How can organizations prevent subdomain takeovers?

Organizations can prevent subdomain takeovers by regularly auditing DNS records, promptly removing or updating entries associated with decommissioned services, and implementing automated DNS monitoring tools.

What were the consequences of the Hazy Hawk subdomain takeover?

The Hazy Hawk subdomain takeover led to explicit content being hosted under trusted university domains, potentially damaging reputations and exposing users to malicious content.

Hazy Hawk's 2026 Subdomain Takeover: A Wake-Up Call for DNS Security

Q: What is a subdomain takeover?

A subdomain takeover occurs when an attacker gains control over a subdomain by exploiting abandoned or misconfigured DNS records, allowing them to host malicious content under a trusted domain.

In April 2026, the Hazy Hawk group exploited abandoned DNS records to hijack subdomains of 34 major U.S. universities, highlighting critical vulnerabilities in DNS management.

Published: June 16, 2026

Share this on:

Executive Summary

In April 2026, the threat actor group known as Hazy Hawk executed a coordinated subdomain takeover campaign targeting 34 major U.S. universities, including MIT, Harvard, and Stanford. By exploiting abandoned DNS records pointing to decommissioned cloud services, they hijacked these subdomains to host explicit content, which was subsequently indexed by search engines under the universities' trusted .edu domains. This incident underscores the critical need for organizations to maintain rigorous DNS hygiene and promptly remove or update DNS entries associated with decommissioned services to prevent unauthorized subdomain takeovers.

Why This Matters Now

The Hazy Hawk incident highlights the escalating threat of subdomain takeovers, emphasizing the urgency for organizations to audit and secure their DNS configurations to prevent similar exploits.

Attack Path Analysis

An attacker identifies a dangling DNS CNAME record pointing to a deprovisioned AWS S3 bucket. They register a new S3 bucket with the same name, gaining control over the subdomain. The attacker then serves malicious content from the subdomain, potentially escalating privileges by capturing user credentials. They move laterally by exploiting trust relationships within the domain. Command and control are established through the compromised subdomain, facilitating further attacks. Sensitive data is exfiltrated via the subdomain, leading to significant impact on the organization's reputation and security.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

Medium

Impact

Medium

Initial Compromise

Description

An attacker identifies a dangling DNS CNAME record pointing to a deprovisioned AWS S3 bucket and registers a new S3 bucket with the same name, gaining control over the subdomain.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2024-5528
CVSS 5.4
A subdomain takeover vulnerability in GitLab CE/EE allows attackers to exploit misconfigurations in GitLab Pages, potentially leading to unauthorized control over subdomains.
Affected Products:
GitLab GitLab CE/EE – < 16.11.6, 17.0.0 - 17.0.3, 17.1.0 - 17.1.1
Exploit Status:
proof of concept
References:
https://gitlab.com/gitlab-org/gitlab/-/issues/464558 https://hackerone.com/reports/2523654
CVE-2023-36474
CVSS 6.1
Interactsh server configurations prior to version 1.0.0 are vulnerable to subdomain takeover due to default CNAME entries pointing to GitHub Pages, allowing attackers to host malicious content.
Affected Products:
ProjectDiscovery Interactsh – < 1.0.0
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36474 https://github.com/projectdiscovery/interactsh/issues/64
CVE-2025-27794
CVSS 6.8
Flarum versions prior to 1.8.10 are vulnerable to session hijacking via authoritative subdomain cookie overwrite, allowing attackers to replace session tokens for applications on sibling subdomains.
Affected Products:
Flarum Flarum – < 1.8.10
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-27794 https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px

MITRE ATT&CK® Techniques

Resource Development

T1584.001

Compromise Infrastructure: Domains

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Initial Access

T1566.002

Phishing: Spearphishing Link

Execution

T1204.001

User Execution: Malicious Link

Command and Control

T1568.003

Dynamic Resolution: DNS Calculation

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2.1

The presence of dangling DNS records leading to subdomain takeover indicates a failure to protect system components from known vulnerabilities, potentially exposing cardholder data to unauthorized access.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident reveals deficiencies in the organization's cybersecurity policy, particularly in managing DNS configurations and decommissioning processes, leading to potential unauthorized access.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of dangling DNS records suggests inadequate ICT risk management practices, failing to identify and mitigate risks associated with decommissioned resources.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The incident highlights lapses in asset management, where decommissioned resources were not properly accounted for, leading to security vulnerabilities.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The subdomain takeover incident indicates a failure to implement effective cybersecurity risk management measures, exposing network and information systems to potential threats.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

Critical risk from subdomain takeover enabling phishing attacks on banking portals, compromising customer credentials and violating PCI compliance requirements for secure payment processing.

Health Care / Life Sciences

Dangling DNS records expose patient portals to takeover attacks, enabling PHI theft and HIPAA violations through malicious content served via trusted healthcare domains.

E-Learning

Educational platforms vulnerable to subdomain takeover allowing attackers to serve malicious content through trusted academic domains, compromising student and faculty credentials.

Government Administration

Public sector DNS misconfigurations enable threat actors to hijack citizen-facing services, undermining public trust and exposing sensitive government communications to interception.

Sources

Threat tactic spotlight: Subdomain takeoverhttps://aws.amazon.com/blogs/security/threat-tactic-spotlight-subdomain-takeover/
Verified

CVE-2024-5528: GitLab Subdomain Takeover Vulnerabilityhttps://vulert.com/vuln-db/CVE-2024-5528

Verified

NVD - CVE-2023-36474https://nvd.nist.gov/vuln/detail/CVE-2023-36474

Verified

Frequently Asked Questions

A subdomain takeover occurs when an attacker gains control over a subdomain by exploiting abandoned or misconfigured DNS records, allowing them to host malicious content under a trusted domain.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, reducing the attacker's ability to exploit implicit trust and move laterally within the environment.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the compromised subdomain for malicious activities would likely be constrained, limiting their reach within the cloud environment.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges by capturing user credentials would likely be constrained, limiting their access to sensitive resources.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally across systems would likely be constrained, limiting their reach within the cloud environment.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, limiting their ability to coordinate further attacks.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, limiting the potential data loss.

Impact (Mitigations)

The organization's exposure to reputational damage and financial loss would likely be reduced, limiting the overall impact of the incident.

Impact at a Glance

Affected Business Functions

Web Hosting
E-commerce Platforms
Online Services

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of customer data and sensitive business information due to unauthorized control over subdomains.

Recommended Actions

• Implement continuous monitoring of DNS records to detect and remediate dangling CNAME entries.
• Enforce strict deprovisioning procedures to ensure DNS records are removed before deleting associated resources.
• Utilize Cloud Network Security Framework (CNSF) controls to enforce zero trust segmentation and prevent unauthorized access.
• Apply egress security and policy enforcement to monitor and control outbound traffic from subdomains.
• Conduct regular security audits and penetration testing to identify and mitigate potential subdomain takeover vulnerabilities.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Hazy Hawk's 2026 Subdomain Takeover: A Wake-Up Call for DNS Security

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2024-5528

Affected Products:

Exploit Status:

References:

CVE-2023-36474

Affected Products:

Exploit Status:

References:

CVE-2025-27794

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Compromise Infrastructure: Domains

Application Layer Protocol: Web Protocols

Phishing: Spearphishing Link

User Execution: Malicious Link

Dynamic Resolution: DNS Calculation

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

E-Learning

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads