
Domains Once Owned by Major Firms Help Millions of Spam Emails Bypass Security

8,800 domains, many once owned by major companies, have been abused to get millions of emails past spam filters as part of SubdoMailing campaign.


Thousands of domains, many once owned by major companies, have been abused to get millions of emails past spam filters, online security firm Guardio reported on Monday.

The cybersecurity firm’s researchers have come across a significant campaign which they have dubbed SubdoMailing and attributed to a threat actor named ResurrecAds. 

Guardio reported identifying roughly 8,800 hijacked domains (more than 13,000 associated subdomains in total) being used to send approximately five million emails per day. The number of abused domains is growing by the hundreds every day.

The company has identified abused domains previously belonging to MSN, CBS News, New York City, Philips, Cornell University, VMware, Swatch, Scotiabank, and McAfee.

Since at least late 2022, ResurrecAds has been finding long-forgotten subdomains that still carry DNS records such as a CNAME (an alias pointing at another domain) or an SPF record (which lists the servers authorized to send email on a domain's behalf, to prevent spoofing).

Where such a record points at a domain that has since lapsed, the threat actor can register that domain and abuse it, together with the existing DNS records, to send out emails that have a better chance of getting past spam filters than a regular spam campaign.
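To show what the dangling-record condition described above looks like in practice, here is an added example (written for this page, not Guardio's checker or any tool from the SubdoMailing report) that audits a set of hostnames for CNAME chains ending in non-existent names and SPF records whose include:/redirect= targets no longer exist. All hostnames, records and IP addresses below are constructed for the example; a live audit would replace the in-memory zone with real DNS lookups, and the two-label "registrable domain" helper is a simplification of what a Public Suffix List lookup would give.

```python
"""Dangling-DNS audit for subdomain-takeover exposure.

Added example, not Guardio's tooling. Flags the two conditions the
SubdoMailing write-up describes:
  * a CNAME whose chain ends at a name that does not exist, so the target
    domain may be registrable by a third party;
  * an SPF record with include:/redirect= targets that do not exist, so
    whoever registers them decides which servers the parent's SPF
    authorizes.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed zone data keyed by lowercase FQDN -> [(rtype, rdata), ...].
# Any name absent from this map is treated as NXDOMAIN.
CONSTRUCTED_ZONE: dict[str, list[tuple[str, str]]] = {
    "promo.example-corp.test": [("CNAME", "promo-site.old-vendor.test")],  # vendor lapsed
    "www.example-corp.test": [("CNAME", "edge.cdn-provider.test")],
    "edge.cdn-provider.test": [("A", "203.0.113.10")],
    "example-corp.test": [("TXT", "v=spf1 ip4:198.51.100.0/24 "
                                  "include:_spf.mailer.test "
                                  "include:spf.forgotten-saas.test -all")],
    "_spf.mailer.test": [("TXT", "v=spf1 ip4:192.0.2.0/24 -all")],
    "loop.example-corp.test": [("CNAME", "loop2.example-corp.test")],
    "loop2.example-corp.test": [("CNAME", "loop.example-corp.test")],
}

MAX_CHAIN = 8  # guard against runaway CNAME chains


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def lookup(name: str, rtype: str, zone=CONSTRUCTED_ZONE) -> list[str]:
    return [data for (t, data) in zone.get(_norm(name), []) if t == rtype]


def exists(name: str, zone=CONSTRUCTED_ZONE) -> bool:
    return _norm(name) in zone


def registrable_domain(name: str) -> str:
    # Assumption: last two labels; a real tool would consult the Public Suffix List.
    return ".".join(_norm(name).split(".")[-2:])


@dataclass
class Finding:
    name: str
    kind: str  # dangling-cname | cname-loop | dangling-spf-include | spf-include-without-spf
    target: str
    registrable: str
    chain: list[str] = field(default_factory=list)


def follow_cname(name: str, zone=CONSTRUCTED_ZONE) -> tuple[list[str], str]:
    """Follow a CNAME chain; returns (chain, 'resolves' | 'nxdomain' | 'loop')."""
    chain, current = [_norm(name)], _norm(name)
    for _ in range(MAX_CHAIN):
        targets = lookup(current, "CNAME", zone)
        if not targets:
            return chain, "resolves" if exists(current, zone) else "nxdomain"
        nxt = _norm(targets[0])
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
        current = nxt
    return chain, "loop"


def spf_record(name: str, zone=CONSTRUCTED_ZONE) -> str | None:
    for txt in lookup(name, "TXT", zone):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_targets(txt: str) -> list[str]:
    """Extract include: and redirect= targets (qualifier prefixes stripped)."""
    out = []
    for term in txt.split():
        t = term.lstrip("+-~?")
        if t.lower().startswith("include:"):
            out.append(t[len("include:"):])
        elif t.lower().startswith("redirect="):
            out.append(t[len("redirect="):])
    return out


def audit(names: list[str], zone=CONSTRUCTED_ZONE) -> list[Finding]:
    findings: list[Finding] = []
    for name in names:
        if lookup(name, "CNAME", zone):
            chain, status = follow_cname(name, zone)
            if status in ("nxdomain", "loop"):
                kind = "dangling-cname" if status == "nxdomain" else "cname-loop"
                findings.append(Finding(name, kind, chain[-1], registrable_domain(chain[-1]), chain))
        spf = spf_record(name, zone)
        for tgt in spf_targets(spf) if spf else []:
            if not exists(tgt, zone):
                findings.append(Finding(name, "dangling-spf-include", tgt, registrable_domain(tgt)))
            elif spf_record(tgt, zone) is None:
                findings.append(Finding(name, "spf-include-without-spf", tgt, registrable_domain(tgt)))
    return findings


if __name__ == "__main__":
    for f in audit(list(CONSTRUCTED_ZONE)):
        print(f"{f.kind:24} {f.name} -> {f.target} (registrable: {f.registrable})")
```

The dangling-cname and dangling-spf-include findings are the ones worth acting on first: for each, the registrable domain is what an attacker would need to buy, so the fix is either to delete the stale record or to re-register that domain yourself before someone else does.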

The emails sent out as part of the SubdoMailing campaign are designed to trick users into interacting with the message, which takes them through a series of redirects that check the device type and location, ultimately leading the victim to scams or phishing websites.

One specific example described by Guardio involves the subdomain ‘marthastewart.msn.com’, which Microsoft used more than two decades ago for a Martha Stewart sweepstakes. 


ResurrecAds appears to be operating an ‘ad network’ whose goal is to generate as many clicks as possible for its clients.

“This [threat actor] appears to be systematically scanning the internet for vulnerable domains, identifying opportunities, purchasing domains, securing hosts and IP addresses and then meticulously orchestrating the ongoing campaign of email dissemination,” Guardio said. “This involves a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations.”

The cybersecurity firm has released an online tool that can be used to check whether a domain has been compromised and abused in the SubdoMailing campaign.

“The industry has had a false sense of security around trusted domains, as they have never been fully safe. At SlashNext, we see tens of thousands of malicious subdomains hiding in trusted domains. Currently, there are 149,345 live phishing threat URLs in our threat feed that are on legitimate, trusted domains,” Patrick Harr, CEO at anti-phishing company SlashNext, told SecurityWeek.

“While it’s important to have DMARC, DKIM and SPF, it’s not going to detect these threats. It’s critical to have AI technology like computer vision in your security stack that can look past the domain reputation to detect these threats which are hiding on legitimate sites,” Harr added. 

Related: Google’s RETVec Open Source Text Vectorizer Bolsters Malicious Email Detection

Related: SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols

Related: Chinese Hackers Deliver Malware to Barracuda Email Security Appliances via New Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
