{"id":5662,"date":"2026-05-25T11:37:23","date_gmt":"2026-05-25T11:37:23","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5662"},"modified":"2026-05-25T11:37:24","modified_gmt":"2026-05-25T11:37:24","slug":"subdomain-takeovers-prevention","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/","title":{"rendered":"Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops It"},"content":{"rendered":"\n<p>In the advertising ecosystem, a domain&#8217;s reputation is currency. Years of legitimate traffic, institutional backlinks, and clean delivery history translate directly into deliverability, lower verification friction, and access to placements that newer domains simply cannot reach. That currency is exactly what subdomain takeover lets an attacker spend without ever earning it.<\/p>\n\n\n\n<p>The mechanism is procedural rather than exotic: a CNAME record on a respectable domain still points to a cloud bucket, SaaS tenant, or PaaS app that was decommissioned months ago. An attacker re-registers the abandoned resource, and traffic to that subdomain now resolves to their page \u2013 sitting under a domain whose trust signals were built by someone else. No breach, no phished admin, no exploit in anyone&#8217;s code. Just a deprovisioning step that never happened.<\/p>\n\n\n\n<p>We have been tracking this pattern from inside the verification stack for three years. In November 2022, our team flagged an iGaming landing page running under a <a href=\"https:\/\/adex.com\/blog\/adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\/\" type=\"post\" id=\"5136\" target=\"_blank\" rel=\"noreferrer noopener\">subdomain of FC Barcelona&#8217;s official site <\/a>during routine campaign monitoring on PropellerAds. 
Weeks later, the <a href=\"https:\/\/adex.com\/blog\/another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\/\" type=\"post\" id=\"5147\" target=\"_blank\" rel=\"noreferrer noopener\">same pattern surfaced on <code>expresstestdrives-qa.carmax.com<\/code><\/a>, where the subdomain was managed through Azure while the root sat on Akamai. <\/p>\n\n\n\n<p>In 2025, the abuse moved up the trust ladder: Indonesian <code>.ac.id<\/code> and <code>.go.id<\/code> zones \u2013 universities and municipal authorities \u2013 serving Mahjong Ways and Candy Bonanza variants into a market where online gambling is criminalised under Articles 303 and 303 bis of the Penal Code, with a handful of US universities and an Italian grocery domain rounding out the cluster.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Each of those incidents pointed back at the same structural failure, and at the same gap in how the advertising stack handles it: reputation systems score the parent domain, content scanners score the page, and a hijacked subdomain breaks the pairing in a way most pre-bid stacks do not reconcile by default. The domain looks safe. The page is malicious. 
The campaign clears verification on the strength of a trust signal the legitimate owner accumulated and the attacker simply borrowed.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>This article walks through what subdomain takeover actually is, why it is structurally attractive to ad fraudsters specifically, what the three cases above show on different surfaces, and \u2013 the part most write-ups skip \u2013 what detection looks like in production when the textbook fingerprint signal is no longer visible because the attacker has already filled the empty resource.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"tldr\">TL;DR<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it is<\/strong> <br>A subdomain takeover (also called subdomain hijacking, dangling DNS attack, or CNAME takeover attack) happens when a DNS record on a domain you own still points to a third-party resource you no longer control. An attacker re-registers that resource and silently inherits your domain&#8217;s reputation.<\/li>\n\n\n\n<li><strong>Why it matters in advertising<\/strong> <br>Reputation systems trust the parent domain while content scanners look at the page, and a hijacked subdomain breaks that pairing: the domain looks safe, the page is malicious, and most pre-bid stacks do not reconcile the two by default.<\/li>\n\n\n\n<li><strong>What actually stops it<\/strong> <br>On the owner side: a live DNS inventory, a deprovisioning checklist that includes DNS, and continuous orphan-fingerprint monitoring of your own zone. On the ad-platform side: stacked signals (NS\/IP consistency, content-vertical alignment, geo-vertical anomaly review) plus human review on edge cases. 
No single layer closes the gap.<\/li>\n<\/ul>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#tldr\">TL;DR<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-a-subdomain-takeover-actually-is\">What a Subdomain Takeover Actually Is<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-this-attack-is-structurally-attractive-to-ad-fraudsters\">Why This Attack Is Structurally Attractive to Ad Fraudsters<\/a><\/li><li class=\"toc__list_item\"><a href=\"#three-cases-that-show-the-same-mechanism-on-different-surfaces\">Three Cases That Show the Same Mechanism on Different Surfaces<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-detection-actually-looks-like-in-production\">What Detection Actually Looks Like in Production<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-to-tell-a-takeover-apart-from-adjacent-threats\">How to Tell a Takeover Apart from Adjacent Threats<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-domain-owners-actually-need-to-do\">What Domain Owners Actually Need to Do<\/a><\/li><li class=\"toc__list_item\"><a href=\"#a-self-check-runbook\">A Self-Check Runbook<\/a><\/li><li class=\"toc__list_item\"><a href=\"#provider-specific-notes\">Provider-Specific Notes<\/a><\/li><li class=\"toc__list_item\"><a href=\"#whos-exposed-and-whats-at-stake\">Who&#039;s Exposed, and What&#039;s at Stake<\/a><\/li><li class=\"toc__list_item\"><a href=\"#where-this-leaves-the-defender\">Where This Leaves the Defender<\/a><\/li><li class=\"toc__list_item\"><a href=\"#frequently-asked-questions\">Frequently Asked Questions<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    
font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-a-subdomain-takeover-actually-is\">What a Subdomain Takeover Actually Is<\/h2>\n\n\n\n<p>A subdomain takeover is a DNS hygiene failure rather than a software vulnerability. A record on a domain you own, usually a CNAME, sometimes an A or NS record, still resolves to a third-party service that you no longer control.&nbsp;<\/p>\n\n\n\n<p>The classic shape is <strong><em>promo.brand.com<\/em><\/strong> pointing to a cloud bucket, a SaaS tenant, or a PaaS app that has since been deleted, decommissioned, or returned to the provider, leaving the DNS entry resolving to a backend that no longer exists.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\">When an attacker spots the dangling reference, they re-register the abandoned resource on whichever provider the record points at, claiming the now-free S3 bucket name if the CNAME pointed to S3, registering the released app slug if it pointed to Heroku, creating a GitHub Pages site under the deleted username, or spinning up a tenant on the SaaS service the previous owner walked away from.&nbsp;<\/p>\n\n\n\n<p>Only one of those actions is needed in any given case, and from that moment forward, traffic to your subdomain resolves to the attacker&#8217;s content without any network breach, phished admin, or exploit in your code \u2013 they have simply moved into the empty room your DNS was still pointing at.<\/p>\n\n\n\n<p>This is why OWASP files the issue under <a href=\"https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">A05:2021 Security Misconfiguration<\/a> rather than as a discrete vulnerability class. 
There is no software bug to patch, because the exposure is procedural: a deprovisioning step that did not happen.<\/p>\n\n\n\n<p>The major cloud providers publish their own guidance on this failure mode, which is worth reading even if you do not run on their stack.&nbsp;<\/p>\n\n\n\n<p>Microsoft&#8217;s documentation on <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/security\/fundamentals\/subdomain-takeover\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">preventing dangling DNS entries and avoiding subdomain takeover<\/a> is one of the more concrete operational references; AWS and Google Cloud have analogous notes. EdOverflow&#8217;s community list <a href=\"https:\/\/github.com\/EdOverflow\/can-i-take-over-xyz\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Can I take over XYZ?<\/a> tracks which providers are currently vulnerable to which fingerprint patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"subdomain-takeover-vs-related-terms\">Subdomain takeover vs. related terms<\/h3>\n\n\n\n<p>The term overlaps with several others, and treating them as synonyms causes real confusion in incident reports.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dangling DNS attack.<\/strong> The same phenomenon, named from the DNS record&#8217;s perspective rather than the attacker&#8217;s.<\/li>\n\n\n\n<li><strong>CNAME takeover attack.<\/strong> A subset in which the dangling record is specifically a CNAME pointing to a deprovisioned third-party host.<\/li>\n\n\n\n<li><strong>Subdomain hijacking.<\/strong> Often used interchangeably with takeover, but in some incident reports, it refers to a credential or registrar compromise of a subdomain rather than a dangling-record reclamation. 
Read carefully.<\/li>\n\n\n\n<li><strong>CMS \/ credential compromise.<\/strong> Different mechanism (legitimate hosting, attacker-controlled login), identical-looking outcome (attacker content under your domain).<\/li>\n<\/ul>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>This article concerns the dangling-record class \u2013 the procedural failure that re-emerges every time a marketing campaign ends without a DNS cleanup.<\/p>\n<\/p><\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-this-attack-is-structurally-attractive-to-ad-fraudsters\">Why This Attack Is Structurally Attractive to Ad Fraudsters<\/h2>\n\n\n\n<p>The interesting question is not whether subdomain takeover can be done \u2013 <a href=\"https:\/\/labs.detectify.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Detectify Labs<\/a> and others demonstrated the mechanism years ago &#8211; but why it keeps paying off specifically in advertising.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reputational-arbitrage\">Reputational arbitrage<\/h3>\n\n\n\n<p>A newly registered domain has no history, so reputation systems treat it cautiously, ad platforms throttle delivery, and verification vendors flag it for review.&nbsp;<\/p>\n\n\n\n<p>A subdomain on <strong><em>*.ac.id, *.go.id<\/em><\/strong>, or a <strong><em>.gov<\/em><\/strong> second-level domain inherits years of accumulated trust signals: backlinks, age, institutional context, and sometimes even allowlist entries in enterprise filtering tools.<\/p>\n\n\n\n<p>For an actor pushing iGaming or other 
regulated-vertical funnels into geographies where direct advertising is restricted, the lift in deliverability is what carries the campaign economics rather than a marginal optimization on top of them.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"detection-asymmetry\">Detection asymmetry<\/h3>\n\n\n\n<p>Reputation-based filters score the domain while content scanners score the page, and subdomain takeover decouples the two: the domain is genuinely high-trust, the page is genuinely malicious, and most pre-bid stacks do not reconcile that contradiction at scale.&nbsp;<\/p>\n\n\n\n<p>The defenses that do catch it \u2013 DNS-level resolution checks, NS-record consistency checks across the domain tree, behavioral traffic-pattern analysis \u2013 are not standard issue across the verification market.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\">What buying teams often miss is that the attacker never has to compromise the legitimate site at all. 
The legitimate site keeps functioning, the owner sees no abnormal logs, and any traffic anomaly lands on infrastructure the owner does not even monitor.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-attack-chain-end-to-end\">The attack chain, end-to-end<\/h3>\n\n\n\n<div class=\"adex-subdomain-chain-v2\">\n  <style>\n    .adex-subdomain-chain-v2 {\n      width: 100%;\n      max-width: 1180px;\n      margin: 32px auto;\n      padding: 44px 34px 40px;\n      background: #ffffff;\n      border: 1px solid #e2e5f0;\n      border-radius: 18px;\n      font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n      color: #160b52;\n      box-sizing: border-box;\n      overflow: hidden;\n    }\n\n    .adex-subdomain-chain-v2 *,\n    .adex-subdomain-chain-v2 *::before,\n    .adex-subdomain-chain-v2 *::after {\n      box-sizing: border-box;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-timeline {\n      position: relative;\n      display: grid;\n      grid-template-columns: repeat(5, minmax(0, 1fr));\n      gap: 16px;\n      margin-bottom: 36px;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-trunk {\n      position: absolute;\n      top: 36px;\n      left: 10%;\n      right: 10%;\n      height: 3px;\n      background: #e4e7f2;\n      border-radius: 99px;\n      z-index: 0;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-trunk-danger {\n      position: absolute;\n      top: 36px;\n      left: 30%;\n      width: 20%;\n      height: 3px;\n      background: #ff5050;\n      border-radius: 99px;\n      z-index: 1;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-stage {\n      position: relative;\n      z-index: 2;\n      min-width: 0;\n      text-align: center;\n      display: flex;\n      flex-direction: column;\n      align-items: center;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-node {\n      width: 52px;\n      height: 52px;\n      margin: 0 auto 28px;\n      border-radius: 
50%;\n      background: #ffffff;\n      border: 3px solid #16006f;\n      color: #16006f;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 17px;\n      line-height: 1;\n      font-weight: 900;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-stage-attacker .adex-st-node,\n    .adex-subdomain-chain-v2 .adex-st-stage-money .adex-st-node {\n      background: #ff5050;\n      border-color: #ff5050;\n      color: #ffffff;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-label {\n      margin: 0 0 12px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 12px;\n      line-height: 1.25;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #74779a;\n      word-break: normal;\n      overflow-wrap: normal;\n      hyphens: none;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-stage-attacker .adex-st-label,\n    .adex-subdomain-chain-v2 .adex-st-stage-money .adex-st-label {\n      color: #ff5050;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-title {\n      margin: 0 0 14px;\n      font-size: clamp(14px, 1.15vw, 20px);\n      line-height: 1.16;\n      font-weight: 900;\n      color: #16006f;\n      max-width: 100%;\n      word-break: normal;\n      overflow-wrap: normal;\n      hyphens: none;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-text {\n      margin: 0 0 24px;\n      font-size: clamp(12px, 1.02vw, 16px);\n      line-height: 1.38;\n      color: #414361;\n      max-width: 100%;\n      word-break: normal;\n      overflow-wrap: normal;\n      hyphens: none;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-code {\n      display: inline;\n      padding: 1px 5px;\n      border-radius: 5px;\n      background: #f1f2f8;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      color: #16006f;\n      white-space: normal;\n   
   overflow-wrap: anywhere;\n      word-break: break-word;\n      -webkit-box-decoration-break: clone;\n      box-decoration-break: clone;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-control {\n      width: 100%;\n      margin-top: auto;\n      padding: 15px 10px;\n      border: 1px dashed #bdc6e3;\n      border-radius: 10px;\n      background: #fbfcff;\n      min-height: 92px;\n      display: flex;\n      flex-direction: column;\n      justify-content: center;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-control-label {\n      margin: 0 0 8px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: clamp(8px, 0.78vw, 12px);\n      line-height: 1.25;\n      letter-spacing: 0.13em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #00a99d;\n      word-break: normal;\n      overflow-wrap: normal;\n      hyphens: none;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-control-text {\n      margin: 0;\n      font-size: clamp(11px, 0.98vw, 16px);\n      line-height: 1.22;\n      font-weight: 850;\n      color: #16006f;\n      word-break: normal;\n      overflow-wrap: normal;\n      hyphens: none;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-exposure {\n      display: grid;\n      grid-template-columns: 190px 1fr;\n      gap: 24px;\n      align-items: center;\n      margin-top: 18px;\n      padding: 28px 30px;\n      border: 1px solid #ffb7b2;\n      border-left: 4px solid #ff5050;\n      border-radius: 12px;\n      background: #fff4f3;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-exposure-label {\n      margin: 0;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 15px;\n      line-height: 1.25;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #ff5050;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-exposure-text {\n      margin: 0;\n      font-size: 17px;\n      line-height: 1.45;\n      
color: #414361;\n    }\n\n    .adex-subdomain-chain-v2 .adex-st-exposure-text strong {\n      color: #16006f;\n      font-weight: 900;\n    }\n\n    @media (max-width: 860px) {\n      .adex-subdomain-chain-v2 {\n        padding: 36px 22px 34px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-timeline {\n        gap: 10px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-node {\n        width: 46px;\n        height: 46px;\n        font-size: 15px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-label {\n        font-size: 9px;\n        letter-spacing: 0.1em;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-title {\n        font-size: 13px;\n        line-height: 1.18;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-text {\n        font-size: 11.3px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-control {\n        min-height: 86px;\n        padding: 12px 7px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-control-label {\n        font-size: 8px;\n        letter-spacing: 0.09em;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-control-text {\n        font-size: 11.5px;\n        line-height: 1.18;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-exposure {\n        grid-template-columns: 1fr;\n        gap: 12px;\n      }\n    }\n\n    @media (max-width: 640px) {\n      .adex-subdomain-chain-v2 .adex-st-timeline {\n        grid-template-columns: 1fr;\n        gap: 26px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-trunk,\n      .adex-subdomain-chain-v2 .adex-st-trunk-danger {\n        display: none;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-node {\n        margin-bottom: 14px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-label {\n        font-size: 12px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-title {\n        font-size: 20px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-text {\n        font-size: 16px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-control {\n        max-width: 360px;\n   
   }\n\n      .adex-subdomain-chain-v2 .adex-st-control-label {\n        font-size: 11px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-control-text {\n        font-size: 16px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-exposure {\n        padding: 24px 20px;\n      }\n\n      .adex-subdomain-chain-v2 .adex-st-exposure-text {\n        font-size: 16px;\n      }\n    }\n  <\/style>\n\n  <div class=\"adex-st-timeline\">\n    <div class=\"adex-st-trunk\"><\/div>\n    <div class=\"adex-st-trunk-danger\"><\/div>\n\n    <div class=\"adex-st-stage\">\n      <div class=\"adex-st-node\">01<\/div>\n      <p class=\"adex-st-label\">Legitimate<\/p>\n      <h3 class=\"adex-st-title\" id=\"setup\">Setup<\/h3>\n      <p class=\"adex-st-text\">\n        <span class=\"adex-st-code\">promo.brand.com<\/span> is created with a CNAME to\n        <span class=\"adex-st-code\">brand-promo.cloudprovider.net<\/span>.\n      <\/p>\n      <div class=\"adex-st-control\">\n        <p class=\"adex-st-control-label\">Owner Control<\/p>\n        <p class=\"adex-st-control-text\">Asset<br>inventory<\/p>\n      <\/div>\n    <\/div>\n\n    <div class=\"adex-st-stage\">\n      <div class=\"adex-st-node\">02<\/div>\n      <p class=\"adex-st-label\">Drift<\/p>\n      <h3 class=\"adex-st-title\" id=\"decommission-gap\">Decommission gap<\/h3>\n      <p class=\"adex-st-text\">\n        The cloud resource is deleted. 
The DNS record is left in place.\n      <\/p>\n      <div class=\"adex-st-control\">\n        <p class=\"adex-st-control-label\">Owner Control<\/p>\n        <p class=\"adex-st-control-text\">DNS audit \/<br>deprovisioning<br>checklist<\/p>\n      <\/div>\n    <\/div>\n\n    <div class=\"adex-st-stage adex-st-stage-attacker\">\n      <div class=\"adex-st-node\">03<\/div>\n      <p class=\"adex-st-label\">Attacker<\/p>\n      <h3 class=\"adex-st-title\" id=\"reclamation\">Reclamation<\/h3>\n      <p class=\"adex-st-text\">\n        The same resource name is re-registered on the same provider \u2014 by someone else.\n      <\/p>\n      <div class=\"adex-st-control\">\n        <p class=\"adex-st-control-label\">Owner Control<\/p>\n        <p class=\"adex-st-control-text\">Orphan-<br>fingerprint<br>scan<\/p>\n      <\/div>\n    <\/div>\n\n    <div class=\"adex-st-stage adex-st-stage-attacker\">\n      <div class=\"adex-st-node\">04<\/div>\n      <p class=\"adex-st-label\">Attacker<\/p>\n      <h3 class=\"adex-st-title\" id=\"content-swap\">Content swap<\/h3>\n      <p class=\"adex-st-text\">\n        The trusted subdomain now resolves to attacker-hosted iGaming content.\n      <\/p>\n      <div class=\"adex-st-control\">\n        <p class=\"adex-st-control-label\">Platform Control<\/p>\n        <p class=\"adex-st-control-text\">Content<br>classification<\/p>\n      <\/div>\n    <\/div>\n\n    <div class=\"adex-st-stage adex-st-stage-money\">\n      <div class=\"adex-st-node\">05<\/div>\n      <p class=\"adex-st-label\">Monetisation<\/p>\n      <h3 class=\"adex-st-title\" id=\"ad-delivery\">Ad delivery<\/h3>\n      <p class=\"adex-st-text\">\n        Campaign URL passes reputation checks; the user lands on the attacker page.\n      <\/p>\n      <div class=\"adex-st-control\">\n        <p class=\"adex-st-control-label\">Platform Control<\/p>\n        <p class=\"adex-st-control-text\">Pre-bid URL<br>verification<\/p>\n      <\/div>\n    <\/div>\n  <\/div>\n\n  <div 
class=\"adex-st-exposure\">\n    <p class=\"adex-st-exposure-label\">Exposure Window<\/p>\n    <p class=\"adex-st-exposure-text\">\n      <strong>Stages 02 \u2192 03<\/strong> \u2014 DNS still points at a resource the brand no longer controls. Time to reclamation ranges from minutes to months, and during this period nothing on the brand&#8217;s own infrastructure looks abnormal.\n    <\/p>\n  <\/div>\n<\/div>\n\n\n\n<p>Each dotted annotation marks the defender artifact that should have caught the chain at that stage. The structural problem is that the artifacts live in different organizations: stages 1\u20133 are visible only to the domain owner; stages 4\u20135 are visible only to the ad platform and its verification vendors. Neither side has end-to-end visibility, which is why the attack pattern persists.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"three-cases-that-show-the-same-mechanism-on-different-surfaces\">Three Cases That Show the Same Mechanism on Different Surfaces<\/h2>\n\n\n\n<p>The Adex anti-fraud team has documented the pattern across very different domain categories. 
Each case illustrates a different angle of the same exposure.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"november-2022-fc-barcelona\">November 2022: FC Barcelona<\/h3>\n\n\n\n<p>During routine campaign verification on the PropellerAds network, an analyst flagged a link pointing to FC Barcelona&#8217;s official domain.&nbsp;<\/p>\n\n\n\n<p>The root domain resolved to AWS; the subdomain in question resolved through Google Cloud DNS, with mismatched IP infrastructure, hosting an iGaming page that had been live since late October.&nbsp;<\/p>\n\n\n\n<p>The full breakdown, including the NS-record mismatch that triggered the manual review, is in our original write-up of the FC Barcelona subdomain incident:<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/11\/Adex-Barcelona-potential-fraud.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/11\/Adex-Barcelona-potential-fraud.png\" sizes=\"100vw\" alt=\"Adex - Barcelona - potential fraud\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\"><a href=\"https:\/\/adex.com\/blog\/adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\/\">ADEX Discovers: Potential DNS Vulnerability and 3rd Party Fraud on FC Barcelona\u2019s Official Website<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 
0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"late-2022-carmax\">Late 2022: Carmax<\/h3>\n\n\n\n<p>A few weeks later, a near-identical pattern appeared on <strong><em>carmax.com<\/em><\/strong>, a high-traffic U.S. retailer. 
The root was on Akamai DNS; the suspicious subdomain \u2013 <strong><em>expresstestdrives-qa.carmax.com<\/em><\/strong> \u2013 was managed via Microsoft Azure and hosted iGaming content.&nbsp;<\/p>\n\n\n\n<p>The naming convention is worth pausing on: <strong><em>expresstestdrives-qa<\/em><\/strong> is plausible enough to pass for a QA environment that a marketing or product team might genuinely have stood up, and that plausibility is what makes these takeovers hard to spot from inventory lists alone, a point we expanded on in the Carmax case analysis:<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/12\/Adex-carmax-subdomain-takeover.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/12\/Adex-carmax-subdomain-takeover.png\" sizes=\"100vw\" alt=\"Adex - carmax subdomain takeover\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\"><a href=\"https:\/\/adex.com\/blog\/another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\/\">Another Case of Subdomain Takeover Detected: Potential Fraud on Carmax Website<\/a><\/h3>\n    <\/div>\n<\/div>
\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2025-2026-indonesian-institutional-cluster\">2025\u20132026: Indonesian institutional cluster<\/h3>\n\n\n\n<p>The most recent cluster, surfaced in early 2025 and reviewed through 2026, moved up the trust ladder.&nbsp;<\/p>\n\n\n\n<p>Affected landing pages sat under Indonesian <strong><em>.ac.id<\/em><\/strong> and <strong><em>.go.id<\/em><\/strong> zones (universities and municipal authorities) and pushed iGaming creatives (Mahjong Ways, Candy Bonanza variants) into narrowly geo-targeted campaigns aimed at Indonesian users. In that market all forms of gambling are criminalised under Articles 303 and 303 bis of the Penal Code, reinforced by Law No. 7 of 1974 and the 2024 update to the ITE Law, and direct advertising of those creatives would be flagged on sight.<\/p>\n\n\n\n<p>That prohibition is exactly the condition under which attackers most need institutional-domain cover. A handful of cases also involved U.S. universities and an Italian B2B grocery domain. Some were classic dangling-CNAME takeovers; others were traceable to outdated CMS installations or compromised admin credentials. 
The full inventory and the editorial position are in our coverage of the abuse of trusted domains in iGaming:<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/abuse-of-trusted-domains-in-igaming\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/Adex-Subdomain-Takeover-Case-Study.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/Adex-Subdomain-Takeover-Case-Study.png\" sizes=\"100vw\" alt=\"Adex-Subdomain-Takeover-Case-Study\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/guides\/\" class=\"block__preview_box-cat\">Guides<\/a>        <h3 class=\"block__preview_box-title\" id=\"adex-detects-abuse-of-trusted-domains-in-igaming-advertising-campaigns\"><a href=\"https:\/\/adex.com\/blog\/abuse-of-trusted-domains-in-igaming\/\">Adex Detects Abuse of Trusted Domains in iGaming Advertising Campaigns<\/a><\/h3>\n    <\/div>\n<\/div>\n\n\n\n<p>Three different surfaces produced the same underlying failure: a DNS record that outlived the resource it pointed to, or an admin surface that outlived its hardening.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-detection-actually-looks-like-in-production\">What Detection Actually Looks Like in Production<\/h2>\n\n\n\n<p>In theory, subdomain takeover is trivially detectable, but in production, it is not, and the gap between the two is where most of the operational difficulty sits.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-textbook-signal\">The textbook signal<\/h3>\n\n\n\n<p>The textbook signal is a fingerprint response from the orphaned cloud service: AWS S3 returns <code><strong>NoSuchBucket<\/strong><\/code> on a direct request, Azure returns a specific 404 template, GitHub Pages returns the &#8220;There isn&#8217;t a GitHub Pages site here&#8221; string, and Heroku returns &#8220;No such app&#8221;. 
<\/p>\n\n\n\n<p>Some of these fingerprints have shifted recently \u2013 AWS changed CloudFront-to-deleted-bucket behavior at the end of 2023, so distributions now return a generic <code>NotFound<\/code> without the bucket name, which breaks scanners that match on the old string \u2013 but the underlying pattern of a fingerprintable orphan response still holds across the major providers.<\/p>\n\n\n\n<p>Open-source tools (<a href=\"https:\/\/github.com\/haccer\/subjack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">subjack<\/a>, <a href=\"https:\/\/github.com\/projectdiscovery\/nuclei\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">nuclei<\/a> with the <strong><em>takeovers<\/em><\/strong> template set) and commercial attack-surface platforms automate this lookup at scale, and if you only had to defend your own perimeter, this would mostly work.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-does-it-fail-in-advertising\">Why does it fail in advertising<\/h3>\n\n\n\n<p>In ad ops, you are not defending your perimeter; you are defending against the use of someone else&#8217;s dangling subdomain as a click destination.&nbsp;<\/p>\n\n\n\n<p>The signal you have access to is the URL submitted with a campaign, and after reclamation that URL, by design, resolves to a real page with a real certificate on a real trusted domain. 
The takeover fingerprint is no longer visible from outside because the attacker has already filled the empty resource.<\/p>\n\n\n\n<p>What works in that environment is a different signal stack:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Detection layer<\/strong><\/td><td><strong>What it looks for<\/strong><\/td><td><strong>Where it works<\/strong><\/td><td><strong>Where it fails<\/strong><\/td><\/tr><tr><td>Reputation scoring<\/td><td>Domain-level trust score<\/td><td>New, low-reputation domains<\/td><td>High-trust domain hosting malicious subdomain \u2014 passes<\/td><\/tr><tr><td>NS \/ IP consistency<\/td><td>Mismatch between root and subdomain authoritative servers<\/td><td>Root and subdomain on different infrastructure with no business reason<\/td><td>Large enterprises legitimately split DNS by function \u2014 false positives<\/td><\/tr><tr><td>Content classification<\/td><td>Page content vs. expected vertical of the domain<\/td><td>iGaming page on a .edu or vehicle retailer<\/td><td>Cloaked pages serving different content to crawlers vs. 
real users<\/td><\/tr><tr><td>Behavioural traffic analysis<\/td><td>Click patterns, geo concentration, conversion shape<\/td><td>Narrow geo \/ vertical anomalies on otherwise stable domains<\/td><td>Requires post-bid data; partial visibility before spend<\/td><\/tr><tr><td>Asset inventory hygiene<\/td><td>Owner-side audit of every DNS record and its resolution target<\/td><td>The original takeover before exploitation<\/td><td>Out of reach for advertisers and ad platforms \u2014 only the domain owner can run it<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>No single row in that table closes the problem.&nbsp;<\/p>\n\n\n\n<p>The Indonesian cluster, for example, first surfaced not through content classification but through a geo-vertical anomaly: online gambling is illegal in Indonesia, so concentrating iGaming-creative delivery into narrowly geo-targeted campaigns running almost exclusively on <strong><em>.ac.id<\/em><\/strong> and <strong><em>.go.id<\/em><\/strong> domains was the kind of country-vertical pairing nothing in those domains&#8217; profile could plausibly justify.&nbsp;<\/p>\n\n\n\n<p>Content classification confirmed the finding and NS inconsistency explained the mechanism, but none of the three signals alone would have justified an automated block.<\/p>\n\n\n\n<p>This is where the practical center of gravity lies for ad-platform security: stack layers with different blind spots, and accept that human review remains part of the loop for edge cases.&nbsp;<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>Across the campaign environments we monitor, the false-positive rate on any single layer, including ours, is high enough that a fully automated block on one signal is operationally unsafe. 
Tighten thresholds, and you reject legitimate inventory; loosen them, and trust-abused subdomains slip through.<\/p>\n<\/p><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-tell-a-takeover-apart-from-adjacent-threats\">How to Tell a Takeover Apart from Adjacent Threats<\/h2>\n\n\n\n<p>Subdomain takeover gets conflated with three nearby threats because the externally visible outcome is similar: attacker content reaching users from a domain that should be trustworthy.<\/p>\n\n\n\n<p>Misclassifying the threat means the wrong people are paged, and the wrong fix gets applied.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><\/td><td><strong>Subdomain takeover<\/strong><\/td><td><strong>CMS \/ credential compromise<\/strong><\/td><td><strong>Typosquatting \/ lookalike domain<\/strong><\/td><td><strong>Open redirect abuse<\/strong><\/td><\/tr><tr><td><strong>Domain ownership<\/strong><\/td><td>Legitimate<\/td><td>Legitimate<\/td><td>Attacker-owned<\/td><td>Legitimate<\/td><\/tr><tr><td><strong>Attack surface<\/strong><\/td><td>Orphan DNS record<\/td><td>CMS or admin login<\/td><td>DNS registration<\/td><td>Web app logic (redirect parameter)<\/td><\/tr><tr><td><strong>Visible to root-domain owner<\/strong><\/td><td>Rarely \u2014 separate infrastructure<\/td><td>Sometimes \u2014 admin and access logs<\/td><td>No \u2014 different domain entirely<\/td><td>Yes \u2014 appears in app logs<\/td><\/tr><tr><td><strong>First-line defense<\/strong><\/td><td>DNS hygiene + orphan monitoring<\/td><td>Patching + MFA + admin hardening<\/td><td>Brand monitoring, registrar 
takedown<\/td><td>App-layer redirect allowlist<\/td><\/tr><tr><td><strong>Typical detection signal<\/strong><\/td><td>NS\/IP mismatch + content anomaly<\/td><td>Login anomalies, file-system changes<\/td><td>Brand-similarity registration alert<\/td><td>Suspicious referrer chain<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>The row many readers get wrong is &#8220;Visible to root-domain owner.&#8221; Most security teams assume that if their site is being abused, they will see it in their own logs, but for dangling-record takeover, specifically, the hijacked subdomain is no longer hitting their infrastructure at all.<\/p>\n<\/p><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-domain-owners-actually-need-to-do\">What Domain Owners Actually Need to Do<\/h2>\n\n\n\n<p>For the brand whose subdomain is being weaponized, the defensive picture is concrete. Most published advice on this collapses into four operational requirements that are easy to list and surprisingly hard to actually maintain.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-maintain-a-live-dns-inventory\">1. Maintain a live DNS inventory<\/h3>\n\n\n\n<p>You need a live inventory, updated automatically, that lists every CNAME and external alias, the cloud account or SaaS tenant each record points to, and the business owner responsible for it.&nbsp;<\/p>\n\n\n\n<p>Takeovers almost always trace back to an inventory that doesn&#8217;t exist or has drifted out of date. 
AWS Route 53 Resolver query logs, Azure DNS analytics, or third-party DNS posture managers can populate the data automatically; the discipline is keeping the ownership column accurate.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-make-dns-part-of-every-deprovisioning-checklist\">2. Make DNS part of every deprovisioning checklist<\/h3>\n\n\n\n<p>When a marketing campaign ends, a SaaS contract is canceled, or a cloud resource is deleted, the corresponding DNS record must be removed in the same change window \u2013 a process problem more than a technical one.&nbsp;<\/p>\n\n\n\n<p>A useful gate is to require that no cloud resource can be deleted without a linked DNS-record disposition (delete, re-point, or document why kept), enforced in your change-management system.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-continuously-monitor-your-own-dns-surface\">3. Continuously monitor your own DNS surface<\/h3>\n\n\n\n<p>Several attack-surface vendors and open-source tools will continuously scan your zones for fingerprintable orphan responses, making this the cheapest mitigation and the one most consistently skipped.&nbsp;<\/p>\n\n\n\n<p>At minimum, schedule a weekly subjack or nuclei run against your full subdomain list, with results piped into your existing alerting.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4-harden-admin-and-cms-surfaces\">4. Harden admin and CMS surfaces<\/h3>\n\n\n\n<p>Not every case in the 2025 cluster was a dangling CNAME; some were straightforward credential compromises on outdated CMS instances.&nbsp;<\/p>\n\n\n\n<p>Subdomain takeover and CMS takeover get conflated because the externally visible outcome is identical: an attacker hosting their content on your domain. 
The defenses are different (patching, MFA, admin IP allowlisting, removal of unused tenants), but the inventory discipline that catches one will surface the other.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-self-check-runbook\">A Self-Check Runbook<\/h2>\n\n\n\n<p>If you own a domain and want to know right now whether you have an exposed subdomain, the following gives you a defensible first pass. None of it is a substitute for a continuous program; it is what we recommend for a one-hour first audit.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-1-enumerate-your-subdomains\">Step 1. Enumerate your subdomains<\/h3>\n\n\n\n<p>Pull from every source you can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your authoritative DNS provider&#8217;s zone export.<\/li>\n\n\n\n<li>Certificate Transparency logs (<strong><em>crt.sh<\/em><\/strong>, e.g., <strong><em>https:\/\/crt.sh\/?q=%25.brand.com&amp;output=json<\/em><\/strong>).<\/li>\n\n\n\n<li>Passive DNS providers (SecurityTrails, VirusTotal, Shodan).<\/li>\n\n\n\n<li>Internal CMDB and cloud-account exports.<\/li>\n<\/ul>\n\n\n\n<p>Merge and dedupe the result; that combined list is what you will run scans against.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-2-resolve-every-record-and-capture-the-response\">Step 2. 
Resolve every record and capture the response<\/h3>\n\n\n\n<p>For each subdomain, capture:<\/p>\n\n\n\n<div class=\"adex-shell-check-block\">\n  <p 
class=\"adex-shell-label\">Shell<\/p>\n\n  <div class=\"adex-shell-list\">\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">\n        <span class=\"adex-shell-highlight\">dig +noall +answer subdomain.brand.com CNAME<\/span>\n      <\/span>\n    <\/p>\n\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">dig +noall +answer subdomain.brand.com A<\/span>\n    <\/p>\n\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">curl -sI https:\/\/subdomain.brand.com<\/span>\n    <\/p>\n  <\/div>\n<\/div>\n\n\n\n<p>You are looking for two things: CNAMEs that point to third-party hosts, and HTTP responses that match a known orphan-fingerprint pattern.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-3-run-a-fingerprint-scan\">Step 3. 
Run a fingerprint scan<\/h3>\n\n\n\n<div class=\"adex-shell-tools-block\">\n  <p class=\"adex-shell-label\">Shell<\/p>\n\n  <div class=\"adex-shell-list\">\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">\n        <span class=\"adex-shell-comment\"># subjack<\/span>\n      <\/span>\n    <\/p>\n\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">\n        subjack -w subdomains.txt -t <span class=\"adex-shell-number\">100<\/span> -timeout <span class=\"adex-shell-number\">30<\/span> -ssl -c fingerprints.json -v\n      <\/span>\n    <\/p>\n\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">\n        <span class=\"adex-shell-comment\"># or nuclei<\/span>\n      <\/span>\n    <\/p>\n\n    <p class=\"adex-shell-row\">\n      <span class=\"adex-shell-dot\"><\/span>\n      <span class=\"adex-shell-code\">\n        nuclei -l subdomains.txt -t http\/takeovers\/ -severity high,critical\n      <\/span>\n    <\/p>\n  <\/div>\n<\/div>\n\n\n\n<p>Treat anything flagged as &#8220;vulnerable&#8221; as a candidate rather than a conclusion, because false positives are common, and every hit should be confirmed by hand before you alert an owner.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-4-triage-hits\">Step 4. Triage hits<\/h3>\n\n\n\n<p>For each candidate:<\/p>\n\n\n\n<p>1. 
Confirm the third-party host actually returns the orphan signature (re-run the curl manually).<\/p>\n\n\n\n<p>2. Identify the cloud account or SaaS tenant that the record points at.<\/p>\n\n\n\n<p>3. Either reclaim the resource (preferred) or remove the DNS record. Reclaiming is safer because it prevents an attacker from racing you to the name.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-5-wire-it-into-change-management\">Step 5. Wire it into change management<\/h3>\n\n\n\n<p>The audit only matters if it does not have to be redone manually next quarter. Land the subdomain list and the fingerprint scan into your CI\/CD or scheduled-task runner, alert on diffs, and require a DNS-disposition entry on every cloud-resource deletion ticket.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"provider-specific-notes\">Provider-Specific Notes<\/h2>\n\n\n\n<p>Reclamation behavior is not uniform across providers. The following are the patterns we have observed most often in 2024\u20132026 incidents; check current provider documentation before treating any of them as authoritative.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS S3.<\/strong> Bucket names are global and reusable after deletion, and CloudFront distributions tied to a CNAME are the more common takeover vector once the distribution is removed. AWS now requires CNAME validation for some distribution types, but older configurations are not retroactively protected. 
As of late 2023, CloudFront no longer leaks the underlying bucket name in the error response when the bucket is missing, which complicates detection, but does not close the underlying takeover path \u2013 the dangling CNAME is still the failure, and the attacker who can identify the bucket name (often from old archives, JS bundles, or CT logs) can still reclaim it.<\/li>\n\n\n\n<li><strong>Microsoft Azure.<\/strong> Azure introduced subscription-scoped DNS validation for App Service, Storage, and CDN endpoints in stages from 2019 onward, but tenants that predate the change or opted out of the validation flow remain exposed. The Microsoft Learn guidance linked above is the current operational reference.<\/li>\n\n\n\n<li><strong>GitHub Pages.<\/strong> The &#8220;There isn&#8217;t a GitHub Pages site here&#8221; response is the canonical fingerprint. GitHub has tightened the takeover path with custom-domain verification \u2013 a custom domain on a verified organization cannot be silently reclaimed by re-registering the username \u2013 but unverified custom domains and <code>*.github.io<\/code> slots tied to deleted usernames remain exploitable, and the fingerprint is still the right signal to scan for.<\/li>\n\n\n\n<li><strong>Heroku.<\/strong> App names are reusable after deletion, with the &#8220;No such app&#8221; response acting as the fingerprint.<\/li>\n\n\n\n<li><strong>Netlify, Vercel, Fastly, Fly.io.<\/strong> All have variants of the same pattern. 
EdOverflow&#8217;s <a href=\"https:\/\/github.com\/EdOverflow\/can-i-take-over-xyz\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Can I take over XYZ?<\/a> tracks the current status per provider and is the most reliable single reference.<\/li>\n<\/ul>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>The point is not to memorize fingerprints but to recognize that &#8220;we are on a major cloud, so we are fine&#8221; is not a defense, because the cloud&#8217;s reclamation policy is the variable, and policies have changed and will change again.<\/p>\n<\/p><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"whos-exposed-and-whats-at-stake\">Who&#8217;s Exposed, and What&#8217;s at Stake<\/h2>\n\n\n\n<p>The most common misreading of this category is that subdomain takeover is a problem of large brands with sloppy infrastructure, when in practice, smaller organizations are often more exposed: they spin up cloud resources for a campaign or a microsite, hand the work to an external agency, and lose track of the DNS record after the engagement ends.<\/p>\n\n\n\n<p>The 2025 Indonesian cluster spans institutional domains without dedicated security operations, which is exactly the profile attackers prefer.<\/p>\n\n\n\n<p>The second misreading is treating this primarily as a brand-safety problem, when it is also a compliance problem. 
A <strong>.gov<\/strong> or <strong><em>.edu<\/em><\/strong> subdomain hosting an unlicensed gambling page is not just reputationally awkward; it can expose the legitimate owner to regulatory risks they did not consent to and cannot easily document their way out of.<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>From an ad-platform perspective, the consequence is that takeover-driven inventory carries a different category of risk than ordinary low-quality inventory, and that distinction should drive how it is handled when detected.<\/p>\n<\/p><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"where-this-leaves-the-defender\">Where This Leaves the Defender<\/h2>\n\n\n\n<p>There is no single control that closes subdomain takeover end to end: domain owners shrink the exposure window through inventory discipline, ad platforms and verification layers stack signals to catch the abuse downstream while accepting the false-positive cost, and neither approach is sufficient on its own.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>The asymmetry, cheap to attempt, expensive to fully prevent, keeps this technique in circulation as long as cloud-tenant reuse and DNS hygiene gaps coexist.<\/p>\n<\/div><\/div>\n\n\n\n<p>The change of mindset worth taking from this is to stop treating a trusted domain in a campaign URL as a sufficient signal of 
legitimacy, which it has not been for several years. The work is to build the second-layer checks (NS consistency, content-vertical alignment, behavioral anomaly review) into the verification stack, and to treat any campaign that fails them as worth the friction of a manual review rather than the cost of a quiet impression on someone else&#8217;s hijacked subdomain.<\/p>\n\n\n\n<p>That is a less satisfying conclusion than &#8220;deploy this tool and the problem goes away,&#8221; but it is closer to what the operational reality looks like.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"frequently-asked-questions\">Frequently Asked Questions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-do-i-check-if-my-subdomain-is-vulnerable-to-takeover-right-now\">How do I check if my subdomain is vulnerable to takeover right now?<\/h3>\n\n\n\n<p>Pull a complete subdomain list from your authoritative DNS plus Certificate Transparency logs, resolve each record, and run a fingerprint scanner (subjack or nuclei&#8217;s <strong><em>takeovers<\/em><\/strong> templates). Anything returning a known orphan fingerprint \u2013 <strong><em>NoSuchBucket<\/em><\/strong>, &#8220;There isn&#8217;t a GitHub Pages site here&#8221;, &#8220;No such app&#8221;, and so on \u2013 is a candidate that should be confirmed by hand before remediation. The runbook above walks the steps end-to-end.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-tools-detect-subdomain-takeover\">What tools detect subdomain takeover?<\/h3>\n\n\n\n<p>On the open-source side, subjack, nuclei (with the takeover templates), subzy, and dnsReaper are the staples for direct takeover detection, with BadDNS (released early 2025) now in the same category and worth tracking because it auto-syncs signatures from Nuclei and dnsReaper. 
aquatone remains useful for the preceding step \u2013 enumerating and visually triaging large subdomain lists \u2013 but it is not itself a fingerprint scanner. Most commercial attack-surface management vendors include takeover detection in their offering. EdOverflow&#8217;s &#8220;Can I take over XYZ?&#8221; repository is the canonical reference list of currently fingerprintable services.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-is-subdomain-takeover-different-from-typosquatting\">How is subdomain takeover different from typosquatting?<\/h3>\n\n\n\n<p>Typosquatting uses an attacker-owned lookalike domain (<strong><em>brnd.com<\/em><\/strong> instead of <strong><em>brand.com<\/em><\/strong>), whereas subdomain takeover uses your real domain by hijacking a subdomain through a dangling DNS record. The defenses differ accordingly: typosquatting needs brand-monitoring and registrar takedowns, while takeover requires DNS hygiene and orphan monitoring.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-the-cloud-provider-or-the-domain-owner-responsible\">Is the cloud provider or the domain owner responsible?<\/h3>\n\n\n\n<p>Operationally, the domain owner is responsible: the cloud provider&#8217;s contract typically allows resource names to be reused after deletion, and the dangling DNS record is the owner&#8217;s artifact.<\/p>\n\n\n\n<p>Some providers (notably Azure for several services) have added validation flows that block reclamation even when DNS is misconfigured, but ownership of the underlying procedural failure sits with the domain owner.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"can-ad-networks-block-subdomain-takeover-automatically\">Can ad networks block subdomain takeover automatically?<\/h3>\n\n\n\n<p>Not from a single signal: 
reputation scoring alone passes hijacked subdomains because the parent domain is genuinely trusted, and while stacking NS\/IP consistency, content-vertical classification, and behavioral anomaly review catches a meaningful fraction, false-positive rates on any single layer keep human review in the loop on edge cases.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-should-i-do-if-i-find-a-takeover-on-someone-elses-domain\">What should I do if I find a takeover on someone else&#8217;s domain?<\/h3>\n\n\n\n<p>Disclose responsibly: identify the domain owner&#8217;s security contact through <strong><em>security.txt<\/em><\/strong>, the company&#8217;s vulnerability disclosure program, or a direct email to a security alias, and provide reproduction steps, the fingerprint response, and a short remediation recommendation. Do not host content on the reclaimed resource beyond what is necessary to demonstrate the issue.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Could an abandoned subdomain become an attacker\u2019s landing page? 
Learn how subdomain takeover works, why ad platforms can miss it, and what actually helps close the exposure gap.<\/p>\n","protected":false},"author":4,"featured_media":5669,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[18,16],"class_list":["post-5662","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","tag-fraud","tag-threat"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Subdomain Takeover: How Trusted Domains Get Weaponized<\/title>\n<meta name=\"description\" content=\"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. Learn how it works, why domain owners miss it, and what stops it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Subdomain Takeover: How Trusted Domains Get Weaponized\" \/>\n<meta property=\"og:description\" content=\"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. 
Learn how it works, why domain owners miss it, and what stops it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-25T11:37:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-25T11:37:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kira Vessiari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kira Vessiari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/\"},\"author\":{\"name\":\"Kira Vessiari\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\"},\"headline\":\"Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops It\",\"datePublished\":\"2026-05-25T11:37:23+00:00\",\"dateModified\":\"2026-05-25T11:37:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/\"},\"wordCount\":4008,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Subdomain-Takeover-Trusted-Domains.png\",\"keywords\":[\"Fraud\",\"Threat\"],\"articleSection\":[\"Guides\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/\",\"name\":\"Subdomain Takeover: How Trusted Domains Get 
Weaponized\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Subdomain-Takeover-Trusted-Domains.png\",\"datePublished\":\"2026-05-25T11:37:23+00:00\",\"dateModified\":\"2026-05-25T11:37:24+00:00\",\"description\":\"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. Learn how it works, why domain owners miss it, and what stops it.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Subdomain-Takeover-Trusted-Domains.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Subdomain-Takeover-Trusted-Domains.png\",\"width\":1200,\"height\":628,\"caption\":\"Adex - subdomain takeover visual showing how trusted domains get weaponized in ad ecosystems.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/subdomain-takeovers-prevention\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops 
It\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\",\"name\":\"Kira 
Vessiari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"caption\":\"Kira Vessiari\"},\"sameAs\":[\"https:\\\/\\\/adex.com\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/kiravessiari\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Subdomain Takeover: How Trusted Domains Get Weaponized","description":"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. Learn how it works, why domain owners miss it, and what stops it.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/","og_locale":"en_US","og_type":"article","og_title":"Subdomain Takeover: How Trusted Domains Get Weaponized","og_description":"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. 
Learn how it works, why domain owners miss it, and what stops it.","og_url":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2026-05-25T11:37:23+00:00","article_modified_time":"2026-05-25T11:37:24+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png","type":"image\/png"}],"author":"Kira Vessiari","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Kira Vessiari","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/"},"author":{"name":"Kira Vessiari","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61"},"headline":"Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops It","datePublished":"2026-05-25T11:37:23+00:00","dateModified":"2026-05-25T11:37:24+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/"},"wordCount":4008,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png","keywords":["Fraud","Threat"],"articleSection":["Guides"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/","url":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/","name":"Subdomain Takeover: How Trusted Domains Get 
Weaponized","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png","datePublished":"2026-05-25T11:37:23+00:00","dateModified":"2026-05-25T11:37:24+00:00","description":"Subdomain takeover lets attackers exploit dangling DNS and trusted domains. Learn how it works, why domain owners miss it, and what stops it.","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png","width":1200,"height":628,"caption":"Adex - subdomain takeover visual showing how trusted domains get weaponized in ad ecosystems."},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops It"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention 
Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61","name":"Kira Vessiari","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","caption":"Kira 
Vessiari"},"sameAs":["https:\/\/adex.com","https:\/\/www.linkedin.com\/in\/kiravessiari\/"]}]}},"_links":{"self":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/comments?post=5662"}],"version-history":[{"count":13,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5662\/revisions"}],"predecessor-version":[{"id":5677,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5662\/revisions\/5677"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media\/5669"}],"wp:attachment":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media?parent=5662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/categories?post=5662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/tags?post=5662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}