Decoding the tricks: An analysis of poisoned domains in the SubdoMailing Attack

At Red Sift, we have been paying close attention to SubdoMailing – a domain takeover attack first discovered in February of 2024. Malicious actors exploited poorly maintained DNS records to send fraudulent emails impersonating legitimate brands. 

We identified affected organizations in our customer base and resolved the issue for all impacted users within 72 hours. 

The attack was widely reported to have been carried out by a single group of Israeli hackers sending spam driving readers to fake websites that were used to generate ad revenue. Since February we have been conducting our own analyses of the attack and believe that multiple groups are using SudboMailing to send fraudulent mail on behalf of legitimate brands. 

Let’s dive into the research.

Patterns in Domain Names

By analyzing various signals, we compiled an extensive dataset of poisoned domains – or domains included in the DNS of legitimate brands that were exploited by malicious actors. This article presents our findings from a comprehensive analysis of a sample of 6,225 domains, with 4,527 of them still active. Each active domain includes a list of IP ranges in their SPF record, encompassing IPs recursively retrieved from `include` statements.

These poisoned domains are recently registered. The attackers have different strategies for naming them. We highlight the following 4 strategies and list a few examples that we discovered in our analysis.

1. Impersonation: Mimicking Popular Brands and Services

In this strategy, bad actors used a typo-squatting strategy. They registered domains that were similar to popular brands or services that could have been mistyped into an organization’s DNS – thus giving them the ability to send mail on the organization’s behalf. While the list is extensive, here are a handful of examples we discovered. 

Big brands

  • Google
    • ghs.gglehosted.com
    • ghs.googlehoste.com
    • ghs.google-hosted.com
    • ghs.google hosted.co
  • Microsoft
    • clientconfig.microsofonline-p.net
    • clientconfig.microsoftoneline-p.net
    • clientconfig.microsoftonlie-p.net
  • Amazon
    • amazoses.com
    • amasonses.com
    • amazanpro.in
  • Marketo: 97 domains with the following format
    • mkto-ab010016.com
    • mkto-ab020157.com
    • mkto-ab030101.com
  • Shopify
    • xmyshopify.com
    • shopsmyshopify.com

Email/Internet-related brands

  • HubSpot
    • hubspotemails.net
    • 26282125hubspotemail.net
  • Mailjet
    • spfmailjet.com
    • spf-mailjet.com
  • Barracuda Networks
    • barracudaneworks.com
  • SendGrid
    • sendgrd.net
    • sengdrid.net
    • sengride.net
  • Squarespace
    • squaresspace.info
    • sqaurespace-mail.com

General internet services

  • Nameserver
    • onestopsocial.media.atnameserver.icu
    • luxuryvilla.ru.atnameserver.icu
  • Register servers
    • registar-servers.com
    • registrat-servers.com

2. Word Combinations: Generating Domains from English Terms

In this strategy, a domain name is a concatenation of a few words in English. The number of words vary, but between 2 and 4. If words are randomly selected from a dictionary, it’s unlikely that they will make sense when put together. In our analysis, we found that while 2-word domains may sound odd, most 3-4 word domains do make sense.

  • ailplug.com, chancecolon.com, woundfraction.com
  • bestdinnerideas.com, connectviaweb.com, fastcashloans.me
  • air-conditioner-with-heater.com, simplythebestevent.co.uk, workfromhomedigital.com

3. Word Mutations: Altering Uncommon English Words

The process starts with a base word then adds, removes or substitutes one or two letters to create a typo version, increasing the chance of successful domain registration. Some observations:

  • The majority domain lengths are around 10 within plus/minus 2.
  • Words are often rare or used in scientific domains such as medical.

Examples:

  • chromatop (chromatope), despoliat (despoilate), hypnophob (hypnophobia)
  • mancipator (emancipator), ntecedency (antecedency), riminogenic (criminogenic)
  • pelalagrin (pelaggrin), demaguogies (demagogues), mainvbstream (mainstream)

4. Subtle Patterns: Generating Semi-Random Domain Names

A large number of domains do not look completely random but subtle patterns exist. 

Examples:

  • Including numbers: 139come.com, 1paket.net, 20xx.gg
  • Abbreviation: mailsvrc3.com, mccsv.net, mfka.at
  • Non-English: benghalensis.com, juani.me, luezhaoxun.com

Discussion

We made two notable observations.

In an SPF lookup tree, a leaf node is a domain that specifies IPs explicitly in its SPF record, whereas an intermediate node is a domain that uses the include mechanism. The majority (56/59) of domains listed as examples of Strategy 1 (popular brands and services) are intermediate nodes. These intermediate nodes include other domains that seem to be generated using word combinations (Strategy 3) or less obvious patterns (Strategy 4). Below are the SPF trees for ghs.google-hosted.com and clientconfig.microsoftonline-p.net. All the nodes on the right side of the figures are leaf nodes with explicit IP mechanisms in their records.

The second observation concerns domains generated through the mutation of English words (Strategy 3).

  • All these domains are leaf nodes.
  • They are not included in any other domains and exist as flat structures.
  • The SPF records for these domains typically contain a very small number of IP addresses compared to other domains. Usually, they include up to 8 IP addresses, with a few exceptions that have 256 IP addresses (one /24 subnet).

The most important takeaway: These domains are substantially different from the others in multiple ways so it’s likely that they belong to a separate group of attackers.

Exploring Shared IP Addresses

In our analysis of 4,527 active domains, we identified only 938 unique SPF records. This indicates that many domains either share identical SPF records or have significant overlap in IP addresses. Our goal is to further investigate and map out the IP address sharing patterns in our collected data.

Extracting IP Addresses from SPF Records

To extract IPs from SPF records, we followed these steps:

  • For records containing explicit IPs, the process is straightforward (e.g., v=spf1 1.2.3.4/30).
  • For records using the include mechanism, we recursively resolved the included domains to gather all associated IPs (e.g., v=spf1 include:domain1.com include:domain2.com).

Visualizing the Domain Network

From there, we are able to build a network of domains where a node is a domain or group of domains that have the same SPF record. Two nodes have a connection if they share some IPs.

  • Node size represents the number of domains sharing the same SPF record. The largest group in our dataset includes 399 domains with the SPF record v=spf1 include:countrymessage.com include:whenstocks.com -all.
  • Edge size indicates the number of IPs shared between two domain groups.
  • Node color represents clusters where nodes within the same cluster have stronger connections compared to nodes in other clusters. Details on clustering are provided later.

Simplifying the Network for Clarity

To enhance clarity and focus on significant connections, we apply several operations:

  • Merging overlapping domains: Domains with highly overlapping IP addresses are merged.
  • Visualizing the largest component: Most domains are interconnected through various hops. We display only the largest connected component.
  • Filtering weak connections: Edges representing fewer than 128 shared IPs are removed, highlighting the ‘strong’ network.

Understanding the Clusters

Local Dense Connections

We used a community detection algorithm to identify clusters. Each cluster centers around a large domain group (large nodes), typically including intermediate domains. These intermediate domains may recursively include other intermediate or leaf domains, forming dense clusters. Leaf domains can share IPs with those in other clusters, connecting the clusters together.

Clusters make sense in terms of IP sharing. But what other characteristics do these clusters exhibit?

Domain Name Generation

Clusters comprise a mix of intermediate and leaf domains. Notably, the 59 brand domains are distributed across all clusters. Domains generated through word mutation are not visible in this visualization as they include few IPs and are filtered out.

Autonomous System Number (ASN)

An ASN (Autonomous System Number) is a unique identifier assigned to each autonomous system (AS) on the internet. An AS is a collection of IP networks and routers managed by a single organization that follows a common routing policy. Our analysis reveals that ASNs are distributed unevenly across different clusters, indicating diverse organizational controls in the entire attack.

Cluster
Top ASN 1
Top ASN 2
Top ASN 3
1
IONOS SE (10.32%)
Xiamen (9.56%)
AS-CHOOPA (7.36%)
2
IONOS SE (54.13%)
Shenzhen Tencent Computer Systems Company Limited (14.18%)
Scaleway S.a.s. (10.64%)
3
AS-COLOCROSSING (11.10%)
velia.net Internetdienste GmbH (6.01%)
MEVSPACE sp. z o.o. (3.43%)
4
Teknet Yazlim Ve Bilgisayar Teknolojileri (15.78%)
Unidentified (11.39%)
ASN-QUADRANET-GLOBAL (8.84%)
5
Locaweb Servicos de Internet SA (24.46%)
AMAZON-02 (24.04%)
Dattatec.com (13.37%)
6
Unidentified (14.37%)
EZZI-101-BGP (6.88%)
velia.net Internetdienste GmbH (6.59%)

Where do we go from here?

Analyzing a complex attack like SubdoMailing is no simple undertaking. But, our research indicates that SubdoMailing is simply one tactic used by groups around the world to send spam and impersonate legitimate brands. 

We continue to work with others across the industry to better understand the widespread nature of the attack and will continue to share periodic updates. 

If you are interested in understanding if your brand has been impacted by SubdoMailing, try Red Sift’s SPF Checker. We have also recently announced DNS Guardian – a new feature in Red Sift OnDMARC that security teams can use to swiftly identify and stop domain takeovers that lead to spam.

PUBLISHED BY

Phong Nguyen

25 Jun. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more
Certificates

Never miss an expiring certificate again with Red Sift Certificates Lite

Francesca Rünger-Field

SSL/TLS certificates are the backbone of secure, uninterrupted digital experiences—but managing them effectively to prevent downtime remains a persistent challenge. With browser and certificate authorities looking to reduce certificate durations to as little as 90 or even 47 days, keeping track of renewals has never been more critical. That’s why we’re excited to introduce…

Read more
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more