How spammers exploit hijacked corporate domains

By hijacking domains with CNAME records and exploiting forgotten SPF records, attackers take over domains and use them for their own purposes.

You’ve probably received more than a few spam or phishing emails from addresses that appear to belong to reputable organizations. It may have left you wondering how attackers manage this feat, and perhaps even worried that someone might send a malicious email under your own company’s name.

The good news is that there are several technologies to combat spoofed emails: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC). The not-so-good news is that attackers occasionally find ways to bypass these security measures. This post looks at one such technique that spammers use to send email from real organization addresses: domain hijacking.

SubdoMailing campaign and corporate domain hijacking

Researchers at Guardio Labs have uncovered a massive spam campaign they’ve dubbed SubdoMailing. The campaign, which has been ongoing since at least 2022, includes more than 8,000 domains and 13,000 subdomains previously held by legitimate companies, along with approximately 22,000 unique IP addresses. Researchers estimate the average amount of spam at about five million emails per day.

SubdoMailing operators are constantly looking for suitable expired corporate domains, and once they find some they re-register them – typically capturing several dozen legitimate domains per day. The record stands at 72 hijacked domains in a single day – in June 2023.

To avoid landing on spam blocklists, attackers constantly rotate the hijacked domains. Each domain is used for spam distribution for only one or two days, then left idle for an extended period while the spammers switch to the next one, which is in turn retired after a few days and replaced by another.

Hijacking domains with a custom CNAME

So, how do threat actors go about exploiting hijacked domains? One method involves targeting domains with custom canonical name (CNAME) records. A CNAME is a type of DNS record that makes one domain name an alias of another: queries for the alias are answered with the records of the name it points to.

The simplest example of a CNAME record is the “www” subdomain, which usually points to the main domain (for instance, www.example.com aliased to example.com).

However, there are more complex scenarios where a CNAME record points a subdomain at an entirely separate domain. For example, it could be a promotional website hosted on a different domain but integrated into the company’s overall web resource structure with a CNAME record. If the registration of that separate domain lapses and the CNAME is left in place, whoever re-registers the domain decides what the company’s subdomain resolves to. Because a CNAME redirects every record type, TXT records included, the attacker’s SPF policy is also returned for the subdomain, so mail sent “from” that subdomain passes SPF checks.

Exploiting SPF records

Another tactic used by the SubdoMailing attackers involves exploiting SPF records. An SPF (Sender Policy Framework, an SMTP extension) record contains a list of IP addresses and domains that are authorized to send email on behalf of a particular domain.

Again, it is quite normal for large organizations to add a large number of addresses and domains to this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for a specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the registration of one of those domains has expired, but someone forgot to remove it from the SPF record. An attacker who re-registers it can publish an SPF record of their own there, and since the company’s policy still says “include” that domain, the attacker’s sending IP addresses become authorized senders for the company’s domain.
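Both preconditions described above (a subdomain whose CNAME target sits under an expired domain, and an SPF policy that still includes a domain nobody owns) can be found with the same audit. The script below is an added example written for this post; it is not code from Guardio Labs or from the original article. The zone data, the hypothetical brand.example / oldagency.example / gonetool.example names (the .example TLD is reserved and never registered) and the REGISTERED set, which stands in for an RDAP/WHOIS registration check, are all constructed here; the two-label “registrable domain” heuristic is a simplification that real code should replace with the Public Suffix List.

```python
"""Audit a DNS zone for SubdoMailing preconditions: dangling CNAME targets and
SPF include: references to domains that are no longer registered.

All data is constructed inline so the script runs offline. In a real audit the
ZONE dict would come from DNS queries and REGISTERED from RDAP/WHOIS lookups.
"""
import re

LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying terms per SPF evaluation

# Constructed zone data for a hypothetical brand, keyed by fully qualified name.
ZONE = {
    "www.brand.example.": {"CNAME": ["brand.example."]},
    # Promo site once hosted by an agency whose domain has since expired.
    "promo.brand.example.": {"CNAME": ["campaign.oldagency.example."]},
    "brand.example.": {"TXT": [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example "
        "include:survey.gonetool.example -all"
    ]},
    "_spf.mailhost.example.": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

# Constructed stand-in for a registration check; gonetool.example and
# oldagency.example are deliberately absent (expired, re-registrable).
REGISTERED = {"brand.example", "mailhost.example"}


def registrable_domain(name):
    """Last two labels of a name. Fine for this constructed data; real code
    should use the Public Suffix List (e.g. the tldextract package)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookup(zone, name, rtype, depth=0):
    """Resolve name/rtype from the zone, chasing CNAMEs like a resolver does.
    A CNAME at a name redirects *every* record type, TXT included, which is
    why whoever controls the CNAME target also controls the alias's SPF."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    node = zone.get(name, {})
    if rtype != "CNAME" and "CNAME" in node and depth < 8:
        return lookup(zone, node["CNAME"][0], rtype, depth + 1)
    return list(node.get(rtype, []))


def spf_record(zone, domain):
    """The single v=spf1 TXT record for a domain, or None (0 or >1 records)."""
    recs = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def find_dangling_cnames(zone, registered):
    """(alias, target) pairs whose target's registrable domain is unregistered."""
    out = []
    for name, rrs in zone.items():
        for target in rrs.get("CNAME", []):
            if registrable_domain(target) not in registered:
                out.append((name.rstrip("."), target.rstrip(".")))
    return out


def spf_referenced_domains(zone, domain, seen=None, budget=None):
    """Every domain the policy trusts via include:/redirect=, followed
    recursively and stopped at the RFC 7208 lookup limit. Explicit a:/mx:
    domains would deserve the same treatment but are omitted for brevity."""
    seen = set() if seen is None else seen
    budget = [LOOKUP_LIMIT] if budget is None else budget
    rec = spf_record(zone, domain)
    if rec is None:
        return seen
    for term in rec.split()[1:]:
        m = re.fullmatch(r"[+\-~?]?(include):(\S+)|(redirect)=(\S+)", term, re.I)
        if not m:
            continue
        if budget[0] <= 0:
            break
        budget[0] -= 1
        ref = (m.group(2) or m.group(4)).rstrip(".").lower()
        if ref not in seen:
            seen.add(ref)
            spf_referenced_domains(zone, ref, seen, budget)
    return seen


def find_dangling_spf_includes(zone, domain, registered):
    """Referenced domains whose registrable domain is not registered."""
    return sorted(d for d in spf_referenced_domains(zone, domain)
                  if registrable_domain(d) not in registered)


def simulate_takeover(zone):
    """What the attacker does: re-register oldagency.example and publish an
    SPF record under it. promo.brand.example now authorizes 198.51.100.0/24."""
    hijacked = dict(zone)
    hijacked["campaign.oldagency.example."] = {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]}
    return spf_record(hijacked, "promo.brand.example")


if __name__ == "__main__":
    print("dangling CNAMEs:", find_dangling_cnames(ZONE, REGISTERED))
    print("dangling SPF includes:", find_dangling_spf_includes(ZONE, "brand.example", REGISTERED))
    print("SPF for promo.brand.example before takeover:", spf_record(ZONE, "promo.brand.example"))
    print("SPF for promo.brand.example after takeover:", simulate_takeover(ZONE))
```

Run against the constructed data, the audit flags promo.brand.example (its CNAME target lives under the unregistered oldagency.example) and the survey.gonetool.example include, and the takeover simulation shows the subdomain returning the attacker’s SPF policy once the expired domain is re-registered. The lookup budget matters in practice: an SPF policy that already needs close to ten lookups will return permerror after an attacker pads the hijacked include with further includes, which is a useful detection signal in DMARC reports.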
