“SubdoMailing” — Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions…

Guardio Labs uncovered a large-scale “SubdoMailing” campaign in which attackers re-register abandoned domains that legitimate subdomains still point to (through CNAME records or SPF include: entries), hijacking thousands of them (over 8,000 identified) to authenticate and send millions of spam and phishing emails a day. The operation, attributed to a group Guardio calls ResurrecAds, combines dangling-CNAME and SPF takeovers with rented hosts and IPs and SMTP servers that advertise the hijacked names, so the mail passes reputation and authentication filters. #ResurrecAds #MSN

Keypoints

  • Researchers identified a campaign named “SubdoMailing” that has hijacked over 8,000 subdomains from major brands and institutions to send millions of malicious emails daily.
  • Attackers use two primary DNS-based tactics: CNAME (dangling CNAME) takeover of forgotten subdomains and SPF-Takeover by reclaiming abandoned domains included in SPF records.
  • Complex SPF records were engineered to include thousands of IP addresses (one example yielded 17,826 IPs), allowing malicious SMTP servers to pass SPF checks.
  • Malicious emails pass SPF, DKIM and DMARC checks because the attacker controls the DNS of the resurrected domain, and therefore what the hijacked subdomain’s TXT records authorize; mail that authenticates under a major brand’s subdomain lands in recipients’ primary inboxes.
  • The threat actor (ResurrecAds) acquires domains/hosts (many via Namecheap), operates SMTP servers (often with ports 25/80/3128 open and Squid proxies), and rotates IPs to avoid detection.
  • Observed payloads include image-based phishing emails with click-redirect chains that fingerprint devices/geolocations, then route victims to ads, scams, phishing pages, or malware downloads.
  • Guardio published a SubdoMailing checker and recommends domain owners remove unused subdomains, review SPF/DNS records, and monitor for dangling CNAMEs and included-abandoned domains.

MITRE Techniques

  • [T1595] Active Scanning – Scanning and enumerating internet-facing DNS records to find long-forgotten subdomains and dangling CNAMEs (‘campaigner constantly scans and enumerates domains for long-forgotten subdomains with dangling CNAME records’).
  • [T1583] Acquire Infrastructure – Registering abandoned domains, securing hosts and IP addresses to build a sending infrastructure (‘Quickly register these domains again — and you have control!’).
  • [T1071.003] Application Layer Protocol: Mail Protocols – Using SMTP servers and mail protocols under hijacked hostnames to send mass malicious emails (‘SMTP Server that sent the email (62.244.33.18) … was located in Kyiv’ and ‘Hosting SMTP servers under the hijacked subdomain to send mass emails’).
  • [T1566.002] Phishing: Spearphishing Link – Distributing image-crafted emails that redirect users through multi-step click chains to phishing, scams, or malware (‘Interacting with any part of this email … triggers a series of click-redirects through different domains’).
  • [T1584.001] Compromise Infrastructure: Domains – Hijacking a brand’s subdomain by re-registering the abandoned third-party or legacy marketing domain that its CNAME or SPF include: still references, so the attacker’s hosts inherit the brand’s authorized-sender status (‘The SPF record … include:harrisburgjetcenter.com include:greaterversatile.com … resulting in 17,826 IPs’).

Indicators of Compromise

  • [IP] SMTP / sender IPs – 62.244.33.18 (example SMTP server in Kyiv used to send malicious mails), 51.81.215.32 (A record example from directtoaccess.com), and many others (actor-inserted lists totaling thousands of IPs).
  • [Domain / Subdomain] hijacked hostnames – marthastewart.msn.com (CNAME to msnmarthastewartsweeps.com), msnmarthastewartsweeps.com (re-registered abusive domain), directtoaccess.com (included in swatch.com SPF), and swatch.com (example affected main domain).
  • [SPF/DNS records] abused TXT/CNAME entries – SPF string ‘v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all’ (example engineered to include 17K+ IPs); CNAME records pointing to resurrected domains.
  • [Open services / ports] network fingerprint – servers with SMTP (25), HTTP (80) and Squid proxy port (3128) open used for mail sending and remote management (observed in Shodan scans of actor servers).
  • [Registrar] domain registration pattern – Namecheap registrations used to re-register many abandoned domains linked to takeovers (multiple re-registrations observed since 2022).

Guardio’s technical analysis shows attackers automate discovery of abandoned DNS entries (dangling CNAMEs and SPF includes), re-register those domains, and then modify DNS to authorize attacker-controlled SMTP hosts. By crafting SPF records that include old marketing/service domains (or by re-registering those domains), the adversary expands the list of authorized sender IPs—one chain produced 17,826 authorized IPs—allowing emails to pass SPF and, in many cases, DKIM/DMARC checks. Attackers then deploy SMTP servers under the hijacked hostnames, host click-redirects and landing pages (with ports 25/80 and proxy port 3128/Squid exposed), and rotate IPs and domains frequently to evade takedown and reputation-based filtering.

Practically, the attack flow is: active internet scanning for forgotten subdomains and included domains; re-registration/acquisition of these domains; DNS/CNAME or SPF modification to authorize attacker IPs; deployment of SMTP infrastructure and web redirectors under the hijacked names; and mass email delivery using image-based content and multi-step redirects to ads, scams, phishing pages, or malware. Key technical signatures include complex SPF includes referencing resurrected domains, large lists of authorized IPs, SMTP servers advertising both mail and HTTP services, and reusable landing/unsubscribe templates hosted on the same infrastructure.

Mitigations: audit and remove unused subdomains and DNS records; drop include: entries for vendors and marketing services no longer in use, since any include: target that lapses can be re-registered by anyone and immediately becomes an authorized sender for your domain; resolve the full include: chain on a schedule and alert on targets that return NXDOMAIN or change nameservers or registrar; keep the chain short (RFC 7208 caps an SPF evaluation at 10 DNS-querying mechanisms, so long chains both fail at receivers with a permerror and are where forgotten vendors hide); regularly scan for dangling CNAMEs; and monitor external registrations of previously linked domains (Guardio offers a SubdoMailing checker to assist domain owners).
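The audit the attack flow and mitigations above call for, as an added example that is not Guardio’s SubdoMailing checker or code from the article: it walks a domain’s SPF include:/redirect= chain, counts DNS-querying mechanisms against the RFC 7208 limit, merges the ip4:/ip6: blocks into a distinct authorized-address count (the 17,826-IP figure in the article is this number for one real chain), flags include: targets that no longer exist (the SPF-takeover condition), and separately flags CNAMEs whose target no longer exists (the dangling-CNAME condition). DNS is injected as a resolver callable so the logic runs offline; the fixture reuses names from the article (swatch.com including directtoaccess.com, the harrisburgjetcenter.com/greaterversatile.com include pair, marthastewart.msn.com pointing at msnmarthastewartsweeps.com), but every record body, the expired-vendor.example include, the example.com/example.net hostnames and the documentation-range addresses are constructed assumptions, and the optional live resolver assumes the third-party dnspython package is installed.

```python
"""Audit SPF include: chains and CNAME targets for takeover exposure.

Added example, not Guardio's checker. DNS access is injected as a
resolve(name, rtype) callable returning a list of record strings, or None
when the name does not exist (NXDOMAIN), so everything runs offline
against the constructed fixture at the bottom of this file.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str, str], Optional[List[str]]]

# RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms/modifiers
# (include, a, mx, ptr, exists, redirect) in one evaluation is a permerror.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}


def spf_record(resolve: Resolver, domain: str) -> Optional[str]:
    """Return the v=spf1 TXT record, '' if the name has none, None on NXDOMAIN."""
    txts = resolve(domain, "TXT")
    if txts is None:
        return None
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            return txt
    return ""


def audit_spf(resolve: Resolver, domain: str) -> Dict:
    """Expand include:/redirect= recursively and report what the chain authorizes.

    report["dangling"] holds (referrer, target) pairs where target is NXDOMAIN:
    whoever registers that target controls part of referrer's authorized senders.
    report["no_spf"] holds targets that exist but publish no SPF (RFC 7208 5.2:
    such an include: is a permerror, i.e. dead weight that should be removed).
    """
    report: Dict = {"networks": set(), "lookups": 0, "dangling": [], "no_spf": [], "issues": []}
    seen, stack = set(), []

    def walk(dom: str, via: str) -> None:
        if dom in stack:
            report["issues"].append(f"{via}: include loop back to {dom}")
            return
        if dom in seen:
            return                                   # already expanded via another path
        seen.add(dom)
        rec = spf_record(resolve, dom)
        if rec is None:
            report["dangling"].append((via, dom))
            return
        if rec == "":
            report["no_spf"].append((via, dom))
            return
        stack.append(dom)
        for term in rec.split()[1:]:
            mech = term.lstrip("+-~?").lower()       # drop the qualifier
            if mech.startswith(("ip4:", "ip6:")):
                try:
                    report["networks"].add(ipaddress.ip_network(mech[4:], strict=False))
                except ValueError:
                    report["issues"].append(f"{dom}: unparsable network {term}")
            elif mech.startswith("include:"):
                report["lookups"] += 1
                walk(mech[len("include:"):], dom)
            elif mech.startswith("redirect="):
                report["lookups"] += 1
                walk(mech[len("redirect="):], dom)
            elif mech.split(":", 1)[0].split("/", 1)[0] in LOOKUP_MECHANISMS:
                report["lookups"] += 1               # counted, not expanded here
        stack.pop()

    walk(domain, "<root>")
    if report["lookups"] > SPF_LOOKUP_LIMIT:
        report["issues"].append(f"{report['lookups']} lookups exceed the limit of {SPF_LOOKUP_LIMIT}")
    return report


def authorized_address_count(networks: Iterable) -> int:
    """Count distinct addresses the chain authorizes, merging overlapping blocks."""
    total = 0
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        if same:
            total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def dangling_cnames(resolve: Resolver, hostnames: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, target) pairs whose CNAME target no longer exists.

    Only the window before an attacker re-registers the target is visible here;
    once re-registered, the target resolves again, to the attacker's hosts.
    """
    found = []
    for host in hostnames:
        targets = resolve(host, "CNAME")
        if not targets:
            continue
        target = targets[0].rstrip(".").lower()
        if resolve(target, "A") is None and resolve(target, "AAAA") is None:
            found.append((host, target))
    return found


def dnspython_resolver(name: str, rtype: str) -> Optional[List[str]]:
    """Live resolver for real audits; assumes the third-party dnspython package."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rtype)
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers, dns.exception.Timeout):
        return []
    if rtype == "TXT":
        return [b"".join(rr.strings).decode("ascii", "replace") for rr in answer]
    return [rr.to_text() for rr in answer]


# Constructed fixture: names follow the article, record bodies are invented.
# Names absent from the dict are NXDOMAIN (expired-vendor.example and the
# not-yet-re-registered msnmarthastewartsweeps.com).
FIXTURE = {
    "swatch.com": {"TXT": ["v=spf1 include:directtoaccess.com -all"]},
    "directtoaccess.com": {"A": ["51.81.215.32"],
                           "TXT": ["v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all"]},
    "harrisburgjetcenter.com": {"TXT": ["v=spf1 ip4:62.244.33.18 ip4:198.51.100.0/24 include:expired-vendor.example -all"]},
    "greaterversatile.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ~all"]},
    "marthastewart.msn.com": {"CNAME": ["msnmarthastewartsweeps.com."]},
    "sweeps.example.com": {"CNAME": ["cdn.example.net."]},   # healthy CNAME
    "cdn.example.net": {"A": ["192.0.2.10"]},
}


def fixture_resolver(name: str, rtype: str) -> Optional[List[str]]:
    rrsets = FIXTURE.get(name.lower().rstrip("."))
    return None if rrsets is None else rrsets.get(rtype, [])


if __name__ == "__main__":
    spf = audit_spf(fixture_resolver, "swatch.com")
    print("lookups:", spf["lookups"], "addresses:", authorized_address_count(spf["networks"]))
    print("SPF-takeover candidates:", spf["dangling"])
    print("dangling CNAMEs:", dangling_cnames(fixture_resolver, ["marthastewart.msn.com", "sweeps.example.com"]))
```

Run it as-is to see the fixture results, or pass `dnspython_resolver` and your own domain and hostnames to audit live DNS. The address count collapses overlapping blocks (the /25 inside the /24 in the fixture is not double-counted), so it matches what a receiver would actually accept. The NXDOMAIN checks only see the window before ResurrecAds re-registers a name: after that, the include: target or CNAME target resolves normally, to them, and the remaining signals are a change of nameservers or registrar on a domain you still reference, which this script does not observe.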

Read more: https://medium.com/@guardiosecurity/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935?source=rss-6a038e71ff0f——2