Hiding in Plain Sight: How Subdomain Attacks Use Your Email Authentication Against You

For years, analysts, security specialists, and security architects alike have been encouraging organizations to become DMARC compliant. This involves deploying email authentication to ensure their legitimate email has the best chance of getting to the intended recipients, and for domain owners to be quickly notified of any unauthorized usage of their domains. While together we are making progress thanks to DMARC adoption and reporting services such as Cisco’s OnDMARC offering, there’s an opportunity to do better particularly with on-going monitoring to address new and emerging threats, such as this Subdo campaign.

What’s happened?

Recently a totally new attack type has been seen that takes advantage of the complacency that an organization may have when they approached their DMARC rollout with a ‘ticked the box’ mindset.

The SubdoMailing (Subdo) campaign has been ongoing for about two years now. It sends malicious mail – that is typically authenticated – from domains and subdomains that have been compromised through domain takeover and dangling DNS issues.

These attacks were initially reported by Guardio Labs who reported the discovery of 8,000 domains and 13,000 subdomains being used for these types of attacks since 2022.

Several weeks before that, Cisco’s new DMARC partner, Red Sift, discovered what they initially thought was an isolated incident of bad senders passing SPF checks and sending emails fraudulently on behalf of one of their customers. In the customer’s instance of Red Sift OnDMARC, they noticed email was coming from a sender with a poor reputation and a subdomain that appeared unrelated to their customer’s main domain. But these emails had fully passed SPF checks with the customer’s current SPF record. Upon alerting the customer who then investigated all the ‘includes’ in their SPF record, several outdated CNAME addresses were found that had been taken over by attackers, which is what caused the issue.

What should I look out for?

The bad actors in this campaign are capitalizing on stale, forgotten or misconfigured records that were wrongfully included in DNS to send unauthorized emails. The attackers then send phishing emails as images to avoid text-based spam detection.

It is this oversight that has seen many notable organizations be impacted by these new subdomain attacks in the last few months, solely because they have not been actively monitoring in the right areas.

Proactive steps to start today:

  1. Don’t let your domain names expire – these are what provide fraudsters the opportunity to carry out the attack.
  2. Keep your DNS clean – Remove resource records from your DNS that are no longer in use and remove third-party dependencies from your DNS when they become redundant.
  3. Use a trusted email protection provider – It makes sense to use a vendor for DMARC, DKIM and SPF requirements but be sure to use a trusted vendor with the capability to proactively identify problems, such as when part of a SPF policy is void or insecure.
  4. Check for dangling DNS records – Have an inventory of hostnames that are monitored continuously for dangling resource records and third-party services. When identified, remove them immediately from your DNS.
  5. Monitor what sources are sending from owned domains – If the domain or subdomain is taken over for sending, then it is important to know if mail is being sent from it as quickly as possible.

What else should I do?

If you are wondering if you have been impacted by SubdoMailing, the best place to start is Red Sift Investigate, this will provide you with a review of your domain such as can be seen below:

Should this valuable tool reveal any ‘SubdoMailers’ – also known as poisoned includes – the Red Sift SPF Checker allows you to visualize them in a dynamic ‘SPF tree’, allowing you to quickly pinpoint where they are and speed up remediation efforts, an example of a dynamic SPF tree can be seen below: –

The OnDMARC Adoption and Reporting Solution that Cisco partners with Red Sift on has already been updated to uncover exactly these issues directly within the tool to ensure our customers are protected.

If you’re a Cisco Secure Email customer, find out how you can quickly add Red Sift domain protection to your security suite and better detect that image-based spam. To check out the sophisticated threat protection capabilities of Secure Email Threat Defense, start a free trial today.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels



Latest articles


Related articles

Leave a reply

Please enter your comment!
Please enter your name here