How to protect your domain from 'SubdoMailing'

Mar 27, 2024 · 3 mins read

Last month, Guardio revealed SubdoMailing, a sophisticated new cyberattack that saw a torrent of spam email from subdomains of high-trust corporate domains. While the scale and sophistication of the operation were new, the attack was not. It was essentially a specific variant of subdomain hijacking that targets Sender Policy Framework (SPF) records. Perhaps most alarming were the high-quality domains perfect for phishing attempts:

  • secure2.unicef.ca
  • gms.mlb.com
  • login.o3.symantec.com
  • marthastewart.msn.com
  • intel.hsn.com
  • api.xdr.mcafee.com
  • pgh.aclu.org
  • subscribe.marvel.com
  • wiki.java.net

Who Is Affected

Guardio’s SubdoMailing Checker can determine if your domain was affected in this particular attack. However, the SubdoMailing technique has a broad potential impact, primarily affecting the following scenarios:

  1. Companies with Expired Web Domains: Especially those that were cross-referenced by their primary domain through DNS records such as CNAMEs. Organizations in this category should immediately verify whether their domains have been compromised:

  2. Systems Using Vulnerable SPF Records: If your SPF records include domains that you do not directly control, these records might be vulnerable to exploitation. Even if your domain was not directly involved in this round of attacks, it’s essential to:

  3. Organizations with Unused or Forgotten Subdomains: Even if your SPF records are secure, neglected subdomains (especially those with outdated CNAME records pointing to now-uncontrolled domains) present a significant security risk. It’s critical to:

Addressing these vulnerabilities requires a proactive approach to domain management and security. By taking these steps, you can significantly enhance your organization’s resilience against SubdoMailing and similar DNS-based attack vectors.

How It Works

Suppose a company, examplecorp.com, had a second temporary domain like exampleconf2018.com and a CNAME record conf.examplecorp.com pointing to exampleconf2018.com. The company let the exampleconf2018.com domain go but forgot to delete the record for conf.examplecorp.com.

Attackers register the lapsed exampleconf2018.com domain and can then exploit the trust inherent in the examplecorp.com domain. Because a CNAME redirects lookups for every record type, the TXT (and therefore SPF) record that mail receivers fetch for conf.examplecorp.com is now whatever the attacker publishes at exampleconf2018.com, so mail sent from conf.examplecorp.com addresses passes SPF as if it were legitimate. This makes the attack particularly insidious, as it leverages the existing trust in the primary domain to conduct phishing campaigns or distribute malware: as long as conf.examplecorp.com still points to exampleconf2018.com, it lends credibility to malicious activity conducted under this guise.

How to Fix It

  1. Review and Update SPF Records: Regularly audit your SPF records for entries that reference external domains. Remove or update any includes that point to domains outside of your direct control to mitigate potential vulnerabilities.

  2. Audit Your DNS Records Regularly: Ensure that all CNAME, A, and MX records are current and point to domains under your control. Remove any outdated or unused records to prevent them from being exploited.

  3. Monitor Domain Expiration Dates: Implement a system to track the expiration dates of all domains associated with your organization. Renew domains well before their expiration dates to avoid lapses.

  4. Use DNS Security Extensions (DNSSEC): DNSSEC adds an extra layer of verification to DNS responses, helping to prevent attackers from redirecting traffic through DNS spoofing.

  5. Educate Your Team: Ensure that your IT and security teams are aware of the risks associated with domain management and DNS configurations. Regular training sessions can help keep everyone up to date on best practices.

  6. Implement a Robust SPF Policy: Review and update your SPF records to ensure they accurately reflect the mail servers authorized to send email on behalf of your domains. Avoid using ‘include’ statements that reference domains outside your control.

  7. Use Domain Monitoring Services: Subscribe to services that monitor and alert you to changes in DNS configurations or domain registrations that could indicate a security risk.
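As an added example for the scenario above and for fix steps 1 and 2 (this is not code from the original article), the following Python walks an SPF include/redirect chain and a CNAME table against the set of registrable domains you control and reports every reference that falls outside it, including the dangling conf.examplecorp.com CNAME. The DNS data is constructed inline to stand in for live lookups, and the vendor name _spf.mailvendor.example is an assumption.

```python
import re
from collections import deque

# Constructed sample DNS data standing in for live TXT/CNAME lookups.
# examplecorp.com and exampleconf2018.com follow the article; the vendor name is assumed.
CONTROLLED = {"examplecorp.com"}
TXT = {
    "examplecorp.com": "v=spf1 mx include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:203.0.113.0/24 include:exampleconf2018.com ~all",
}
CNAME = {
    "conf.examplecorp.com": "exampleconf2018.com",  # target domain was allowed to lapse
    "www.examplecorp.com": "examplecorp.com",
}

def registrable(host):
    """Approximate the registrable domain as the last two labels (no public suffix list)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def external_spf_refs(domain, txt=TXT, controlled=CONTROLLED):
    """Breadth-first walk of include:/redirect= terms starting at `domain`.
    Returns {referenced_domain: chain_of_records_that_led_there} for every
    referenced domain whose registrable domain is not in `controlled`."""
    findings, seen = {}, set()
    queue = deque([(domain, (domain,))])
    while queue:
        name, chain = queue.popleft()
        if name in seen:          # guard against include loops
            continue
        seen.add(name)
        for term in txt.get(name, "").split()[1:]:   # skip the v=spf1 version tag
            m = re.fullmatch(r"[+\-~?]?include:(.+)|redirect=(.+)", term)
            if not m:
                continue           # ip4:/ip6:/a/mx/all carry no cross-domain trust
            target = (m.group(1) or m.group(2)).lower()
            if registrable(target) not in controlled:
                findings.setdefault(target, chain + (target,))
            queue.append((target, chain + (target,)))
    return findings

def external_cname_targets(cname=CNAME, controlled=CONTROLLED):
    """Return {alias: target} for every CNAME whose target is outside controlled domains."""
    return {alias: t for alias, t in cname.items() if registrable(t) not in controlled}

if __name__ == "__main__":
    for d, chain in external_spf_refs("examplecorp.com").items():
        print("SPF trusts external domain", d, "via", " -> ".join(chain))
    for alias, t in external_cname_targets().items():
        print("CNAME", alias, "points outside your control to", t)
```

Every flagged SPF reference is a domain whose registration and records you must keep an eye on; a flagged CNAME whose target no longer belongs to you should simply be deleted.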

By taking these steps, organizations can significantly reduce their vulnerability to SubdoMailing and other DNS-based attacks. The key is to maintain control and oversight of your domain infrastructure and to act swiftly if you detect any anomalies.

If you’d like assistance configuring, auditing, or monitoring your DNS records, send us an email at hello@silentwave.systems.
