Subdomain abuse has become mainstream

It was in 1742 that Thomas Gray penned a famous poem about young innocence unknowing or even uninterested in the challenges ahead in adult life. You yourself would be familiar with this poem based on its closing statement “Innocence is bliss, ‘tis folly to be wise.”

​Starting in mid-February of this year, a massive cyber-attack began, originally targeting the Linkedin brand. By the end of the month, the same technique was used to generate massive amounts of generic malicious spam impacting most of the legitimate TLD domains – globally!! The cyber-attack used a simple technique of “using” a subdomain of a TLD domain ie “” and using that as the basis in the FROM field of an email. So your inbox would have an email similar to the picture below. 

These subdomains weren’t registered as you would typically do so using your registrar’s online tools. These subdomains were used or added to the FROM field of the email as easily as adding text in a word document. This field is not controlled or monitored by the majority of organisations globally. There is a separate article of email’s 2 FROM fields here – “The Fundamental flaw in email”.

The interesting aspect of this cyber-attack for the majority of organisations, was that they were “blissfully unaware” of the impact of this attack on their:Internal infrastructure – spam emails could easily bypass standard email security measures and cause havoc internally with the release of ransomware,Impact legit email delivery as your domains are backlisted. Damage to your digital brand as customers don’t trust your emailsLost productivity and increase costs as customers call the contact centre to discuss the spam they received, or even worse the damage caused to their own personal PCs

There is equally a simple resolution to this issue, so don’t despair – there is no need to spend big dollars from your shrinking budget on this security and digital brand issue. The approach is to simply configure DMARC for all your active domains and subdomainsConfigure DMARC for all your active domains and subdomainsUse DMARC’s sub-domain policy tag to disallow use of all sub-domains that do not have an explicit DMARC record.Implement a project to make ALL your email sources and 3rd party senders DMARC compliantMove DMARC configuration from passthrough to quarantine and to reject

DMARC has the ability to disallow the use of these fake sub-domains. A DMARC compliance project is as simple as baking a cake and definitely not as complex as designing a car engine. So what are you waiting for – start baking !!

​By Con Lokos