Decoding the tricks: An analysis of poisoned domains in the SubdoMailing Attack

At Red Sift, we have been paying close attention to SubdoMailing – a domain takeover attack first discovered in February of 2024. Malicious actors exploited poorly maintained DNS records to send fraudulent emails impersonating legitimate brands. 

We identified affected organizations in our customer base and resolved the issue for all impacted users within 72 hours. 

The attack was widely reported to have been carried out by a single group of Israeli hackers sending spam driving readers to fake websites that were used to generate ad revenue. Since February we have been conducting our own analyses of the attack and believe that multiple groups are using SubdoMailing to send fraudulent mail on behalf of legitimate brands. 

Let’s dive into the research.

Patterns in Domain Names

By analyzing various signals, we compiled an extensive dataset of poisoned domains – domains included in the DNS of legitimate brands that were exploited by malicious actors. This article presents our findings from a comprehensive analysis of a sample of 6,225 domains, 4,527 of which are still active. For each active domain we collected the list of IP ranges in its SPF record, including IPs recursively retrieved through `include` statements.

These poisoned domains were registered recently. The attackers use different strategies for naming them. We highlight the following 4 strategies and list a few examples that we discovered in our analysis.

1. Impersonation: Mimicking Popular Brands and Services

In this strategy, bad actors used a typo-squatting strategy. They registered domains that were similar to popular brands or services that could have been mistyped into an organization’s DNS – thus giving them the ability to send mail on the organization’s behalf. While the list is extensive, here are a handful of examples we discovered. 

Big brands

  • Google
    • ghs.gglehosted.com
    • ghs.googlehoste.com
    • ghs.google-hosted.com
    • ghs.google hosted.co
  • Microsoft
    • clientconfig.microsofonline-p.net
    • clientconfig.microsoftoneline-p.net
    • clientconfig.microsoftonlie-p.net
  • Amazon
    • amazoses.com
    • amasonses.com
    • amazanpro.in
  • Marketo: 97 domains with the following format
    • mkto-ab010016.com
    • mkto-ab020157.com
    • mkto-ab030101.com
  • Shopify
    • xmyshopify.com
    • shopsmyshopify.com

Email/Internet-related brands

  • HubSpot
    • hubspotemails.net
    • 26282125hubspotemail.net
  • Mailjet
    • spfmailjet.com
    • spf-mailjet.com
  • Barracuda Networks
    • barracudaneworks.com
  • SendGrid
    • sendgrd.net
    • sengdrid.net
    • sengride.net
  • Squarespace
    • squaresspace.info
    • sqaurespace-mail.com

General internet services

  • Nameserver
    • onestopsocial.media.atnameserver.icu
    • luxuryvilla.ru.atnameserver.icu
  • Register servers
    • registar-servers.com
    • registrat-servers.com

2. Word Combinations: Generating Domains from English Terms

In this strategy, a domain name is a concatenation of a few English words. The number of words varies, but lies between 2 and 4. If words are randomly selected from a dictionary, it’s unlikely that they will make sense when put together. In our analysis, we found that while 2-word domains may sound odd, most 3-4 word domains do make sense.

  • ailplug.com, chancecolon.com, woundfraction.com
  • bestdinnerideas.com, connectviaweb.com, fastcashloans.me
  • air-conditioner-with-heater.com, simplythebestevent.co.uk, workfromhomedigital.com

3. Word Mutations: Altering Uncommon English Words

The process starts with a base word, then adds, removes or substitutes one or two letters to create a typo version, increasing the chance of successful domain registration. Some observations:

  • Most domain lengths are around 10 characters, plus or minus 2.
  • The words are often rare or drawn from scientific fields such as medicine.

Examples:

  • chromatop (chromatope), despoliat (despoilate), hypnophob (hypnophobia)
  • mancipator (emancipator), ntecedency (antecedency), riminogenic (criminogenic)
  • pelalagrin (pelaggrin), demaguogies (demagogues), mainvbstream (mainstream)

4. Subtle Patterns: Generating Semi-Random Domain Names

A large number of domains do not look completely random but subtle patterns exist. 

Examples:

  • Including numbers: 139come.com, 1paket.net, 20xx.gg
  • Abbreviation: mailsvrc3.com, mccsv.net, mfka.at
  • Non-English: benghalensis.com, juani.me, luezhaoxun.com

Discussion

We made two notable observations.

In an SPF lookup tree, a leaf node is a domain that specifies IPs explicitly in its SPF record, whereas an intermediate node is a domain that uses the include mechanism. The majority (56/59) of domains listed as examples of Strategy 1 (popular brands and services) are intermediate nodes. These intermediate nodes include other domains that seem to be generated using word combinations (Strategy 2) or less obvious patterns (Strategy 4). Below are the SPF trees for ghs.google-hosted.com and clientconfig.microsoftonline-p.net. All the nodes on the right side of the figures are leaf nodes with explicit IP mechanisms in their records.

The second observation concerns domains generated through the mutation of English words (Strategy 3).

  • All these domains are leaf nodes.
  • They are not included in any other domains and exist as flat structures.
  • The SPF records for these domains typically contain a very small number of IP addresses compared to other domains. Usually, they include up to 8 IP addresses, with a few exceptions that have 256 IP addresses (one /24 subnet).

The most important takeaway: These domains are substantially different from the others in multiple ways so it’s likely that they belong to a separate group of attackers.

Exploring Shared IP Addresses

In our analysis of 4,527 active domains, we identified only 938 unique SPF records. This indicates that many domains either share identical SPF records or have significant overlap in IP addresses. Our goal is to further investigate and map out the IP address sharing patterns in our collected data.

Extracting IP Addresses from SPF Records

To extract IPs from SPF records, we followed these steps:

  • For records containing explicit IPs, the process is straightforward (e.g., v=spf1 ip4:1.2.3.4/30).
  • For records using the include mechanism, we recursively resolved the included domains to gather all associated IPs (e.g., v=spf1 include:domain1.com include:domain2.com).
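The two steps above, as an added example that is not the article's own tooling: a recursive walk over SPF `include` chains that collects every ip4/ip6 network, labels each visited domain as a leaf (explicit IPs only), an intermediate (uses include), or missing (no SPF record at all), and enforces the 10-lookup limit from RFC 7208. The DNS records are a constructed in-memory dictionary standing in for live TXT lookups; none of the names or addresses are from the dataset discussed here. The "missing" label is the defender's check that matters most for SubdoMailing: an include that points at a name with no SPF record is a stale entry that should be removed before someone else registers it.

```python
import ipaddress

# Constructed DNS TXT data standing in for live DNS lookups; none of these
# names or addresses come from the article's dataset (assumption).
DNS_TXT = {
    "brand.example": "v=spf1 include:ghs.hosted-vendor.test include:_spf.mailer.test "
                     "include:_spf.retired-vendor.test -all",
    "ghs.hosted-vendor.test": "v=spf1 include:leaf-a.test include:leaf-b.test ~all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "leaf-a.test": "v=spf1 ip4:203.0.113.8/29 ip6:2001:db8::/120 -all",
    "leaf-b.test": "v=spf1 ip4:203.0.113.16/30 include:leaf-a.test -all",
    "loop.test": "v=spf1 include:loop.test -all",
    # "_spf.retired-vendor.test" has no record on purpose: a dangling include
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def parse_spf(record):
    """Split an SPF record into (ip networks, included domains).
    Qualifiers (+ - ~ ?) are stripped; other mechanisms (a, mx, redirect=)
    are ignored here to keep the walk focused on ip4/ip6 and include."""
    nets, includes = [], []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            includes.append(term.split(":", 1)[1].lower())
    return nets, includes


def resolve_spf(domain, records=DNS_TXT):
    """Walk the include tree below `domain`.
    Returns (ips, nodes): ips is the set of networks reachable from the root,
    nodes maps every visited domain to 'leaf', 'intermediate' or 'missing'."""
    ips, nodes, lookups = set(), {}, 0

    def walk(d):
        nonlocal lookups
        if d in nodes:            # already expanded; this also stops include loops
            return
        rec = records.get(d)
        if rec is None or not rec.lower().startswith("v=spf1"):
            # No SPF record: a permerror for SPF evaluation, and a takeover
            # candidate if the name is unregistered or expired.
            nodes[d] = "missing"
            return
        nets, includes = parse_spf(rec)
        nodes[d] = "intermediate" if includes else "leaf"
        ips.update(nets)
        for inc in includes:
            lookups += 1
            if lookups > MAX_LOOKUPS:
                raise RuntimeError(f"{domain}: more than {MAX_LOOKUPS} include lookups (permerror)")
            walk(inc)

    walk(domain.lower())
    return ips, nodes


def address_count(nets):
    """Number of distinct addresses authorised, with overlapping prefixes collapsed."""
    total = 0
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def dangling_includes(domain, records=DNS_TXT):
    """Included names that resolve to no SPF record: the stale entries a
    domain owner should prune from the record."""
    _, nodes = resolve_spf(domain, records)
    return sorted(d for d, kind in nodes.items() if kind == "missing")


if __name__ == "__main__":
    ips, nodes = resolve_spf("brand.example")
    for d, kind in nodes.items():
        print(f"{kind:13} {d}")
    print("authorised addresses:", address_count(ips))
    print("dangling includes:", dangling_includes("brand.example"))
```

For the constructed root `brand.example` the walk visits six names, counts 524 distinct addresses, and reports `_spf.retired-vendor.test` as dangling. Swapping the dictionary for real TXT lookups is the only change needed to run it against a live zone.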

Visualizing the Domain Network

From there, we are able to build a network of domains where a node is a domain or group of domains that have the same SPF record. Two nodes have a connection if they share some IPs.

  • Node size represents the number of domains sharing the same SPF record. The largest group in our dataset includes 399 domains with the SPF record v=spf1 include:countrymessage.com include:whenstocks.com -all.
  • Edge size indicates the number of IPs shared between two domain groups.
  • Node color represents clusters where nodes within the same cluster have stronger connections compared to nodes in other clusters. Details on clustering are provided later.

Simplifying the Network for Clarity

To enhance clarity and focus on significant connections, we apply several operations:

  • Merging overlapping domains: Domains with highly overlapping IP addresses are merged.
  • Visualizing the largest component: Most domains are interconnected through various hops. We display only the largest connected component.
  • Filtering weak connections: Edges representing fewer than 128 shared IPs are removed, highlighting the ‘strong’ network.
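The network construction and the first and third simplification steps (merging domains with identical SPF records, dropping edges with fewer than 128 shared IPs, keeping the largest connected component), as an added example that is not the article's own code. The domains, records and IP sets are constructed; integers stand in for addresses and `ip_block` fakes one /24 per call. Merging domains whose IP sets merely overlap heavily is not implemented here, only the exact-record merge.

```python
from itertools import combinations


def ip_block(n, size=256):
    """Integers standing in for the addresses of one /24 (n selects the block).
    Constructed stand-in for IP sets produced by SPF resolution."""
    return set(range(n * 256, n * 256 + size))


# Constructed data (assumption): domain -> (SPF record as published, IPs
# reachable from it). None of these names or addresses are from the article.
DOMAINS = {
    "alpha.test":   ("v=spf1 include:hub-a.test -all", ip_block(1) | ip_block(2)),
    "beta.test":    ("v=spf1 include:hub-a.test -all", ip_block(1) | ip_block(2)),  # identical record to alpha
    "gamma.test":   ("v=spf1 include:hub-b.test -all", ip_block(2) | ip_block(3)),
    "delta.test":   ("v=spf1 ip4:203.0.113.0/24 -all", ip_block(3)),
    "epsilon.test": ("v=spf1 ip4:203.0.113.0/26 -all", ip_block(3, size=64)),   # only 64 IPs shared: weak edge
    "mutant.test":  ("v=spf1 ip4:198.51.100.8/29 -all", ip_block(99, size=8)),  # tiny leaf, like Strategy 3
    "island.test":  ("v=spf1 ip4:192.0.2.0/24 -all", ip_block(50)),             # shares nothing with anyone
}


def build_network(domains, min_shared=128):
    """Nodes: one per distinct SPF record (domains with identical records are
    merged). Edges: node pairs sharing at least min_shared IPs, weighted by
    the number of shared IPs."""
    nodes = {}
    for domain, (record, ips) in domains.items():
        node = nodes.setdefault(record, {"domains": [], "ips": ips})
        node["domains"].append(domain)
    edges = {}
    for a, b in combinations(nodes, 2):
        shared = len(nodes[a]["ips"] & nodes[b]["ips"])
        if shared >= min_shared:
            edges[(a, b)] = shared
    return nodes, edges


def largest_component(nodes, edges):
    """Keys of the nodes in the largest connected component (iterative DFS)."""
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    best, seen = set(), set()
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        if len(comp) > len(best):
            best = comp
    return best


def summarise(domains, min_shared=128):
    """Sizes of the simplified network plus the domains that survive into the
    largest component."""
    nodes, edges = build_network(domains, min_shared)
    comp = largest_component(nodes, edges)
    return {
        "nodes": len(nodes),
        "edges": len(edges),
        "largest_component_nodes": len(comp),
        "largest_component_domains": sorted(d for n in comp for d in nodes[n]["domains"]),
    }


if __name__ == "__main__":
    print(summarise(DOMAINS))              # strong network, 128-IP threshold
    print(summarise(DOMAINS, min_shared=1))  # every overlap kept
```

With the 128-IP threshold the constructed set collapses to six nodes and two edges, and the largest component holds four domains; `epsilon.test` only joins once the threshold is lowered, which is the same filtering effect that removes the small Strategy 3 leaves from the visualisation described above.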

Understanding the Clusters

Local Dense Connections

We used a community detection algorithm to identify clusters. Each cluster centers around a large domain group (large nodes), typically including intermediate domains. These intermediate domains may recursively include other intermediate or leaf domains, forming dense clusters. Leaf domains can share IPs with those in other clusters, connecting the clusters together.

Clusters make sense in terms of IP sharing. But what other characteristics do these clusters exhibit?

Domain Name Generation

Clusters comprise a mix of intermediate and leaf domains. Notably, the 59 brand domains are distributed across all clusters. Domains generated through word mutation are not visible in this visualization as they include few IPs and are filtered out.

Autonomous System Number (ASN)

An ASN (Autonomous System Number) is a unique identifier assigned to each autonomous system (AS) on the internet. An AS is a collection of IP networks and routers managed by a single organization that follows a common routing policy. Our analysis reveals that ASNs are distributed unevenly across different clusters, indicating diverse organizational controls in the entire attack.

Cluster | Top ASN 1 | Top ASN 2 | Top ASN 3
1 | IONOS SE (10.32%) | Xiamen (9.56%) | AS-CHOOPA (7.36%)
2 | IONOS SE (54.13%) | Shenzhen Tencent Computer Systems Company Limited (14.18%) | Scaleway S.a.s. (10.64%)
3 | AS-COLOCROSSING (11.10%) | velia.net Internetdienste GmbH (6.01%) | MEVSPACE sp. z o.o. (3.43%)
4 | Teknet Yazlim Ve Bilgisayar Teknolojileri (15.78%) | Unidentified (11.39%) | ASN-QUADRANET-GLOBAL (8.84%)
5 | Locaweb Servicos de Internet SA (24.46%) | AMAZON-02 (24.04%) | Dattatec.com (13.37%)
6 | Unidentified (14.37%) | EZZI-101-BGP (6.88%) | velia.net Internetdienste GmbH (6.59%)

Where do we go from here?

Analyzing a complex attack like SubdoMailing is no simple undertaking. But our research indicates that SubdoMailing is simply one tactic used by groups around the world to send spam and impersonate legitimate brands. 

We continue to work with others across the industry to better understand the widespread nature of the attack and will continue to share periodic updates. 

If you are interested in understanding if your brand has been impacted by SubdoMailing, try Red Sift’s SPF Checker. We have also recently announced DNS Guardian – a new feature in Red Sift OnDMARC that security teams can use to swiftly identify and stop domain takeovers that lead to spam.

PUBLISHED BY

Phong Nguyen

25 Jun. 2024
