Rise of SubdoMailing: A New Phishing Threat Exploiting Domain Trust
Severity: High (Score: 69.5)
Sources: Scworld, redsift.com
Summary
In late February 2024, a large-scale phishing campaign known as 'SubdoMailing' was uncovered, exploiting gaps in DMARC safeguards. This tactic allowed attackers to send emails from compromised subdomains, bypassing SPF and DMARC checks, and impersonating reputable organizations. The campaign reportedly sent 5 million emails daily from over 8,000 compromised domains and 13,000 subdomains. Attackers take advantage of misconfigured DNS records, allowing them to control subdomains and conduct phishing attacks without raising suspicion. The threat has evolved to include not just email but also social media impersonation, complicating detection efforts. As organizations increasingly rely on email security protocols, attackers are pivoting to exploit domain infrastructure vulnerabilities. The scale of these attacks poses significant risks to brand reputation and financial security. Current defenses may not be sufficient to mitigate this sophisticated threat.
Key Points:
- SubdoMailing exploits DMARC gaps, allowing phishing from compromised subdomains.
- The campaign has sent 5 million emails daily, affecting thousands of domains.
- Attackers use misconfigured DNS records to impersonate trusted brands.
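The misconfigured DNS records the summary refers to are, in the public reporting on SubdoMailing, subdomain CNAMEs and SPF `include:` terms that still point at domains whose registration has lapsed: whoever re-registers such a domain inherits the subdomain's identity and can publish an SPF record that authorizes their own senders, so SPF and DMARC both pass. A defender can catch those dangling references in a zone audit. The Python below is an added example, not code from the page or from either cited source. It assumes an in-memory zone export in place of live DNS; the zone contents, the `LIVE_DOMAINS` set (standing in for real resolution and RDAP/WHOIS checks), and the `retired-vendor.example` names are constructed for the example, and the two-label `registrable()` guess is a simplification that a real audit would replace with the Public Suffix List.

```python
import re
from collections import namedtuple

# A finding records the owner name that carries the risk, the record type,
# the unresolvable target it reaches, and why that matters for mail identity.
Finding = namedtuple("Finding", "name rtype target reason")

# Constructed zone data standing in for a DNS export; keys are
# (owner name, record type). Names are illustrative only.
ZONE = {
    ("example-company.com", "TXT"): [
        "v=spf1 include:email-saas.com include:_spf.analytics-saas.com -all"
    ],
    # The analytics vendor's own SPF record still includes a vendor it dropped.
    ("_spf.analytics-saas.com", "TXT"): [
        "v=spf1 include:retired-vendor.example -all"
    ],
    ("analytics.example-company.com", "CNAME"): ["analytics-saas.com."],
    # Subdomain pointing at a hosting name under a domain nobody owns any more.
    ("login.yourcompany.com", "CNAME"): ["old-app.retired-vendor.example."],
}

# Constructed stand-in for "this registrable domain still resolves and is
# registered". A live audit would replace this with DNS and RDAP lookups.
LIVE_DOMAINS = {
    "example-company.com", "yourcompany.com",
    "email-saas.com", "analytics-saas.com",
}

SPF_INCLUDE = re.compile(r"\binclude:(\S+)")


def registrable(name):
    """Naive registrable-domain guess: the last two labels. Sufficient for
    the constructed data; use the Public Suffix List in a real audit."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def spf_record(zone, name):
    """Return the SPF TXT record held for a name, or None if we have none."""
    for txt in zone.get((name.rstrip(".").lower(), "TXT"), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def walk_includes(zone, spf, seen=None):
    """Yield every domain reached through include: terms, following chains
    through records we hold. `seen` stops loops and bounds the recursion."""
    seen = set() if seen is None else seen
    for inc in SPF_INCLUDE.findall(spf):
        inc = inc.rstrip(".").lower()
        if inc in seen:
            continue
        seen.add(inc)
        yield inc
        nested = spf_record(zone, inc)
        if nested:
            yield from walk_includes(zone, nested, seen)


def audit(zone, live):
    """Flag CNAME targets and SPF include chains that lead to a registrable
    domain not in `live`, i.e. one an outsider could register and control."""
    findings = []
    for (name, rtype), values in zone.items():
        for value in values:
            if rtype == "CNAME":
                target = value.rstrip(".").lower()
                if registrable(target) not in live:
                    findings.append(Finding(
                        name, "CNAME", target,
                        "subdomain delegates to an unregistered domain; its "
                        "new owner controls the subdomain and its SPF record"))
            elif rtype == "TXT" and value.lower().startswith("v=spf1"):
                for inc in walk_includes(zone, value):
                    if registrable(inc) not in live:
                        findings.append(Finding(
                            name, "SPF", inc,
                            "SPF include chain reaches an unregistered domain; "
                            "its new owner can authorize senders for this name"))
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, LIVE_DOMAINS):
        print(f"{f.name} [{f.rtype}] -> {f.target}: {f.reason}")
```

Run against the constructed zone, the audit reports three findings: the organization's SPF record and the vendor's `_spf` record both reach `retired-vendor.example` through an include chain, and `login.yourcompany.com` is a CNAME into the same unregistered domain. The `analytics.example-company.com` CNAME is not flagged because its target is still registered; the point of the check is that a subdomain only becomes a SubdoMailing candidate once the domain it depends on is available to anyone.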
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- SubdoMailing (campaign)
- Costco (company)
- AWS (company)
- Azure (company)
- CWE-200 - Exposure of Sensitive Information (cwe)
- analytics.example-company.com (domain)
- analytics-saas.com (domain)
- email-saas.com (domain)
- example-company.com (domain)
- login.yourcompany.com (domain)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- A/AAAA Records (platform)
- CNAME (platform)
- Heroku (platform)
- MX Records (platform)
- Nameserver (platform)
- VMware (tool)