Subdomain hijacking occurs when an attacker takes control of a legitimate subdomain, often through a dangling DNS record that points to an abandoned third-party service. The result is trusted branding attached to attacker-owned infrastructure, which can be used for phishing or malicious hosting.
Expanded Definition
Subdomain hijacking is the takeover of a legitimate subdomain after its DNS mapping remains in place but the downstream service is no longer controlled by the organisation. In NHI security, the risk is not just domain reputation loss, but the creation of a trusted-looking endpoint that can be used to impersonate services, harvest secrets, or deliver malicious content. The condition most often involves a dangling CNAME, expired cloud resource, or abandoned SaaS tenant that still answers for the original hostname.
Definitions vary across vendors on whether the term should include only dangling DNS records or also takeover of misconfigured hosted content, but the operational signal is the same: a trusted name now resolves to attacker-controlled infrastructure. This is closely related to DNS hygiene, asset lifecycle management, and external attack surface reduction. The NIST Cybersecurity Framework 2.0 treats this as a governance and asset-management failure, not merely a web issue. In practice, subdomain hijacking often follows weak deprovisioning of cloud or third-party services. The most common misapplication is assuming that deleting the application is enough, which occurs when DNS records are left pointing at a released service.
Examples and Use Cases
Implementing subdomain protection rigorously often introduces inventory and lifecycle overhead, requiring organisations to weigh faster service teardown against the cost of continuous DNS and dependency tracking.
- A marketing team decommissions a landing page hosted on a third-party platform, but the CNAME remains live and points to an unclaimed resource.
- A cloud workload is retired, yet the subdomain still resolves, allowing an attacker to claim the abandoned endpoint and serve phishing content under a trusted brand.
- A developer test environment is deleted without removing its DNS entry, creating a dangling hostname that can be registered by someone else.
- An organisation detects exposed credentials during investigation of a suspicious redirect chain, and the issue is tied back to a hijacked subdomain rather than the main site. This kind of exposure pattern is consistent with the risks discussed in DeepSeek breach and the broader attack dynamics described in LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Security teams map ownership of external-facing services against DNS records and apply the same control discipline used in the NIST Cybersecurity Framework 2.0 to reduce takeover risk.
Why It Matters in NHI Security
Subdomain hijacking matters because it converts a defensive asset into an attacker trust amplifier. Users, email filters, browser reputation systems, and even internal staff may trust the parent brand while the subdomain is already under hostile control. In NHI environments, that can expose authentication flows, token exchanges, callback URLs, and agent endpoints that were never meant to be externally accessible.
NHIMG research shows how quickly exposed identity material can be abused in practice: when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, a pace that mirrors the urgency of unmanaged external surfaces in The State of Secrets in AppSec. The governance lesson is that DNS ownership must be managed as part of NHI lifecycle control, not as a one-time setup task. That includes deprovision checks, service ownership review, and monitoring for dangling records tied to cloud services and SaaS providers. Organisational teams typically encounter the impact only after a phishing campaign, brand abuse complaint, or incident response review, at which point subdomain hijacking becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers identity and asset lifecycle gaps that enable dangling subdomain takeovers. |
| NIST CSF 2.0 | ID.AM-1 | Asset inventories must include externally exposed services and DNS dependencies. |
| NIST CSF 2.0 | PR.AC-5 | Access and trust relationships depend on preventing unintended exposure of public endpoints. |
Track external service ownership and remove stale DNS references before decommissioning NHI-linked assets.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
