How spammers exploit hijacked corporate domains

You’ve probably received more than a few spam or phishing emails from addresses belonging to seemingly reputable organizations. This may have left you wondering how attackers manage this feat, and perhaps even concerned about whether anyone out there is sending malicious emails under your own company’s name.

The good news is that several technologies exist to combat emails sent on someone else’s behalf: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC). The not-so-good news is that attackers occasionally discover ways to bypass these safeguards. This post looks at one such technique that spammers use to send emails from the addresses of real organizations: domain hijacking.

SubdoMailing campaign and corporate domain hijacking

Researchers at Guardio Labs have uncovered a large-scale spam campaign that they’ve dubbed SubdoMailing. This campaign, ongoing since at least 2022, involves over 8000 domains and 13,000 subdomains previously owned by legitimate companies, along with nearly 22,000 unique IP addresses. The researchers estimate the average volume of spam at around five million emails daily.

The SubdoMailing operators are constantly on the lookout for suitable expired corporate domains, and once they find some they re-register them — typically capturing several dozen legitimate domains daily. The record stands at 72 hijacked domains in a single day — back in June 2023.

To avoid landing on spam lists, the attackers rotate the hijacked domains constantly. Each domain is used for spam distribution for 1–2 days before going dormant for an extended period while the spammers switch to the next one. After a couple of days, that one too is temporarily retired, and another takes its place.

Hijacking domains with a custom CNAME

So, how exactly do threat actors go about exploiting hijacked domains? One method involves targeting domains with a custom canonical name (CNAME) record. A CNAME is a type of DNS record used to redirect one domain name to another.

The simplest example of a CNAME record is the “www” subdomain, which usually redirects to the main domain, like this:

  • www.company.com → company.com

However, more complex scenarios exist where a CNAME record redirects a subdomain to a completely separate domain. For example, this could be a promotional website hosted on a different domain but integrated into the company’s overall web resource structure with a CNAME record.

  • promo.company.com → company2020promo.com

Large companies with extensive web resources may have multiple CNAME records and corresponding domains. The problem is that administrators cannot always keep track of it all. As such, a situation can arise where a domain has expired but the CNAME record pointing to it lives on. These are the kind of domains that the cybercriminals behind the SubdoMailing campaign are eager to harvest.

They hunt for abandoned domains that still have active CNAME records referencing the large companies that once owned them. Let’s take company2020promo.com from our example. Say the company abandoned this domain after a promotional campaign several years ago, but the administrators forgot to remove the CNAME record. This allows threat actors to register the domain to themselves and automatically gain control over the promo.company.com subdomain.

That done, they gain the ability to authorize mail servers located at IP addresses they own to send emails from the promo.company.com subdomain — effectively inheriting the reputation of the primary domain, company.com.
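A defender can look for this condition in a zone export before anyone else does. The following is an added example, not code from the original article or from Guardio Labs: it follows each CNAME to its final target and flags targets whose registrable domain is neither owned by the organization nor currently registered. The zone data, the `is_registered` callback and the two-label `registrable` shortcut are assumptions made for illustration.

```python
def registrable(name):
    """Naive registrable domain: the last two labels. Assumption for brevity;
    use the Public Suffix List for suffixes such as co.uk."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def find_dangling_cnames(records, owned, is_registered):
    """records: (name, rtype, value) tuples from a zone export.
    owned: registrable domains the organisation controls.
    is_registered: callable(domain) -> bool, e.g. backed by RDAP or WHOIS.
    Returns (name, final_target, reason) findings."""
    cnames = {n.rstrip(".").lower(): v.rstrip(".").lower()
              for n, t, v in records if t.upper() == "CNAME"}
    findings = []
    for name in sorted(cnames):
        target, seen = cnames[name], {name}
        # Follow CNAME chains inside the zone, guarding against loops.
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        if target in seen:
            findings.append((name, target, "CNAME loop"))
            continue
        base = registrable(target)
        if base not in owned and not is_registered(base):
            findings.append((name, target, base + " is not registered"))
    return findings

# Constructed sample zone using the article's example names.
ZONE = [
    ("www.company.com.", "CNAME", "company.com."),
    ("promo.company.com.", "CNAME", "company2020promo.com."),
    ("shop.company.com.", "CNAME", "stores.shopvendor.example."),
    ("old.company.com.", "CNAME", "promo.company.com."),
    ("company.com.", "A", "192.0.2.10"),
]
REGISTERED = {"shopvendor.example"}  # constructed stand-in for a registry lookup

if __name__ == "__main__":
    for finding in find_dangling_cnames(ZONE, {"company.com"},
                                        REGISTERED.__contains__):
        print(finding)
```

A target that someone else has already re-registered passes the `is_registered` check, so every external target outside `owned` still deserves a manual ownership review.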

Exploiting SPF records

The second tactic employed by the SubdoMailing attackers involves exploiting SPF records. SPF (Sender Policy Framework — an extension of the SMTP protocol) records list the IP addresses and domains authorized to send emails from a particular domain.

Again, it’s perfectly normal for large organizations to include a multitude of addresses and domains in this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for some specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the domain registration has expired, but someone forgot to remove the said domain from the SPF record.

Domains like these are also prized by threat actors. For our example company.com, let’s say the SPF record also includes some external domain like customersurveytool.com, belonging to a user-survey service.

Now, imagine this service no longer exists, the domain registration has expired, and the administrators forgot to update the SPF record. By registering the abandoned customersurveytool.com domain, attackers gain the ability to send emails not just from the subdomain, but from the company’s primary domain, company.com.
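The same audit applies to SPF. The following is an added example, not code from the original article: it extracts every domain an SPF record delegates to (`include`, `redirect`, `a`, `mx`, `exists`, `ptr`), walks `include` and `redirect` chains, and reports any referenced domain that is neither owned nor registered. The records, the `txt_lookup` and `is_registered` callbacks and the two-label registrable-domain shortcut are assumptions made for illustration.

```python
import re

# SPF terms that delegate trust to another domain name.
_DOMAIN_TERM = re.compile(
    r"^[+\-~?]?(?:(include|a|mx|exists|ptr):|(redirect)=)([^/\s]+)", re.I)

def spf_domains(record):
    """Return [(term, domain)] for every domain-bearing term in an SPF record."""
    out = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        m = _DOMAIN_TERM.match(term)
        if m and "%" not in m.group(3):      # skip macro-expanded names
            out.append(((m.group(1) or m.group(2)).lower(),
                        m.group(3).rstrip(".").lower()))
    return out

def audit_spf(domain, txt_lookup, owned, is_registered, _seen=None):
    """Report (record_owner, term, referenced_domain) for every reference to a
    domain outside `owned` that is not registered.
    txt_lookup: callable(domain) -> SPF string or None (hypothetical resolver)."""
    seen = _seen if _seen is not None else set()
    if domain in seen:                       # guard against include loops
        return []
    seen.add(domain)
    findings = []
    for term, ref in spf_domains(txt_lookup(domain) or ""):
        base = ".".join(ref.split(".")[-2:])  # naive registrable domain
        if base not in owned and not is_registered(base):
            findings.append((domain, term, ref))
        elif term in ("include", "redirect"):
            findings += audit_spf(ref, txt_lookup, owned, is_registered, seen)
    return findings

# Constructed sample records using the article's example names.
SPF = {
    "company.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailvendor.example "
                   "include:customersurveytool.com ~all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 "
                               "a:relay.oldpartner.example/28 -all",
}
REGISTERED = {"mailvendor.example"}  # constructed stand-in for a registry lookup

if __name__ == "__main__":
    for f in audit_spf("company.com", SPF.get, {"company.com"},
                       REGISTERED.__contains__):
        print(f)
```

The second finding in the sample comes from a vendor's record rather than the company's own, which is why the audit follows `include` chains instead of reading only the top-level record.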

Examples of domain hijacking in the SubdoMailing campaign

The case of msnmarthastewartsweeps.com illustrates how such problems can arise. The Microsoft Network (MSN) portal once collaborated with celebrity chef Martha Stewart on a project promoting MSN Messenger (remember that?) through prize giveaways. The project’s website used the subdomain marthastewart.msn.com, which redirected to the external domain msnmarthastewartsweeps.com through a CNAME record.

Here’s what marthastewart.msn.com looked like when it was live.

As you might guess, the msnmarthastewartsweeps.com domain registration eventually expired, but the MSN administrators failed to remove the corresponding CNAME record. In 2022, attackers discovered this domain, registered it, and gained the ability to send emails from marthastewart.msn.com, leveraging the reputation of none other than the Microsoft Network for their own purposes.

How to guard against SubdoMailing

To prevent domain hijacking and spamming in your company’s name, we recommend the following:

  • Implement SPF, DKIM, and DMARC.
  • Regularly inventory your company’s web resources, including domains.
  • Ensure timely renewal of active domain registrations.
  • Remove outdated DNS records.
  • Update SPF records by removing unused addresses and domains authorized to send emails on your company’s behalf.
