
What Is Subdomain Takeover — and Is Your Business at Risk?

Subdomain takeover lets attackers claim an abandoned subdomain of your domain and host their own content on it — making phishing pages, malware, or fake login forms appear to come from your legitimate domain.

What is subdomain takeover?

Subdomain takeover is a vulnerability that occurs when a subdomain of your domain — say staging.yourdomain.com or app.yourdomain.com — points to an external service that no longer exists or has been deregistered.

When the external service is gone but your DNS record still points to it, an attacker can register that service themselves and claim the subdomain. Their content then appears to come from your domain.

This means an attacker can host a convincing phishing page at login.yourdomain.com, serve malware from cdn.yourdomain.com, or send email that passes SPF checks because it is sent from a subdomain of your domain.

How it happens in practice

The typical scenario unfolds like this:

  1. Your development team sets up staging.yourdomain.com pointing to a Heroku, GitHub Pages, or Netlify deployment for a project.
  2. The project ends, the deployment is deleted, but nobody removes the DNS record.
  3. The DNS record continues to point to an address that now belongs to nobody.
  4. An attacker discovers the dangling DNS record, registers a free account on the same platform, and claims the target address.
  5. They now control staging.yourdomain.com and can serve whatever content they want.

This is not hypothetical. High-profile subdomain takeovers have been reported on domains belonging to major corporations, government agencies, and well-known consumer brands — not because their security teams were careless, but because subdomain records accumulate over time and cleanup rarely keeps pace with how fast they are created.

Which services are most commonly affected

Subdomain takeover is possible on any platform that assigns a unique URL to a deployment and allows that URL to be reclaimed. The most commonly exploited include:

  • GitHub Pages — "There isn't a GitHub Pages site here" is the classic fingerprint
  • Heroku — deleted app URLs can be re-registered
  • Netlify — unclaimed site names on netlify.app subdomains
  • AWS S3 — a deleted bucket's name can be reclaimed by re-creating the bucket
  • Shopify — custom domain pointing to a closed shop
  • Fastly, Azure, and other CDN/cloud providers — various CNAME-based takeover patterns

How to check if your domain is at risk

The key question is: do you have any DNS records — particularly CNAME records — pointing to external services where the target no longer exists?

Check your DNS records in your domain registrar or DNS provider's control panel. Look for CNAME records and follow each one: does the destination actually respond? If a CNAME points to myapp.herokuapp.com and that URL shows a "no such app" page, you have a dangling record.

For a more thorough check, Olimpio scans for subdomain takeover vulnerabilities automatically as part of the standard external scan — probing each discovered subdomain for the fingerprints associated with unclaimed services on major platforms.
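The manual check above (follow each CNAME, see whether the target still responds, look for the platform's "no such site" page) can be scripted. The following is an added example, not Olimpio's scanner or code from the post: it classifies each CNAME record as resolving normally, not resolving at all, or resolving to a platform's unclaimed-site page. The fingerprint table carries the GitHub Pages and Heroku texts quoted in the post plus the S3 error code; the hostnames, IP addresses and page bodies in the demo are constructed, and the resolver and fetcher are injected so the demo runs offline.

```python
"""Dangling CNAME audit for the check described above.

Resolution and HTTP fetching are injected so that demo() runs offline
against constructed data; live_resolve/live_fetch use only the standard
library for a real run against your own records."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Strings the platforms return for an unclaimed site, keyed by the CNAME
# target suffix. The GitHub Pages and Heroku texts are the ones quoted in
# the post; the S3 entry is the error code a missing bucket returns.
# Extend this table from the platforms you actually use.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None if it does not resolve
Fetcher = Callable[[str], Optional[str]]   # hostname -> HTTP body, or None on failure


@dataclass
class Finding:
    name: str      # your subdomain
    target: str    # the CNAME target it points to
    status: str    # "ok", "dangling-nxdomain", "dangling-unclaimed" or "unknown"
    evidence: str


def check_cname(name: str, target: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    """Classify one CNAME record. A target that does not resolve is dangling
    whatever the platform; only a resolving target is probed for the
    platform's unclaimed-site page."""
    if resolve(target) is None:
        return Finding(name, target, "dangling-nxdomain", "CNAME target does not resolve")
    for suffix, text in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            # Fetch the subdomain itself, not the target: platforms pick the
            # site from the Host header, so that is where the fingerprint shows.
            body = fetch(name)
            if body is not None and text in body:
                return Finding(name, target, "dangling-unclaimed", f"page matched {text!r}")
            return Finding(name, target, "ok", "target resolves and serves no unclaimed-site page")
    return Finding(name, target, "unknown", "target resolves; platform not in fingerprint table")


def audit(records: List[Tuple[str, str]], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    return [check_cname(name, target, resolve, fetch) for name, target in records]


def live_resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def live_fetch(host: str, timeout: float = 10) -> Optional[str]:
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Unclaimed-site pages are usually served with a 404; the body still matters.
        return err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


# --- constructed demo data: hostnames, addresses and bodies are made up ---
DEMO_RECORDS = [
    ("staging.example.com", "old-project.herokuapp.com"),  # deleted Heroku app
    ("docs.example.com", "example-org.github.io"),         # deleted Pages site
    ("cdn.example.com", "cdn-old.example-cdn.net"),        # provider host gone
    ("app.example.com", "active-app.herokuapp.com"),       # still deployed
    ("shop.example.com", "example.myshopify.com"),         # platform not in table
]
DEMO_DNS = {  # platform wildcards resolve even for deleted sites; cdn-old does not
    "old-project.herokuapp.com": "203.0.113.10",
    "example-org.github.io": "203.0.113.20",
    "active-app.herokuapp.com": "203.0.113.30",
    "example.myshopify.com": "203.0.113.40",
}
DEMO_PAGES = {
    "staging.example.com": "<h1>No such app</h1>",
    "docs.example.com": "<p>There isn't a GitHub Pages site here.</p>",
    "app.example.com": "<html>Welcome to the app</html>",
    "shop.example.com": "<html>Shop</html>",
}


def demo() -> dict:
    """Run the audit against the constructed data; returns subdomain -> status."""
    findings = audit(DEMO_RECORDS, DEMO_DNS.get, DEMO_PAGES.get)
    return {f.name: f.status for f in findings}


if __name__ == "__main__":
    for f in audit(DEMO_RECORDS, DEMO_DNS.get, DEMO_PAGES.get):
        print(f"{f.status:20} {f.name} -> {f.target}  ({f.evidence})")
```

For a real run, pass `live_resolve` and `live_fetch` to `audit()` with your own CNAME list. Treat "unknown" as a record to review by hand: the target resolves but the platform is not in the table, so the script cannot tell whether the site behind it is still yours.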


Real-world impact

The reason subdomain takeover is taken seriously by security professionals is that a subdomain under attacker control lends itself to several types of abuse:

Phishing. login.yourdomain.com is a highly convincing URL for a fake login page. Your users have no reason to distrust a subdomain of a domain they trust. Credentials entered there go straight to the attacker.

Cookie theft. If your cookies are scoped to the parent domain rather than to a specific host, browsers send them to every subdomain, so an attacker controlling one subdomain may be able to steal authentication cookies from your main application.

Bypassing SPF. Some mail configurations allow email to be sent from subdomains, meaning a controlled subdomain could be used to send authenticated-looking email from your domain.

Malware distribution. A CDN or asset subdomain under attacker control can serve malicious JavaScript or files to users who trust your domain.

Reputation damage. Even if no active abuse occurs, a defaced or embarrassing subdomain under your domain reflects directly on your brand.

How to fix and prevent subdomain takeover

Audit your DNS records. Go through every subdomain and verify that each CNAME target is active and under your control. Any record pointing to an unclaimed or deleted external service should be removed immediately.

Remove DNS records when you decommission services. Make it a habit: when a project ends and a service is deleted, the first step is removing the DNS record, not the last step.

Monitor for new subdomains. Olimpio's scanning includes subdomain discovery — you will see all discovered subdomains in your findings, making it easier to spot ones that should not exist.

Use CNAME targets you control. Where possible, route external services through a CNAME you own rather than pointing directly at the provider's URL. This gives you more control if the provider's URL structure changes.
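The audit and decommissioning steps above come down to one question: which CNAME records point at a hosting platform but no longer correspond to a deployment the team still runs? The following is an added example, not Olimpio's code or code from the post. It parses a BIND-style zone export, keeps the CNAME records whose targets sit on the platforms the post names, and reports those with no entry in an inventory of active deployments; the zone text and the inventory are constructed, and the inventory is assumed to be exported from each platform's CLI or dashboard.

```python
"""Decommission-time reconciliation: CNAME records in a zone export that
point at a hosting platform but no longer match a deployment the team
still runs. Zone text and inventory below are constructed."""
from typing import Iterable, List, Set, Tuple

# Platforms from the post whose site names can be reclaimed once released.
PLATFORM_SUFFIXES = ("herokuapp.com", "github.io", "netlify.app", "s3.amazonaws.com", "myshopify.com")

# Constructed BIND-style zone export for a fictional domain.
ZONE = """\
$ORIGIN example.com.
$TTL 300
@        IN  A      203.0.113.5
www      IN  CNAME  example.com.                   ; internal alias, not a platform
staging  300 IN CNAME old-project.herokuapp.com.   ; project ended, app deleted
docs     IN  CNAME  example-org.github.io.
app      IN  CNAME  active-app.herokuapp.com.
assets   IN  CNAME  assets-prod.netlify.app.
"""

# Constructed inventory of deployments that still exist (assumed to be
# exported from each platform's CLI or dashboard).
ACTIVE_DEPLOYMENTS: Set[str] = {"active-app.herokuapp.com", "assets-prod.netlify.app"}


def _fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name: '@' is the origin, a trailing dot marks an
    absolute name, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME in a zone file.
    Handles $ORIGIN, comments, optional TTL/class fields and relative names;
    multi-line records, blank owner fields and $INCLUDE are out of scope."""
    origin = ""
    records: List[Tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):             # $TTL and other directives
            continue
        fields = line.split()
        if len(fields) < 3 or "CNAME" not in [f.upper() for f in fields]:
            continue
        records.append((_fqdn(fields[0], origin), _fqdn(fields[-1], origin)))
    return records


def is_platform_target(target: str) -> bool:
    return any(target == s or target.endswith("." + s) for s in PLATFORM_SUFFIXES)


def orphaned_platform_cnames(records: Iterable[Tuple[str, str]],
                             active: Set[str]) -> List[Tuple[str, str]]:
    """Records to delete: platform-hosted targets with no matching deployment."""
    return [(n, t) for n, t in records if is_platform_target(t) and t not in active]


def demo() -> List[Tuple[str, str]]:
    return orphaned_platform_cnames(parse_cnames(ZONE), ACTIVE_DEPLOYMENTS)


if __name__ == "__main__":
    for name, target in demo():
        print(f"remove: {name} CNAME {target}")
```

Running this as a scheduled job, or as a gate in the pipeline that deletes a deployment, turns "remove the DNS record first" from a habit into a check: a record that survives its deployment shows up in the report the same day.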


Subdomain takeover and Cyber Essentials

Subdomain takeover sits primarily under Cyber Essentials Control 1 (Firewalls) — specifically the requirement that your internet-facing footprint is intentional and under your control. An assessor discovering a subdomain pointing at an unclaimed third-party service would flag it as a configuration issue.

Run a free scan with Olimpio to check your subdomain exposure — it discovers subdomains automatically and checks each one for takeover vulnerability indicators.

Want to see what attackers see?

Run a free scan on your domain — no credit card, no setup, results in ~20 minutes.
