What is the SubdoMailing attack and how can you protect yourself?

Learn about the SubdoMailing attack, how you can check if you're affected, and how to protect yourself and remediate from it

Written by Faisal Misle
Updated over a week ago

In late-February 2024, Guardio released groundbreaking research uncovering a widespread subdomain hijacking attack orchestrated by a sophisticated threat actor. What initially appeared as a contained incident has now been revealed to be much larger in scale, affecting numerous domains and companies.

This attack, known as "Subdomain Hijacking", and its cousin "SPF hijacking", exploit the trust associated with legitimate domains to disseminate spam and malicious phishing emails. By leveraging the credibility of these domains and taking over dangling subdomains, the attackers aim to bypass security measures and infiltrate unsuspecting organizations' networks.

Our investigation has identified a concerning trend: the threat actors have registered thousands of domains previously used by reputable companies, and are employing a sophisticated dictionary domain generation algorithm (DGA) to host SPF records. This poses a significant risk to organizations, particularly if they use SPF mechanisms from inactive or typo-prone services.

You could be impacted in one of two ways: through a poisoned SPF mechanism, or through a dangling subdomain. The SPF case applies if you use an SPF mechanism from a product, company or service that is no longer active and has been poisoned, or if the mechanism is a typo of a common service and has been poisoned or hijacked. The subdomain case applies if you have a dangling subdomain pointing to a product, company or service that is no longer active and the attackers have taken control of the destination domain.

Using our vast network of data, combined with some of the data points from the Guardio research, we’ve uncovered around 100 core domains that form the group’s authorization network. From those core domains, we’re branching out using passive DNS to discover the extent of the affected domain landscape.

How can I take action?

To safeguard your business from this evolving threat, we urge you to take immediate action:

  1. Review your organization's SPF mechanisms and ensure they are up-to-date and accurate. We have updated our SPF checker tool to surface any malicious mechanisms we know are participating in this attack.

    1. If we detect any malicious hosts, you should review and remove them as soon as possible, as you are open to authenticated impersonation.

      This is how the checker will look if you are impacted:

      If we do not detect any issues, you will not get a SubdoMailers warning
      (but you may still get warnings if we detect any syntax errors in your SPF).

  2. Conduct thorough audits of your subdomains and their traffic to identify any potential vulnerabilities or unauthorized access.

  3. Stay vigilant for suspicious email activity and educate your employees on recognizing and reporting phishing attempts.

How do I remediate and remove the compromised host?

In the case of a compromised CNAME subdomain, you will just need to remove the unused record from your DNS.

For example: If pages.redsift.com is a CNAME to mkto-sj030158.com, which is now controlled by the attacker, you would just need to remove the pages.redsift.com CNAME record from your DNS zone.

In the case of a compromised SPF mechanism, you will just need to remove the compromised host from your SPF record.

For example, if your SPF record is as follows:

v=spf1 include:spf.protection.outlook.com include:spf.sendingblu.com ~all

where spf.sendingblu.com is the taken-over record, you would remove that include from your SPF, leaving you with just:

v=spf1 include:spf.protection.outlook.com ~all
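The SPF audit and clean-up above, worked through in code. This is an added example, not Red Sift's checker or any code from the article; the hijacked-host denylist and the "known providers" list are constructed placeholders, and the typo check (a near-miss comparison against providers you actually use) goes slightly beyond the article's single example to cover the typo-prone-mechanism case it mentions.

```python
import difflib
import re
from typing import Iterable, List, Tuple

# Constructed lists for this example. A real denylist would come from a
# checker like the one the article describes, and the "known providers"
# set would be the services your organisation actually sends through.
HIJACKED_HOSTS = {"spf.sendingblu.com"}
KNOWN_PROVIDERS = {"spf.protection.outlook.com", "_spf.google.com"}

# SPF terms that delegate authorisation to another host name. ip4:/ip6:
# terms carry no host name, so they are deliberately not matched.
HOST_TERM_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)[:=](\S+)$", re.I)


def spf_host_terms(record: str) -> List[Tuple[str, str]]:
    """Return (term, host) for each term in `record` that names a host."""
    found = []
    for term in record.split():
        m = HOST_TERM_RE.match(term)
        if m:
            found.append((term, m.group(2).lower()))
    return found


def hijacked_terms(record: str, hijacked: Iterable[str] = HIJACKED_HOSTS) -> List[str]:
    """Terms whose host is on the hijacked list; an empty list means none found."""
    bad = {h.lower() for h in hijacked}
    return [term for term, host in spf_host_terms(record) if host in bad]


def typo_suspects(record: str, known: Iterable[str] = KNOWN_PROVIDERS,
                  threshold: float = 0.9) -> List[Tuple[str, str]]:
    """Hosts that are not a known provider but closely resemble one.
    Returns (term, closest_known_provider) pairs for a human to confirm."""
    known_l = {k.lower() for k in known}
    if not known_l:
        return []
    suspects = []
    for term, host in spf_host_terms(record):
        if host in known_l:
            continue  # exact match: nothing to flag
        best = max(known_l, key=lambda k: difflib.SequenceMatcher(None, host, k).ratio())
        if difflib.SequenceMatcher(None, host, best).ratio() >= threshold:
            suspects.append((term, best))
    return suspects


def clean_spf(record: str, hijacked: Iterable[str] = HIJACKED_HOSTS) -> str:
    """Rebuild the record without the hijacked terms, keeping order and the `all` term."""
    drop = set(hijacked_terms(record, hijacked))
    return " ".join(t for t in record.split() if t not in drop)
```

Run `hijacked_terms` on your published TXT record first; only republish the output of `clean_spf` after confirming each flagged include is genuinely unused, since dropping a live provider breaks your own outbound authentication.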

Red Sift is committed to supporting you in mitigating this threat and protecting your digital assets. We have deployed advanced tools and techniques to identify and neutralize the threat actor's core domains and are actively monitoring for any signs of malicious activity within our customer base.

For more information and guidance on how to fortify your organization's defenses against subdomain hijacking, please follow us on our Attack Surface Management Sift Space community forum, or read our blog post.

If you have any technical questions about this attack or if you are affected, please submit a case in Sift Space and one of our Engineers will get back to you.
