Subdomain Takeover
What it is
A subdomain takeover occurs when the DNS record for a subdomain (for example, blog.example.com) still exists and continues to point to a third-party service that is no longer active. An attacker can claim that unused external service account and gain control over the subdomain, effectively publishing content under your trusted domain.
Why it matters
Subdomain takeovers allow attackers to:
- Host malicious or phishing content under a legitimate brand
- Steal user credentials or session data
- Damage reputation and user trust
- Trigger browser or search-engine warnings
It is especially common in cloud hosting, SaaS integrations, or short-lived staging environments where DNS records are forgotten after the service is decommissioned.
How to reduce risk
- Regularly audit DNS records, certificates, and subdomains
- Remove unused or orphaned CNAME records
- Decommission external services only after DNS references are cleaned up
- Continuously monitor the external attack surface for dangling records
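The audit steps above can be partly automated. The following is an added example, not code from this page: it checks a zone export for CNAME records whose target is neither a name in the zone nor an external resource listed in an asset inventory. The zone contents, hostnames, and inventory are constructed sample data, and the function names are hypothetical.

```python
# Added example: offline audit of a zone export. All data and names are constructed.
ZONE = """\
; constructed zone export for example.com
www      3600 IN A     192.0.2.10
blog     3600 IN CNAME example-blog.hosting.test.
shop     3600 IN CNAME example-shop.saas.test.
staging  300  IN CNAME old-staging.cloud.test.
docs     3600 IN CNAME www
legacy   3600 IN CNAME retired
"""
ORIGIN = "example.com"
# Third-party resources the organisation still controls (assumed to come from an asset register)
ACTIVE_EXTERNAL = {"example-blog.hosting.test", "example-shop.saas.test"}


def fqdn(name, origin=ORIGIN):
    """Normalise a zone-file name: a trailing dot means absolute, otherwise relative to origin."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) tuples, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fqdn(fields[0]), fields[3].upper(), fields[4]))
    return records


def find_dangling(text, active_external):
    """Flag CNAMEs whose target is neither an inventoried external resource nor a zone name."""
    records = parse_zone(text)
    owners = {owner for owner, _, _ in records}
    findings = []
    for owner, target in ((o, fqdn(d)) for o, t, d in records if t == "CNAME"):
        internal = target == ORIGIN or target.endswith("." + ORIGIN)
        if internal and target not in owners:
            findings.append((owner, target, "internal target has no record"))
        elif not internal and target not in active_external:
            findings.append((owner, target, "external target not in inventory"))
    return findings


if __name__ == "__main__":
    for owner, target, reason in find_dangling(ZONE, ACTIVE_EXTERNAL):
        print(f"{owner} -> {target}: {reason}")
```

Each finding is a candidate for review or removal; the inventory must be kept current for the result to be meaningful.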
Related Terms: Attack Surface, DNS Hijacking, Domain Spoofing