Subdomain takeover vulnerabilities are, in most cases, the result of an organization using an external service and letting it expire. However, that expired subdomain is still a part of the organization's external attack surface, with domain DNS entries pointing to it. An attacker could then claim this subdomain and take control of it with little to no effort, a considerable blow to an organization's security posture.
How does this happen? For example, a company might enlist a service desk provider such as FreshDesk. It would point a subdomain like "support.mycompany.com" to FreshDesk via DNS and then claim that hostname in the FreshDesk service to activate it. A problem arises when the organization later abandons the service, whether because it migrates to another provider or for some other reason: after the service agreement expires, the subdomain's DNS record is still left pointing at the FreshDesk platform.
While this might not seem serious at first, allowing an attacker to serve scripts under the subdomain can enable them to obtain data from the main website. The risk becomes even more significant when the abandoned service handled PII, PHI, or trade secrets. Microsoft Defender External Attack Surface Management continuously maps the external-facing resources across your organization's attack surface to identify, classify, and prioritize risks, including subdomain expiration and takeover.
Microsoft Defender External Attack Surface Management discovers your organization's digital assets exposed to the Internet through its unique crawling and scanning capabilities. It maintains a complete inventory of the internet-facing resources connected to your organization and the unique attributes of each. It also offers the tools needed to manage this inventory across asset types, including hosts, IP addresses, web pages, domains, IP blocks, ASNs, SSL certificates, and contacts.
MDEASM Inventory enables querying on all available attributes (over 200 currently) with multiple search operators, including "Service" and "Expired Service." A Service component marks a hostname that makes use of an external service. An Expired Service component marks a hostname (possibly susceptible to takeover) that previously pointed to an active external service via DNS but now does not resolve.
Customers should use these two inventory filters in tandem: whenever a rule is written for an "Expired Service" category component, a matching "Service" category component is written at the same time to show when the service in question was in use and when it expired. This way, customers always have visibility into the status of the services they use and can easily tell whether a given service is working or inactive.
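The check below is an added example, not MDEASM's own logic or code from this article: it applies the two categories just described to a host inventory by following each host's CNAME chain and flagging hosts whose external service target no longer resolves. The hostnames, the offline DNS snapshot, and the small suffix-to-service map are constructed for illustration; in practice the snapshot would be replaced by live DNS lookups.

```python
"""Flag inventory hosts whose external service record no longer resolves
(the "Expired Service" condition) versus hosts still backed by a live
service (the "Service" condition). Entirely offline: DNS answers come
from a constructed snapshot instead of a resolver."""

# Constructed, illustrative suffix -> service map (a few entries from the
# article's service list); extend it with the providers your org uses.
SERVICE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "freshdesk.com": "Freshdesk",
}

# Constructed DNS snapshot standing in for live resolution. A name maps to
# either a CNAME target or a list of A records; names missing from the
# snapshot are treated as NXDOMAIN (they no longer resolve).
SNAPSHOT = {
    "support.example.com": {"CNAME": "example-support.freshdesk.com"},
    "example-support.freshdesk.com": {"A": ["203.0.113.10"]},
    "docs.example.com": {"CNAME": "example-docs.github.io"},
    # example-docs.github.io is deliberately absent: the Pages site is gone.
    "app.example.com": {"CNAME": "example-app.herokuapp.com"},
    "example-app.herokuapp.com": {"CNAME": "edge.example-heroku.invalid"},
    # edge.example-heroku.invalid is absent: the chain dead-ends one hop later.
    "www.example.com": {"A": ["203.0.113.20"]},
}

def service_for(target):
    """Name the external service a CNAME target belongs to, if known."""
    for suffix, name in SERVICE_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return name
    return None

def classify(host, snapshot=SNAPSHOT, max_hops=8):
    """Return (category, service, last_name). Categories: 'Service' (chain
    ends in address records), 'Expired Service' (chain dead-ends at a name
    that no longer resolves), 'No Service' (no CNAME at all), or
    'Unresolved' (host itself is NXDOMAIN, or a CNAME loop)."""
    name, service = host, None
    for _ in range(max_hops):
        record = snapshot.get(name)
        if record is None:  # NXDOMAIN at this hop
            return ("Expired Service" if name != host else "Unresolved", service, name)
        if "CNAME" not in record:  # address records: the target is alive
            return ("Service" if service else "No Service", service, name)
        name = record["CNAME"]
        service = service or service_for(name)
    return ("Unresolved", service, name)  # loop or chain longer than max_hops

def expired_services(hosts, snapshot=SNAPSHOT):
    """Map each host with a dangling external service to its classification."""
    results = {h: classify(h, snapshot) for h in hosts}
    return {h: r for h, r in results.items() if r[0] == "Expired Service"}
```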
Try it yourself: in MDEASM, query your approved inventory using the "Expired Service" search operator. It will return all digital assets matching this search criterion.
You can select any of these assets (host, web page, or IP address) to see its full asset details and view all the available data and history.
Below are some of the Web Component details for one of the above-searched assets:
Service Name | Description
--- | ---
Google Cloud | Google cloud services for storage
GitHub Pages | GitHub static website hosting
Shopify | Hosted eCommerce platform
Heroku | Cloud application platform
Statuspage | Status page hosting
Amazon S3 | Cloud storage
Tumblr | Microblogging and social networking platform
Zendesk | Customer service software and support ticket system
Freshdesk | Customer support software and ticketing system
Fastly | Content delivery network
WPEngine | WordPress blog hosting
UserVoice | Product management software
Unbounce | Landing page builder and conversion marketing platform
Tictail | Social shopping platform
Teamwork | Project management, help desk, and chat software
SurveyGizmo | Online survey software
Pingdom | Website and performance monitoring
Instapage | Landing page platform
Help Scout | Customer service software and education platform
Helpjuice | Knowledge base software
Ghost | Publishing platform
FeedPress | FeedPress
Desk | Customer service and helpdesk ticket software
Cloudfront | Content delivery network
Cargo | Web publishing platform
Campaign Monitor | Email marketing
Pantheon | Hosted websites (Drupal, WordPress)
WordPress | Hosted WordPress installations
Surge | Static website publisher
Bitbucket | Project hosting
Intercom | Customer messaging platform
WebFlow | Website creation and hosting
WishPond | Custom CMS for websites
AfterShip | Package tracking solution for eCommerce
Aha | Hosted roadmap service
BrightCove | Online video platform
BigCartel | Online shopping system
Acquia | Hosted SaaS for CMS
Simplebooklet | Online hosting for brochures
GetResponse | Marketing email/landing page solution
Vend | Retail management software
JetBrains YouTrack | Online ticket tracking platform
Azure | Cloud hosting
Readme | Hosted developer hub software
Apigee | API management and analytics
Smugmug | Online store and video/audio/photography hosting
Kajabi | Online business platform
You should now be able to query for hosts susceptible to a subdomain takeover attack and search all associated services and their current state. You can start your attack surface discovery journey today for free.