SubdoMailing – Hackers Abuse 13,000 subdomains of Popular Brands In Phishing Campaign

In a seemingly impossible act, nearly 8000 domains were discovered to be compromised by threat actors for malicious scam campaigns sending millions of emails every day.

All of these domains belonged to the most reputable brands and institutions, such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, and many others.

This threat activity has been dubbed as “Subdomailing,” with all of these emails bypassing security measures even with security checks of major email providers and reaching users’ inboxes.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

The number of compromised domains associated with this activity is still increasing by 100s daily.

Array of Compromised domains (Source: Guardio Labs)

Hackers Abuse 13,000 Subdomains

According to the Guardio labs report, this activity was identified due to unusual patterns in email metadata, especially with SMTP servers.

Threat actors behind this activity used complex DNS manipulations, which resulted in the compromise of several domains belonging to reputable brands.

Sample Spam mails from compromised domains (Source: Guardio Labs)

Investigating one of the emails related to this phishing campaign revealed that threat actors cleverly used images instead of text on the body of the email, which bypassed the text-based spam filters.

Clicking on any region of the email redirected the users through several different domains that are found to be used for finding the device type and geographic location and displaying deceptive ads, phishing sites, or even delivering malware.

On analysing further, the headers of the emails provided interesting information that the sample email originated from an SMTP server in Kyiv and was flagged from [email protected].

Most of the large brands use mass mailing services that allow these service providers to send emails on their behalf.

The Interesting Part

Digging deep on the DNS record of it was discovered that there was another CNAME record) that used that was linked to this domain.

Additionally, the SPF record of showed the following information along with an includes: header, which allows expanding the IP list of approved senders.

This made it clear that all the SPF records of these compromised domains contain several IP addresses.

Recursively querying them revealed that there were more than 17826 IP addresses that threat actors are using under a compromised domain.

SPF record of hijacked subdomain (Source: Guardio Labs)

To add a brief insight, threat actors have been using abandoned domains with CNAME records used by big brands and were privately registered again by these threat actors.

As these domains were not monitored, threat actors successfully manipulated these domains into sending millions of spam and phishing emails to thousands of users worldwide under the impression of a reputable brand.

Martha Steward domain 2001 (Source: Guardio Labs)

To prevent these kinds of massive domain compromise, researchers at Guardio Labs have released a new website, “SubdoMailing,” for domain owners to regain control over their compromised domain.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.