8,000+ Subdomains of Trusted Brands Hijacked for Massive Spam Operation

Multiple Spam Operations

More than 8,000 subdomains belonging to legitimate brands and institutions were hijacked as part of a sophisticated distribution architecture for spam proliferation and click monetization.

Guardio Labs tracked the coordinated malicious activity, which has been going on since September 2022, under the name SubdoMailing. The emails ranged from “fake package delivery alerts to outright phishing for account credentials.”

The Israeli security company attributed the campaign to what it called a threat actor ResurrecAdswho are known to resuscitate dead domains of or with big brands to end up manipulating the digital advertising ecosystem for ill-gotten gains.

“‘ResurrecAds’ manages an extensive infrastructure consisting of a wide range of hosts, SMTP servers, IP addresses, and even private residential ISP connections, along with many additional his domain name,” security researchers Nati Tal and Oleg Zaytsev SAYS in a report shared by The Hacker News.

In particular, the campaign “uses the trust associated with these domains to spread spam and malicious phishing emails to millions every day, cunningly using their credibility and stolen resources to eliminate the security measure.”

These subdomains belong to or are affiliated with major brands and organizations such as the ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Symantec, The Economist, UNICEF, and VMware among others.

The campaign is known for its ability to bypass standard security blocks, with the entire body conceived as an image to evade text-based spam filters, clicking which initiates a series of redirecting to different domains.


“These redirects analyze your device type and geographic location, leading to content tailored to maximize revenue,” the researchers explained.

“This can be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download that aims to cheat you out of your money more directly. “

Multiple Spam Operations

Another important aspect of these emails is that they are also able to avoid the Sender Policy Framework (SPF), an email authentication method designed to prevent fraud by ensuring that the mail server is authorized to send email for a given domain.

It’s not just SPF, because emails also pass DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks that help prevent messages from being marked as spam.

Multiple Spam Operations

In an example of a fraudulent cloud storage warning email highlighted by Guardio, the message originated from an SMTP server in Kyiv, but was flagged as being sent from Return_UlKvw@marthastewart.msn.com.

A closer look at the DNS record for marthastewart.msn.com reveals that the subdomain is linked to another domain (msnmarthastewartsweeps(.)com) with that CNAME record, an aliasing technique used in the past by companies advertising technology to reach the third. -party cookie blocking.

“This means that the subdomain inherited the entire behavior of msnmarthastewartsweeps(.)com , including its SPF policy,” the researchers said. “In this case, the actor can send emails to whoever they want as if msn(.)com and their approved mailers sent those emails!”

Multiple Spam Operations

It is worth pointing out here that both domains were previously legitimate and in short active at some point in 2001, before they were left in an abandoned state for 21 years. Until September 2022 when msnmarthastewartsweeps(.)com is privately registered with Namecheap.

Other hijacking methods involve threat actors regularly scanning for long-forgotten subdomains with dangling CNAME records in abandoned domains and then registering them to control them.


CNAME takeovers can also have serious consequences if such identified subdomains are seized to host fake phishing pages designed to capture users’ credentials. As such, there is no evidence that any hijacked subdomains were used for this purpose.

Guardio said that instances were also found where the DNS SPF record in a known domain holds abandoned domains associated with defunct email or marketing-related services, thereby allowing attackers to gain ownership of such domains , inject their own IP addresses into the record, and finally send emails for the primary domain name.

In an effort to counter the threat and dismantle the infrastructure, Guardio made available a SubdoMailing Checkera website that enables domain administrators and site owners to search for signs of compromise.

“This operation is carefully designed not to use these assets for the distribution of various malicious ‘Advertisements,’ aiming to generate as many clicks as possible for these clients in the ‘ad network’,” the researchers said.

“Armed with a vast collection of compromised well-known domains, servers, and IP addresses, this ad network deftly navigates through the malicious email propagation process, seamlessly switching and hopping between its assets in will.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment