CNAME and SPF Hijacking are on the rise

By Rui Serra • March 6, 2024

Email security companies are keeping a close watch on the latest attacks, which use CNAME and SPF hijacking to fraudulently use subdomains of known companies.

The latest, and gigantic, criminal operation, SubdoMailing, has affected thousands of organizations' subdomains that were left vulnerable to this attack. As of last week, thousands of companies, including eBay and McAfee, were victims of brand impersonation.


But how exactly can subdomains be used for phishing? By hijacking the CNAME records and the SPF records. Here's a broader view:


What is CNAME Hijacking?

CNAME (Canonical Name) records are a fundamental component of DNS, serving as aliases for domain names. They allow one domain to map to another, redirecting traffic seamlessly. CNAME hijacking occurs when malicious actors gain unauthorized control over a CNAME record, redirecting legitimate traffic to a malicious destination of their choosing.

What is SPF Hijacking?

SPF hijacking occurs when malicious actors gain unauthorized access to a legitimate domain's DNS (Domain Name System) records and modify the SPF record to include their own mail servers. By doing so, they can send fraudulent emails that appear to originate from the compromised domain, bypassing traditional spam filters and email authentication measures. 

  1. DNS Compromise: Cybercriminals exploit vulnerabilities in domain registrar accounts or compromise DNS management credentials to gain access to the domain's DNS records.

  2. SPF Record Modification: Once access is obtained, attackers modify the SPF record to include their own mail servers alongside legitimate ones authorized to send emails on behalf of the domain.

  3. Sending Fraudulent Emails: With the SPF record altered, attackers can send phishing emails, spam, or malware-laden messages that appear legitimate to email servers that perform SPF checks.

Dangers of SPF and CNAME Hijacking
  1. Phishing Attacks: Attackers can redirect users from legitimate websites to fake ones, tricking them into divulging sensitive information such as login credentials or financial data.

  2. Malware Distribution: By redirecting traffic to compromised servers hosting malware, attackers can infect unsuspecting users' devices, leading to data breaches, system compromises, or ransomware attacks.

  3. Brand Reputation Damage: Organizations falling victim to CNAME and SPF hijacking risk tarnishing their brand reputation. Users encountering malicious content may associate the compromise with the legitimate organization, eroding trust and credibility.

  4. SEO Manipulation: Attackers can exploit CNAME hijacking to manipulate search engine rankings by redirecting traffic to illegitimate websites. This can adversely impact an organization's online visibility and credibility.

Prevention Strategies
  1. Implement DNSSEC: DNS Security Extensions (DNSSEC) cryptographically authenticate DNS responses, mitigating the risk of DNS-based attacks, including CNAME hijacking.

  2. Regular Monitoring and Auditing: Continuously monitor DNS records for unauthorized changes or anomalies. Conduct periodic audits to ensure the integrity of DNS configurations.

  3. Strong Authentication Mechanisms: Strengthen authentication mechanisms for accessing DNS management consoles or making changes to DNS records. Implement multi-factor authentication (MFA) to reduce the risk of unauthorized access.

  4. Third-Party DNS Providers: Choose reputable DNS providers with robust security measures and a proven track record of defending against DNS-based attacks.

  5. Domain Registrar Security: Secure domain registrar accounts with strong passwords and enable additional security features offered by registrars, such as domain locking and registry lock services.

  6. Regular Software Updates: Keep DNS servers and associated software up-to-date to patch known vulnerabilities and reduce the risk of exploitation by attackers.

  7. Email Filtering and Detection: Deploy advanced email security solutions that can detect and block suspicious emails originating from domains with modified SPF records.
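
The monitoring and auditing step (item 2 above) can be automated by diffing the current DNS records against a reviewed baseline, so that an added SPF mechanism or a changed CNAME target stands out. This is an added example, not code from the original article: the snapshots, domain names and the `audit`, `spf_terms` and `norm_target` helpers are constructed for illustration, and in practice the current snapshot would come from a zone export or live queries.

```python
# Added example: diff two DNS snapshots and flag CNAME/SPF changes.
# Snapshots are constructed sample data: {(name, rtype): [record values]}.
BASELINE = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"],
    ("news.example.com", "CNAME"): ["campaigns.example.net."],
    ("shop.example.com", "CNAME"): ["store.example.net."],
}
CURRENT = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 include:_spf.example.net "
                             "include:spf.unknown-sender.example ip4:203.0.113.0/24 -all"],
    ("news.example.com", "CNAME"): ["Campaigns.Example.NET"],  # same target, other case
    ("shop.example.com", "CNAME"): ["landing.other-host.example."],
}


def spf_terms(txt_values):
    """Collect SPF mechanisms and modifiers from a name's TXT records."""
    terms = set()
    for value in txt_values:
        tokens = value.split()
        if tokens and tokens[0].lower() == "v=spf1":  # skip non-SPF TXT records
            terms.update(t.lower() for t in tokens[1:])
    return terms


def norm_target(target):
    """CNAME targets compare case-insensitively, ignoring the trailing dot."""
    return target.lower().rstrip(".")


def audit(baseline, current):
    """Return findings as (name, kind, detail) tuples, ordered by record name."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        old, new = baseline.get(key, []), current.get(key, [])
        if rtype == "CNAME":
            old_t, new_t = sorted(map(norm_target, old)), sorted(map(norm_target, new))
            if old_t != new_t:
                findings.append((name, "cname-changed", f"{old_t} -> {new_t}"))
        elif rtype == "TXT":
            old_s, new_s = spf_terms(old), spf_terms(new)
            findings += [(name, "spf-added", t) for t in sorted(new_s - old_s)]
            findings += [(name, "spf-removed", t) for t in sorted(old_s - new_s)]
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding, sep="\t")
```

A weakened `all` qualifier (for example `-all` replaced by `+all`) shows up as one `spf-removed` and one `spf-added` finding for the same name.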

