It’s a wake-up call for brands – the SubdoMailing attack sees 8000 household names’ domains hijacked and exploited. Here’s why and how to protect your brand.

8000 brands targeted in the SubdoMailing attack

Some of the world’s biggest brands have recently come under attack from a prolific threat actor in a spate of hacking named the SubdoMailing attack.

Millions of spam emails have been sent to victims; each looks at first like an ordinary phishing email but leads through a series of redirections designed to extort money. The activity has only just been discovered, after running for a few years.

Trusted household names

This recent high-profile attack demonstrates how the SubdoMailing hackers deliberately exploited the trust we place in well-known brands to extract money by criminal means.

Over 8000 brands have been targeted, including McAfee, UNICEF, eBay, The Economist, MSN, CBS, Marvel, Symantec, and the list goes on.

Attack active approximately two years

The campaign has been described by cybercrime experts Guardio Labs as “massive” and is thought to have been active since 2022. The funds gained from it are as yet unknown but suspected to be substantial.

Fraudulent adverts, fake giveaways and affiliate scheme scams have been successfully deployed by the hackers to extort money from people online who genuinely believed they were dealing with the brands they know and trust.

Five million emails a day

Every day of the campaign, around five million emails have been sent from the legitimate domains of the more than 8000 brands and 13,000 subdomains.

How did they do it?

The cybercriminals scanned the internet for expired external domains of reputable brands and registered them under another name, effectively hijacking the domain so they could send spam and phishing emails from it.

In addition, they also set up deceptive advertising and phishing pages designed to look and feel exactly like the brand they were impersonating.

The emails the hackers sent passed security checks and landed intact in people’s inboxes because the hackers had successfully scanned the internet for SPF* records, which they were then able to import.

*SPF stands for Sender Policy Framework and is a DNS record that identifies the mail servers and domains that are allowed to send email on behalf of that domain.

Wake-up call

What’s alarming about the SubdoMailing attack is that the old domains of many ‘big’ trusted brands could be hijacked in this way, and that phishing and malicious emails got through security with such apparent ease.

For all brands it’s a wake-up call about regularly reviewing and securing domain assets.

Checking and securing domain assets

  • Companies need to review their domain assets and check if there are any no longer in use.
  • Any domains that are registered in DNS but no longer active should be secured and removed from records promptly.

No substitute for robust security measures

  • Monitoring and scanning of CNAME records and SPF configurations should be done on a regular basis and any vulnerabilities addressed as soon as possible.
  • Monitoring email for unusual patterns in metadata and proactively checking for unauthorised use of domains for spamming/phishing activities are recommended.
  • There are also resources available to help domain owners check their domains are not being abused.
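As an added example of the CNAME and SPF review recommended above (not code from the article or from Guardio Labs), the Python below walks a domain’s SPF include chain and CNAME targets and flags any referenced name that no longer exists, which is exactly the kind of dangling reference an attacker could register. It assumes a `lookup(name, rrtype)` function; here that function reads a constructed, fictional zone instead of querying real DNS.

```python
import re
from typing import Callable, List, Optional, Set
# Constructed sample DNS data for a fictional brand (not real records); a real
# check would back `lookup` with a resolver, here it just reads this dict.
SAMPLE_DNS = {
    ("brand.example", "TXT"): ["v=spf1 include:_spf.mailer.example include:promo.retired.example -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:legacy-esp.example ~all"],
    ("promo.2019.brand.example", "CNAME"): ["promo.retired.example."],
    ("legacy-esp.example", "TXT"): [],  # exists, but publishes no SPF record
    # promo.retired.example has no entries at all: NXDOMAIN, i.e. registrable
}
Lookup = Callable[[str, str], Optional[List[str]]]

def sample_lookup(name: str, rrtype: str) -> Optional[List[str]]:
    """Return records, [] if the name exists without that type, None on NXDOMAIN."""
    name = name.rstrip(".")
    if name not in {n for n, _ in SAMPLE_DNS}:
        return None
    return SAMPLE_DNS.get((name, rrtype), [])

def spf_referenced_domains(record: str) -> Set[str]:
    """Names an SPF record delegates sending authority to (include/a/mx/redirect)."""
    found = set()
    for term in record.split():
        m = re.match(r"^[+\-~?]?(include|a|mx|redirect)[:=]([^/]+)", term)
        if m:
            found.add(m.group(2).rstrip("."))
    return found

def dangling_spf_includes(domain: str, lookup: Lookup, seen: Optional[Set[str]] = None) -> List[str]:
    """Walk the SPF include chain; list referenced names that no longer exist."""
    seen = seen if seen is not None else set()
    if domain in seen:  # guard against include loops
        return []
    seen.add(domain)
    txt = lookup(domain, "TXT")
    if txt is None:
        return [domain]  # NXDOMAIN: anyone could register this and inherit trust
    dangling: List[str] = []
    for rec in txt:
        if rec.startswith("v=spf1"):
            for ref in sorted(spf_referenced_domains(rec)):
                dangling += dangling_spf_includes(ref, lookup, seen)
    return dangling

def dangling_cname(name: str, lookup: Lookup) -> Optional[str]:
    """Return the CNAME target if it points at a name that no longer exists."""
    for target in lookup(name, "CNAME") or []:
        if lookup(target, "A") is None:
            return target.rstrip(".")
    return None
```

Against the sample zone, both checks report `promo.retired.example`: it is still trusted by the brand’s SPF record and still the target of a subdomain’s CNAME, yet no longer registered.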

We want to help all businesses prioritise the security of their digital assets. We built a team of cybersecurity experts to do just that.

If you need help checking that your domains are safe, including old domains, or require ongoing monitoring to keep fraudulent activity at bay, get in touch with our team.
