What is a subdomain takeover?

A subdomain takeover happens when an attacker gains control of one of your subdomains — not by hacking your servers, but by claiming an abandoned third-party resource that one of your DNS records still points to. The result is that an attacker can serve their own content on a hostname like support.yourcompany.com, with all the trust your real domain carries.

How a subdomain takeover happens

The root cause is a dangling DNS record. The typical sequence:

• You set up a service on a subdomain — say a help center — and create a CNAME record pointing help.yourcompany.com at the provider’s hostname.
• Later, you stop using that service and delete the account or resource — but the CNAME record is left behind in your DNS.
• The provider’s hostname is now unclaimed. An attacker registers that exact resource on the same provider, and because your CNAME still points to it, your subdomain now resolves to the attacker’s content.

No breach of your infrastructure is required. The vulnerability is the orphaned pointer.

Why it is dangerous

• Phishing with real credibility. Attackers host fake login or payment pages on a subdomain your customers and staff already trust — far more convincing than a lookalike domain.
• Cookie and session theft. Cookies scoped to your parent domain may be readable from the taken-over subdomain, enabling session hijacking.
• Allowlist and trust bypass. Systems that trust *.yourcompany.com — for CORS, OAuth redirects, or content embedding — can be abused.
• Reputation and deliverability damage if the subdomain is used for spam or malware.

Commonly affected services

Subdomain takeover is possible wherever you point a CNAME at a provider-controlled hostname whose underlying resource can be released and re-claimed: cloud and static hosting, CDNs, app/PaaS platforms, help-desk and documentation tools, and marketing/email services. The provider is not the problem — leaving the DNS record after decommissioning is.

How to detect subdomain takeover risk

• Build a complete subdomain inventory. You cannot audit records you do not know exist — continuous discovery is the foundation of external attack surface management.
• Resolve every record and identify CNAMEs pointing to third-party services.
• Check for the dangling fingerprint — a target that returns a provider’s “no such site / not found” page is a classic takeover candidate.
• Prioritize active risk — records pointing at known takeover-prone services that no longer resolve to a live resource.

How to prevent it

• Decommission in the right order: remove the DNS record first, or at the same time as you tear down the service — never leave the CNAME behind.
• Keep an owner for every DNS record so stale entries get cleaned up.
• Audit DNS regularly and treat unknown or unattributed records as suspect.
• Monitor continuously — new subdomains and services appear faster than manual audits can keep up.

The fastest way to see your exposure is a free external scan of your domain, which discovers subdomains and flags takeover and dangling-DNS risks alongside your other external exposures.