
Domain hijacking

Domain hijacking is the unauthorized takeover of a registered domain name. Once the attacker controls the registration or registrar account, they can redirect traffic, intercept email, and impersonate the business. It is an identity and trust failure as much as a technical one.

Expanded Definition

Domain hijacking is a registration and trust compromise, not just a DNS issue. It occurs when an attacker gains control of a domain registrar account, transfer authorization, or related recovery channel, then uses that control to alter nameservers, reroute mail, or impersonate the domain owner. In NHI security, the domain itself functions like a high-value identity boundary because it anchors email reputation, authentication flows, and public trust.

Vendor definitions differ on whether the takeover happens through registrar abuse or credential theft, but the operational outcome is the same: the attacker can act as the legitimate domain holder. That places it squarely within the identity governance and resilience concerns described by the NIST Cybersecurity Framework 2.0, especially where access control and recovery processes intersect. NHI Management Group treats domain hijacking as a control failure across registrar access, DNS change authority, and out-of-band recovery.

The most common misapplication is to treat it as a pure DNS outage: responders fix the resolution symptoms without first validating registrar ownership and the integrity of the account recovery path.

Examples and Use Cases

Implementing domain protections rigorously often introduces operational friction, requiring organisations to weigh recovery speed against the risk of unauthorised changes.

  • A registrar admin account is phished, and the attacker changes MX records to intercept executive email and password resets.
  • Someone socially engineers support at the registrar and initiates an unauthorized transfer, then redirects web traffic to a fraudulent site.
  • A compromised NHI with access to domain management tooling updates nameservers during off-hours, breaking email delivery and enabling impersonation.
  • An organisation detects a takeover only after certificate issuance and login alerts begin failing, revealing that the domain owner email has been changed.
  • During incident review, teams discover the attacker had persistence through recovery contacts, not just the primary registrar password, similar to the attack patterns discussed in the DeepSeek breach research and the identity abuse patterns seen in LLMjacking: How Attackers Hijack AI Using Compromised NHIs.

These cases align with standards thinking in NIST Cybersecurity Framework 2.0, where recovery and access governance must be designed to prevent unauthorized control changes as well as detect them.
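The cases above share one pattern: the first reliable signal is drift in registrar-level state (owner email, recovery contacts, transfer lock) rather than a DNS symptom. The following Python is an added example, not code from the journal or from NHI Management Group; the snapshot field names and the sample values are assumptions constructed for illustration, and a real check would populate them from the registrar's API, RDAP/WHOIS, and DNS lookups.

```python
# Added example: compare a domain's expected registrar/DNS state against a
# fresh snapshot and triage any drift. Field names are assumptions made for
# this example, not a real registrar API.

REGISTRAR_FIELDS = {"registrar", "registrant_email", "recovery_contacts", "transfer_lock"}
DNS_FIELDS = {"ns", "mx"}
SEVERITY = {"registrar": "critical", "registrant_email": "critical",
            "recovery_contacts": "critical", "transfer_lock": "critical",
            "ns": "critical", "mx": "high"}


def diff_domain_state(baseline, observed):
    """Return one finding per field whose observed value differs from the baseline."""
    findings = []
    for field in REGISTRAR_FIELDS | DNS_FIELDS:
        before, after = baseline.get(field), observed.get(field)
        if before != after:
            findings.append({"field": field, "severity": SEVERITY[field],
                             "before": before, "after": after})
    return sorted(findings, key=lambda f: f["field"])


def triage(findings):
    """Decide whether drift looks like a registration-layer takeover.

    Registrar-layer drift (owner email, recovery contacts, lock, registrar) means
    ownership must be re-established before DNS is "fixed"; DNS-only drift may be
    an authorised change or a compromised DNS admin role, and is handled separately.
    """
    changed = {f["field"] for f in findings}
    if changed & REGISTRAR_FIELDS:
        return "registrar_takeover_suspected"
    if changed & DNS_FIELDS:
        return "dns_change_only"
    return "no_drift"


# Constructed sample snapshots (not real records). The observed state mirrors the
# cases above: a recovery contact added, the transfer lock dropped, MX redirected.
BASELINE = {
    "registrar": "Example Registrar",
    "registrant_email": "domains@example.com",
    "recovery_contacts": frozenset({"it-ops@example.com"}),
    "transfer_lock": True,
    "ns": frozenset({"ns1.example-dns.invalid", "ns2.example-dns.invalid"}),
    "mx": frozenset({"mx1.example-mail.invalid"}),
}
OBSERVED = dict(BASELINE,
                recovery_contacts=frozenset({"it-ops@example.com", "helpdesk@unknown-host.invalid"}),
                transfer_lock=False,
                mx=frozenset({"mx.unknown-host.invalid"}))

if __name__ == "__main__":
    for f in diff_domain_state(BASELINE, OBSERVED):
        print(f"[{f['severity']}] {f['field']}: {f['before']} -> {f['after']}")
    print("triage:", triage(diff_domain_state(BASELINE, OBSERVED)))
```

Run against a scheduled snapshot, a `registrar_takeover_suspected` result should open an ownership-recovery workflow with the registrar before any DNS correction is attempted.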

Why It Matters in NHI Security

Domain hijacking is especially dangerous because it compromises the trust layer that many NHIs depend on: mail routing, SSO domain verification, DNS-based service discovery, and certificate issuance workflows. Once the domain is taken, the attacker can impersonate the organisation in ways that are difficult to distinguish from legitimate activity, even when endpoint security remains intact. That makes registrar credentials, DNS admin roles, and recovery paths part of the NHI attack surface.

The stakes rise further when a hijacked domain is used to reset access to cloud consoles, SaaS platforms, or code hosting accounts. NHIMG research on The State of Secrets in AppSec shows that leaked credentials are often remediated slowly, with an average time to remediate of 27 days, which extends the window in which a hijacked domain can be used for follow-on compromise. When attackers can act within minutes of exposure, as highlighted in LLMjacking: How Attackers Hijack AI Using Compromised NHIs, domain control becomes an urgent identity governance issue rather than a branding problem.

Organisations typically see the full business impact only after customers, partners, or email systems start failing, by which point addressing the hijack can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC | Covers access governance and identity assurance for registrar and DNS control paths.
NIST CSF 2.0 | DE.CM | Domain takeover is often detected through abnormal DNS, mail, or account-change telemetry.
OWASP Non-Human Identity Top 10 | NHI-02 | Registrar credentials and recovery secrets are sensitive non-human identity assets.

Restrict registrar and DNS admin access, then verify recovery paths and change authority regularly.