How to protect your site from subdomain takeover

Subdomain takeover is a serious risk for organizations with a large online presence (which is a lot of businesses in 2025!). A domain name is the starting point of your company’s online identity, encompassing the main and subsidiary websites—serving as the organization’s business card, storefront, and a central hub for commercial activities. For SaaS providers and tech solution vendors, domains also form a critical component of their product offerings. 

So the last thing you want is for a bad actor to fraudulently operate under one of your subdomains without your knowledge. This article explores subdomain takeover risk and outlines practical solutions for reducing the risk of subdomain takeover, including external attack surface management (EASM) as a useful tool for mitigation.

How does subdomain takeover work?

A subdomain takeover attack occurs when an attacker takes control of a subdomain that should be under the control of the original domain owner. Here’s how it typically works:

  1. Identify unused subdomains: The attacker starts by scanning the target domain for subdomains that are no longer in use or are misconfigured. Tools like sublist3r, amass, or subfinder can help in this process.
  2. Check DNS records: The attacker then checks the DNS records of these subdomains to see if they are pointing to a valid service or if they are misconfigured. Misconfigurations can include CNAME records pointing to a service that no longer exists or has been deleted.
  3. Exploit misconfigurations: If a subdomain is found to be pointing to a service that no longer exists, the attacker can take advantage of this. For example, if a subdomain is set to point to a cloud service (like an AWS S3 bucket) that has been deleted, the DNS record will still point to the cloud service’s domain.
  4. Claim the subdomain: The attacker can then create a new resource on the cloud service (e.g., a new S3 bucket) with the same name as the original resource. Since the DNS record still points to the cloud service, the subdomain will now point to the attacker’s resource.
  5. Control the subdomain: Once the attacker has control of the subdomain, they can use it for various malicious purposes, such as hosting phishing pages, serving malware, or redirecting traffic to malicious sites.
  6. Maintain control: The attacker can maintain control of the subdomain until the domain owner corrects the DNS records or takes other remedial actions.

Consider the following scenario: a bank unintentionally leaves a subdomain associated with a past promotional event vulnerable. An attacker exploits this oversight to create a fraudulent page resembling the bank’s login portal. Unsuspecting customers, trusting the authentic-looking URL, enter their credentials, inadvertently granting the attacker access to thousands of bank accounts and sensitive data. This not only exposes the bank to significant legal liability but also risks severe and lasting reputational harm.

Recent subdomain attack incidents

Unfortunately, subdomain attacks are common occurrences with far-reaching repercussions. Recently, a massive ad fraud campaign named “SubdoMailing” used over 8,000 legitimate internet domains and 13,000 hijacked subdomains of major brands to send up to five million emails per day for generating revenue via scams and malvertising.

Large enterprises are no less vulnerable to subdomain takeover attacks. In 2020, Microsoft security researchers found multiple Microsoft subdomains vulnerable to takeover. Cyber attackers even managed to takeover Tesla’s subdomain to host a cryptocurrency scam.

Motives and intent

Once an attacker gains control of a vulnerable subdomain, they can host malicious content, effectively transforming the subdomain into a platform for phishing campaigns and other malicious activities. Hackers use subdomain takeover as a mechanism to intercept user authentication credentials, distribute malware, and harvest sensitive information, such as session cookies, which can facilitate further attacks.

What makes a subdomain vulnerable?

Each domain name is linked to a set of DNS records, including canonical name (CNAME) records, which route subdomains to specific target domains or services. Vulnerabilities arise when an external service, often hosted by cloud providers, becomes inactive or misconfigured while the DNS record continues to point to it.

This creates an opportunity for attackers to hijack the subdomain by providing their own virtual host and hosting malicious content. Such control allows attackers to intercept cookies from the main domain, execute cross-site scripting (XSS) attacks, bypass content security policies, and potentially capture sensitive information, including user credentials, or deliver malicious content to unsuspecting users.

IT considerations for defending against subdomain takeover

For organizations with a minimal online presence, subdomain takeover may not be a primary concern for their IT teams. However, for larger firms where domains play a critical role in their operations and often encompass numerous subdomains, the risk becomes significantly more pronounced. This makes subdomain takeover a substantial threat to business continuity and security.

Here are some common ways to defend your organization’s digital assets against subdomain takeover.

Monitoring and detection

Organizations often leave subdomains unmanaged or improperly configured over time, creating vulnerabilities. One of the most effective ways to prevent subdomain takeovers is by implementing an external attack surface management (EASM) tool. EASM tools continuously monitor domains, identifying exploitable changes, including misconfigured or abandoned subdomains.

As a crucial part of a comprehensive security strategy, EASM maps and analyzes an organization’s digital footprint from an external perspective, uncovering vulnerabilities before they can be exploited. By proactively addressing these weak points, EASM tools help organizations secure their online assets and strengthen overall security.

Regularly audit and clean DNS records

Regularly review your DNS records, with particular attention to CNAME and TXT records, to maintain the security and accuracy of your domain configurations. Ensure that outdated or irrelevant subdomain entries pointing to unused third-party services are promptly removed or updated. This prevents attackers from exploiting vulnerable subdomains and helps safeguard your domain while ensuring its configurations remain secure and up-to-date.

Monitor third-party services

When using third-party services like cloud platforms, hosting providers, or content delivery networks (CDNs) for your subdomains, be sure to verify that these services remain active and correctly configured at all times. Keep track of expiration dates and trial period deadlines, as lapses can leave subdomains pointing to unclaimed addresses, exposing them to potential security breaches.

Domain registrar locking and MFA

Utilize domain-locking features offered by most domain registrars to prevent unauthorized changes to your DNS settings, reducing the risk of exploitation by hackers. Additionally, enable multi-factor authentication (MFA) for your domain registrar account to add an extra layer of protection, further deterring unauthorized access. Implementing these security measures significantly reduces the risk of subdomain takeover and helps protect your online assets.

Map your attack surface for free

Interested to get a comprehensive view of your attack surface risks, including all domains and subdomains? Book a free analysis here.

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.