Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Attack Surface Management
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
How to Prevent Subdomain Takeovers
Last updated
October 8, 2025
{x} minute read

How to Prevent Subdomain Takeovers

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Leah Sadoian
Content Writer
Leah is an experienced cybersecurity writer. Her work is read by leaders in security, tech, education, healthcare, and government.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

Subdomain takeovers pose a significant and often overlooked threat to website security. In today's digital age, almost every business has a website to promote, inform, and provide resources to visitors. Websites that use multiple subdomains risk exposing themselves to cyberattacks.

Subdomain takeovers can lead to data breaches and reputational damage. However, these risks can be minimized with the right strategies, and your organization can stay protected. This blog post will provide an in-depth understanding of subdomain takeovers, their impact on organizations, and the best practices for safeguarding your website against potential takeovers.

What is a subdomain takeover?

It is important to understand what a domain is in the domain name system (DNS) context to comprehend what subdomain takeovers are and how hackers can exploit them. A domain is the main web address of a website, such as "example.com." Within this domain, subdomains can serve different functions or contain different content, such as "blog.example.com" or "shop.example.com."

A subdomain takeover happens when an attacker exploits a vulnerable subdomain and takes control of it. This usually occurs when a subdomain, as part of the DNS configurations, points to an external service like a cloud provider (Amazon, Azure, Microsoft), and that service is misconfigured or retired.

Attackers can claim that the DNS entry for that subdomain is still intact, and the service it points to becomes available for registration. They can then deploy malicious content, turning the subdomain into a launchpad for phishing campaigns and other cyber threats.

To understand how this attack differs from similar threats, read our breakdown on Domain Hijacking Explained.

How do subdomain takeovers occur?

Every domain, governed by the domain name system, has a set of records in the DNS zone associated with its IP addresses. Among these records is the CNAME or canonical name record, which directs a subdomain to another target domain or service.

Vulnerabilities arise when the external service, often hosted by cloud providers, is no longer active or incorrectly configured. If the nameservers still have the DNS record pointing to this service, it leaves the organizations at risk of subdomain takeover.

Here are some common scenarios of subdomain takeover attacks:

  • Orphaned Services: A company might create an app on its website using the subdomain “marketing.example.com” for a marketing campaign. Once the campaign ends, if the DNS configuration is unchanged, attackers can exploit this oversight and take over the subdomain.
  • Expired Third-Party Accounts: Companies might rely on third-party platforms like AWS from Amazon or GitHub for web applications. If the account lapses but the DNS still points there, it becomes an attractive attack vector for malicious entities.
  • Migration Oversights: During website migrations, old subdomains may get overlooked. If a company switches its hosting provider but doesn't audit all subdomain configurations during the move, some subdomains might be left pointing to the old, now potentially unclaimed, hosting service.

What is the impact of subdomain takeovers?

Subdomain takeovers can have severe consequences for organizations. These can include:

  • Reputational Damage: One of the immediate effects of a subdomain takeover is the tarnishing of an organization's reputation. Customers may attempt to access a promotional subdomain of a reputable brand only to find questionable or offensive content. Even if fixed quickly, such incidents can damage a brand’s perception and negatively impact customer trust.
  • Phishing and Data Theft: Malicious actors can craft convincing phishing campaigns using a hijacked subdomain. Unsuspecting users may input sensitive data, thinking they're on an official site. This data might include session cookies, personal details, or financial data.
  • Chain Attacks: A compromised subdomain can serve as a springboard for attacks on other parts of the organization's IT infrastructure. Attacks could, for instance, use cross-site scripting with JavaScript to compromise user data or deliver malware.

Take this example: Suppose a bank inadvertently left a subdomain vulnerable related to a past promotional event. An attacker, seizing this opportunity, could set up a page mimicking the bank's login portal. Customers, trusting the legitimate-looking URL, might then input their credentials, granting attackers potential access to thousands of bank accounts and sensitive data.

Top strategies to prevent subdomain takeovers

Ensuring the safety of subdomains has become an integral part of any website’s cybersecurity posture. Below are a few top strategies to prevent subdomain takeovers, protect your websites, and strengthen your digital assets.

Regularly audit and clean DNS records

It is important to regularly review your DNS records, especially CNAME records, to ensure the safety and accuracy of your domain configurations. Regular DNS configuration reviews, especially CNAME and TXT records, are crucial.

Removing or updating any outdated or irrelevant subdomain entries that point to third-party services that are no longer in use prevents vulnerable subdomains that attackers could take advantage of. By proactively reviewing your DNS records, you can ensure your domain is secure and configured correctly.

  • Automating DNS record audits: Establish a process to automatically scan and audit your CNAME records daily or weekly. Automated scripts or continuous monitoring tools can flag any CNAME that points to a non-existent or unverified external endpoint, making it easier to identify and remove stale records before they become a liability.

Monitor third-party services

When you use third-party services such as cloud platforms, hosting providers, or Content Delivery Networks (CDN) for your subdomains, it's vital to ensure that these services are always active and properly configured.

Additionally, note the expiration dates of these services and the end of their trial periods, as any lapses could potentially direct your subdomain toward an unclaimed address, leaving it vulnerable to security breaches.

  • Set up expiration alerts: Integrate the expiration and decommission dates of all cloud resources (S3 buckets, Azure containers, Heroku apps) into a centralized calendar or alert system to prevent orphaned resources.
  • Maintain a living asset inventory: Keep a real-time, comprehensive living asset inventory that extends beyond listing subdomains. This inventory should map each subdomain directly to its corresponding owner, service provider, and status.

Domain registrar locking

Protecting your online assets from unauthorized access should be a top priority. One way to do this is to take advantage of domain-locking features most domain registrars provide. These tools prevent unauthorized modifications to your DNS settings, making it harder for hackers to access your website.

Additionally, enabling multi-factor authentication for your domain registrar account adds an extra layer of security, making it even more difficult for unauthorized users to access your account. These security measures can safeguard your online assets from a potential subdomain takeover.

Certificate transparency monitoring

Certificate Transparency (CT) logs are a valuable tool for monitoring the issuance of new SSL/TLS certificates for your domain and subdomains.

By diligently overseeing these logs, you can be promptly alerted to any unauthorized certificates, signaling possible subdomain takeover attempts and allowing for timely intervention.

External attack surface management

External Attack Surface Management (EASM) is a crucial part of the defense against subdomain takeovers. It continuously maps and analyzes an organization's digital footprint from an outsider's perspective to identify vulnerabilities and exposures before they can be exploited.

One of its primary functions is to detect misconfigured or abandoned subdomains that may be susceptible to takeovers. Businesses often deploy subdomains for various purposes, but some may be left unattended or improperly configured. EASM tools proactively detect these weak points, enabling organizations to address them promptly.

By ensuring that every digital asset is accounted for and protected, companies can significantly reduce the risk of subdomain hijackings and maintain the integrity of their online presence.

What to do if a subdomain is compromised

If you detect a subdomain takeover, immediate and precise action is required to minimize damage. 

Follow this remediation playbook right away:

                                                                                                                                                                                                       
StepActionObjective
1. Verify and IsolateImmediately confirm the takeover is occurring and identify the compromised subdomain and the attacker-controlled content.Stop the attacker from gaining deeper access or collecting more data.
2. Remove the Vulnerable DNS RecordThe critical first step: Delete the CNAME or A record pointing to the unclaimed external service.This instantly breaks the connection between your legitimate domain and the attacker’s malicious content.
3. Reclaim or Reconfigure ResourcesIf the external service is still needed (e.g., an S3 bucket or Heroku app), immediately reclaim the resource and secure it. If it is not required, ensure it is completely deleted.Prevent the attacker from simply re-registering the service and resuming the takeover.
4. Monitor and AnalyzeMonitor your DNS records and Certificate Transparency (CT) logs in real-time for any new or unauthorized changes. Analyze server and network logs to determine the extent of the breach.Ensure the attacker has been completely evicted from your infrastructure.

Real-World Subdomain Takeovers

Subdomain takeovers have impacted organizations of all sizes, leading to reputation damage and data exposure.

Take the Uber/AWS CloudFront takeover, for example. In 2016, security researcher Frans Rosén discovered that rider.uber.com was vulnerable to takeover because its CNAME record pointed to a non-existent distribution on Amazon CloudFront. The issue occurred due to an oversight during DNS work. Rosén was able to claim the distribution and host a proof-of-concept page on the subdomain. Uber was quickly notified and fixed the issue by removing the vulnerable DNS record.

Protect your website from subdomain takeovers with UpGuard

Subdomain takeovers are just one type of cyber threat your organization will face. To truly upgrade your organization’s overall approach to cybersecurity, you need continuous, automated oversight. 

UpGuard’s all-in-one External Attack Surface Management (EASM) platform, Breach Risk, helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected.

Practitioner’s subdomain takeover detection and remediation checklist

                                                                                                                                                                                                       
AreaManual/Open-Source ToolsUpGuard EASM Automation
Asset DiscoveryAmass, Subfinder: Used for manually enumerating every subdomain in your environment.Continuous Monitoring: Automatically discovers all domains, subdomains, IPs, and exposed assets in real-time.
Vulnerability DetectionSubjack, Nuclei Templates: Tools requiring manual execution and configuration to check CNAME records against vulnerable services.Attack Surface Reduction: Automatically detects exploitable vulnerabilities and CNAME misconfigurations that put domains at risk.
MonitoringCustom Bash Scripts/GitHub Open-Source Tools: Requires setup to run scheduled checks and send alerts.Real-Time Alerting: Gets real-time information and manages exposures, including domains and employee credentials.
RemediationManual ticket generation and risk prioritization based on scan results.Workflows and Waivers: Simplifies and accelerates how you remediate issues and waive accepted risks, integrating with existing ticketing systems.

Breach Risk helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. Our user-friendly platform makes it easy to view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents.

Other features include:

  • Data Leak Detection: Protects your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
  • Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
  • Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
  • Shared Security Profile: Eliminate having to answer security questionnaires by creating a Trust Page
  • Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
  • Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface

Frequently asked questions (FAQs)

How do I know if my subdomain is vulnerable to takeover?

A subdomain is vulnerable to takeover if its CNAME record points to an external resource (like an Amazon S3 bucket, GitHub Pages, or Heroku app) that is currently unclaimed or orphaned. You can manually check by using a DNS lookup tool to find the CNAME target, then attempting to access that target URL or register a new service with the same name. Automated EASM tools, like UpGuard, perform this check continuously to flag vulnerable CNAME records immediately.

What tools can I use to scan for subdomain takeover risks?

Security practitioners often use a combination of open-source tools:

  • Amass/Subfinder: Used for comprehensive subdomain enumeration (finding all your subdomains).
  • Subjack: A dedicated tool designed to check if a subdomain is pointing to an unclaimed cloud service.
  • Nuclei templates: Customizable vulnerability scanner templates that include checks for specific subdomain takeover fingerprints.

For organizations with a large attack surface, External Attack Surface Management (EASM) platforms are the most effective solution, as they automate the function of all these tools into a single, real-time monitoring system.

Is subdomain takeover a form of domain hijacking?

No, they are distinct types of attacks.

  • Subdomain takeover exploits a misconfiguration in the DNS record (specifically a CNAME) that points to an orphaned external resource. The attacker claims the orphaned resource, not the domain itself.
  • Domain hijacking involves the attacker gaining unauthorized control of the domain registrar account (e.g., through stolen credentials or social engineering) and then changing the domain's nameservers. This gives the attacker control over the entire domain and all subdomains.

Related posts

Learn more about the latest issues in cybersecurity.
Attack Surface Management

Breach Risk Threat Monitoring: A Path to Clarity in Cyber Noise

Cut through the noise of constant security alerts to proactively identify and mitigate urgent breach risks before they escalate with threat monitoring.
Shane Moosa
Shane Moosa
September 3, 2025
Attack Surface Management

Typosquatting Explained with Real-World Examples

Learn more about typosquatting, what it is, how it works, and how to protect your business. Explore legal strategies, tools, and real-world examples here.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Cybersecurity

Why is Cybersecurity Important?

If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. Learn why cybersecurity is important.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Attack Surface Management

What are Security Ratings? Cybersecurity Risk Scoring Explained

This is a complete guide to security ratings and common use cases. Learn why security and risk management teams have adopted security ratings in this post.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Attack Surface Management

Attack Surface Monitoring Guide for Security Teams

Learn how to implement attack surface monitoring to reduce external risk, discover exposed assets in real time, and strengthen your cybersecurity posture.
Revashni Moodley
Revashni Moodley
December 3, 2025
Attack Surface Management

Attack Surface Discovery: A Quick Overview

Explore how attack surface discovery works, what tools help identify hidden risks, and how security teams can secure complex environments in real time.
Revashni Moodley
Revashni Moodley
December 3, 2025
All posts