Threat actors are always on the lookout for potential ways into target networks. And although the cybersecurity world has a lot on its radar already, subdomains are entry points that are not always easy to identify and may end up overlooked.

Companies often map subdomains to a specific IP address that points to third-party services such as Shopify and Amazon Web Service (AWS). As such, subdomains could quickly pile up as companies continue to develop and drop products and services. That shouldn’t be a problem as long as they are updated accordingly. However, when a company drops the subscription or stops offering a service, it may forget about these subdomain records—which may then lead to subdomain takeover.

Conducting a regular inventory of subdomains with a subdomain lookup tool can support the detection of the corresponding attack surface. Let’s see how a subdomain finder allows us to check subdomains for vulnerabilities and consequently protect digital assets and clients with an example.

A Closer Look at a Subdomain Takeover

Subdomain takeover occurs when someone outside a company gains control of unused and outdated subdomains. Take Microsoft, for instance. Researchers have found hundreds of subdomains that are vulnerable to subdomain takeover in its network. A spam group, in fact, was seen hosting their ads for a poker casino on these Microsoft subdomains:

• portal[.]ds[.]microsoft[.]com
• perfect10[.]microsoft[.]com
• ies.global[.]microsoft[.]com
• blog-ambassadors[.]microsoft[.]com

Screenshot lookup services no longer see the spam content on any of the domains, as Microsoft quickly fixed the issues on these subdomains. However, the Wayback Machine allowed us to see the spam ad hosted on the reputable subdomain blog-ambassadors[.]microsoft[.]com in February 2020.

The four subdomains above or those that were reportedly vulnerable are, however, not the only ones Microsoft should be on the lookout for. Subdomain Lookup revealed that microsoft[.]com has 10,000 subdomains, ranging from Microsoft’s support services to Microsoft Teams subdomains.

Any of these subdomains could be vulnerable. The subdomain finder also revealed that some of them, such as wishlist-int[.]mp[.]microsoft[.]com, may not have been updated for a while.

Possible Consequences of a Subdomain Takeover

Aside from hosting spam, threat actors can use vulnerable subdomains for more nefarious activities. Bug bounty hunters, for instance, found that vulnerable Microsoft subdomains can lead to an account takeover.

In essence, once threat actors hijack a subdomain, they can:

• Deface a website and host spam or unreputable content on it.
• Trick website visitors into downloading malware.
• Hack into user accounts and devices.

There are also instances of more advanced takeovers such as the subdomain takeover of saostatic[.]uber[.]com, which paved the way for attackers to entirely bypass the Single Sign On (SSO) login protocol of auth[.]uber[.]com.

Threat actors can take over vulnerable subdomains with the right tools and resources. As such, companies also have to employ the right tools to combat the threat. Subdomain lookups enable companies to find subdomains and create a detailed inventory. From there, they can identify which subdomains they may need to remove and which ones they need to update.