Thousands of domains, many once owned by major companies, have been abused to get millions of emails past spam filters, online security firm Guardio reported on Monday.
The cybersecurity firm’s researchers have come across a significant campaign which they have dubbed SubdoMailing and attributed to a threat actor named ResurrecAds.
Guardio reported identifying roughly 8,800 hijacked domains, and more precisely over 13,000 associated subdomains, being used to send out approximately five million emails per day. The number of abused domains is growing by the hundreds every day.
The company has identified abused domains previously belonging to MSN, CBS News, New York City, Philips, Cornell University, VMware, Swatch, Scotiabank, and McAfee.
Since at least late 2022, ResurrecAds has been finding long-forgotten subdomains that have associated DNS records such as CNAME (alias for another domain), or SPF (lists all the servers authorized to send emails from a domain to prevent spoofing).
The threat actor can register the domain that such a record points to, then abuse the forgotten subdomain and its existing DNS records to send out emails that have a bigger chance of getting past spam filters than a regular spam campaign.
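As an added example (not Guardio's checker or any code from the article), the script below audits a zone for the two conditions described above: CNAME targets and SPF include/redirect domains that point at a domain nobody currently holds. The zone records and the set of "registered" domains are constructed sample data; a real audit would query DNS and WHOIS/RDAP in their place.

```python
"""Audit a DNS zone for dangling CNAME / SPF references (SubdoMailing-style takeover risk)."""
import re
from collections import defaultdict

# Constructed sample zone: (name, type, value). Two records still reference
# 'old-promo-vendor.example', a lapsed domain that anyone could re-register.
ZONE = [
    ("marketing.example.com", "CNAME", "old-promo-vendor.example."),
    ("shop.example.com", "CNAME", "shop.example-cdn.example."),
    ("example.com", "TXT", "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example include:old-promo-vendor.example -all"),
    ("news.example.com", "TXT", "v=spf1 include:spf.protection.outlook.example ~all"),
]
# Constructed: domains our registration check reports as currently registered.
REGISTERED = {"example.com", "example-cdn.example", "mailer.example", "outlook.example"}

def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. Real code should use a public-suffix list."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def spf_referenced_domains(txt: str) -> list[str]:
    """Domains an SPF record delegates sending trust to via include:/redirect=/a:/mx:."""
    if not txt.lower().startswith("v=spf1"):
        return []
    return re.findall(r"(?:include:|redirect=|a:|mx:)([^\s/]+)", txt, flags=re.I)

def find_dangling(zone, registered) -> dict[str, list[str]]:
    """Map each zone name to the external domains it references that are unregistered."""
    findings = defaultdict(list)
    for name, rtype, value in zone:
        if rtype == "CNAME":
            refs = [value]
        elif rtype == "TXT":
            refs = spf_referenced_domains(value)
        else:
            refs = []
        for ref in refs:
            base = registrable(ref)
            # Skip references back into our own zone; flag anything nobody holds.
            if base != registrable(name) and base not in registered:
                findings[name].append(base)
    return dict(findings)

if __name__ == "__main__":
    for name, targets in find_dangling(ZONE, REGISTERED).items():
        print(f"DANGLING {name}: references unregistered {sorted(set(targets))}")
```

A hit means either an attacker can take over the subdomain outright (CNAME) or mail from a domain they register would pass the parent's SPF check (include/redirect), which is the exact condition the campaign exploits.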
The emails sent out as part of the SubdoMailing campaign are designed to trick users into interacting with the message, which takes them through a series of redirects that check the device type and location, ultimately leading the victim to scams or phishing websites.
One specific example described by Guardio involves the subdomain ‘marthastewart.msn.com’, which Microsoft used more than two decades ago for a Martha Stewart sweepstakes.
ResurrecAds appears to be operating an ‘ad network’ whose goal is to generate as many clicks as possible for its clients.
“This [threat actor] appears to be systematically scanning the internet for vulnerable domains, identifying opportunities, purchasing domains, securing hosts and IP addresses and then meticulously orchestrating the ongoing campaign of email dissemination,” Guardio said. “This involves a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations.”
The cybersecurity firm has released an online tool that can be used to check whether a domain has been compromised and abused in the SubdoMailing campaign.
“The industry has had a false sense of security around trusted domains, as they have never been fully safe. At SlashNext, we see tens of thousands of malicious subdomains hiding in trusted domains. Currently, there are 149,345 live phishing threat URLs in our threat feed that are on legitimate, trusted domains,” Patrick Harr, CEO at anti-phishing company SlashNext, told SecurityWeek.
“While it’s important to have DMARC, DKIM and SPF, it’s not going to detect these threats. It’s critical to have AI technology like computer vision in your security stack that can look past the domain reputation to detect these threats which are hiding on legitimate sites,” Harr added.