Simuna Infosec
Technical, 2026-10-06

Subdomain Takeover: How Abandoned DNS Records Become Attack Vectors for Thai Organisations

When subdomains point to decommissioned services, attackers can claim them. This is a common and impactful vulnerability. Guidance for the Thai market.

Subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service that has been decommissioned — a cloud storage bucket, a SaaS platform, or a hosting service that no longer hosts your content. An attacker can claim that abandoned service and serve content under your subdomain, enabling phishing (hosting a credential-harvesting page under your trusted domain), cookie theft (if cookies are scoped to the parent domain), content injection, and reputation damage. Testing involves: enumerating all subdomains through DNS reconnaissance, identifying dangling DNS records pointing to unclaimed services, and verifying that all external service references are active and properly controlled. This is a common finding in organisations with large or historically complex DNS environments.
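
The verification step described above can be run as a reconciliation of a zone export against the asset inventory. The following is an added example, not code from the original article. The suffix list, zone records, inventory and function names are constructed assumptions for illustration.

```python
"""Audit a DNS zone export for dangling CNAMEs (all sample data is constructed)."""

# Suffixes of third-party services whose resources can be released and re-registered.
# Illustrative list (assumption); extend it with the providers your organisation uses.
EXTERNAL_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".github.io")

# Constructed zone export: (record name, type, target).
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("assets.example.com", "CNAME", "example-assets.s3.amazonaws.com."),
    ("promo2019.example.com", "CNAME", "example-promo.azurewebsites.net."),
    ("docs.example.com", "CNAME", "Example-Docs.github.io"),
    ("mail.example.com", "CNAME", "mx.internal.example.com."),
]

# Constructed asset inventory: external resources the organisation still controls.
OWNED = {"example-assets.s3.amazonaws.com", "example-docs.github.io"}


def normalise(hostname):
    """Lower-case and strip the trailing root dot so comparisons are exact."""
    return hostname.strip().rstrip(".").lower()


def audit_zone(zone, owned, suffixes=EXTERNAL_SUFFIXES):
    """Return one finding per CNAME that points at an external service.

    status is "ok" when the target is in the owned inventory and "dangling"
    when the DNS record has outlived the resource it points to.
    """
    owned = {normalise(h) for h in owned}
    findings = []
    for name, rtype, target in zone:
        if rtype.upper() != "CNAME":
            continue
        target = normalise(target)
        if not target.endswith(suffixes):
            continue  # internal target, out of scope for this check
        status = "ok" if target in owned else "dangling"
        findings.append({"name": normalise(name), "target": target, "status": status})
    return findings


def dangling(zone, owned):
    """Names whose external target is no longer controlled: remove or reclaim."""
    return [f["name"] for f in audit_zone(zone, owned) if f["status"] == "dangling"]


if __name__ == "__main__":
    for finding in audit_zone(ZONE, OWNED):
        print(f'{finding["status"]:9} {finding["name"]} -> {finding["target"]}')
```

Each name reported as dangling should have its DNS record deleted before, or at the same time as, the external resource is released.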