed.

Misconfigured subdomains

Misconfigured subdomains occur when subdomains aren’t set up correctly, such as when they have incorrect DNS settings or fail to remove records for inactive services. Misconfigurations can lead to gaps that attackers can exploit to take control of a subdomain.

How to Prevent: Follow best practices for DNS configuration and guarantee any changes are carefully managed and monitored.

Expired services

Expired services (like old hosting accounts or cloud services) can be a hidden danger. When these services expire, the associated subdomains can be left pointing to nothing—and this creates an opportunity for attackers. They can re-register the expired service or create a new one using the same subdomain to take control.

How to Prevent: Track all services associated with your subdomains and confirm that they are either renewed or properly decommissioned.

Inadequate monitoring

Without regular checks and maintenance, changes or issues that could lead to a subdomain takeover are easy to miss.

How to Prevent: Regularly monitor your DNS records and use automated solutions to alert you to potential vulnerabilities.

Lack of clear policies

A lack of clear policies for subdomain management can lead to inconsistencies and overlooked vulnerabilities. Without well-defined processes for creating, managing, and decommissioning subdomains, errors and misconfigurations increase.

How to Prevent: Establish (and enforce) clear policies for DNS and subdomain management to maintain a secure digital environment.

What to do if you discover a vulnerable subdomain

If you walk away from this article and immediately get to work on the prevention methods above, you might find a vulnerability in one (or more) of your subdomains.

Now what?

Take immediate action

Here’s what you need to do as soon as possible:

1. Identify the Scope: Determine the extent of the vulnerability. Is it just one subdomain at risk, or are multiple subdomains at risk? Understanding the scope will help prioritize your response efforts.
2. Secure Access: Immediately restrict access to the vulnerable subdomain. Update DNS records to point to a secure location or remove the DNS entry entirely if the subdomain isn’t in use.
3. Notify Your IT Team: Alert your IT and security teams about the vulnerability.

How to safely remove or secure the subdomain

• Update DNS Records: If the subdomain is still needed, update the DNS records to point to a secure, active service. Document and review changes.
• Remove Unnecessary Subdomains: If the subdomain is no longer required, remove the DNS entry to prevent potential exploitation.
• Implement Temporary Measures: Use firewall rules or access controls to temporarily block traffic to the vulnerable subdomain while you work on a permanent fix.

Improve your subdomain management with solutions

Manually monitoring your subdomains can be a full-time job. Fortunately, there is a solution to help automate and streamline the process. Valimail provides automated email authentication solutions to prevent email spoofing and domain hijacking. Its platform simplifies DMARC, SPF, and DKIM setup and management.

Secure your email domain with Valimail

Protecting your subdomains isn’t something you can just add to the backlog—you need to take action before cybercriminals do. Reading this article was a good first step, but now it’s time to do something about it.

While we can’t help with every aspect of your cybersecurity, we can help with one of the most valuable (and abused) channels: email.

Valimail provides comprehensive DMARC solutions to simplify and automate your email authentication. This protects your domains and subdomains from phishing, spoofing, and other malicious activities. With Valimail, you get:

• Automated Email Authentication: Easily set up and manage DMARC, SPF, and DKIM to prevent email spoofing and domain hijacking.
• Robust Monitoring: Continuous monitoring and alerting to detect vulnerabilities and unauthorized activities in real-time.
• Expert Support: Access to a team of experts who can guide you through email authentication and subdomain management complexities.

Don’t leave your domain’s security to chance—take proactive steps to protect your brand today. Sign up for Valimail Monitor (it’s free) to identify all services and sending activity from your domains. It’s the perfect first step to securing your domain.