In early 2024, Guardio Labs disclosed a campaign they named SubdoMailing. The mechanics were unremarkable on their own — attackers re-registered abandoned subdomains belonging to organizations that included MSN, Indeed, UNICEF, and several universities. What made it work was the email-authentication side: many of the parent domains had SPF, DKIM, or DMARC policies broad enough that anything sent from any subdomain inherited the parent's reputation. Once an attacker controlled the subdomain, they controlled the sender reputation.
The campaign sent millions of phishing and spam emails from addresses that mail filters trusted by inheritance. None of the parent organizations had pushed a configuration change. They had simply forgotten which addresses they owned.
That is the threat model worth thinking about: not the headline incident, but the underlying class — abandoned web assets you no longer remember owning, repurchased by people who do.
How expired-domain hijacking actually works
The pattern repeats with predictable parameters:
- The asset gets abandoned. A subdomain was spun up for a 2018 conference, a partner integration, a regional microsite, an internal project that shipped and got mothballed. Nobody decommissions DNS when nobody remembers it exists.
- The registration lapses. Subdomains don't lapse on their own, but they ride on a parent domain or a third-party hosting account that does. When a vendor shuts down, when the credit card on file expires, when a long-departed engineer's personal AWS account holds the CNAME target — the asset becomes claimable.
- An attacker re-registers or repurchases the underlying name. Usually within hours of expiry, via automated bidding. (See The Dropcatching Industry on the bidder side.)
- The new owner inherits the trust. Backlinks, browser bookmarks, search-engine reputation, mail-server allowlists, OAuth tenant trust, SSO recovery paths — whatever the original owner had built up is now leased to whoever picked up the registration.
That last step is the multiplier. The attacker didn't have to earn the reputation; they just had to be patient enough to wait for someone to drop it.
Why this matters at the leadership level
A hijacked domain or subdomain in your brand's name produces consequences that don't stay in IT:
- Phishing sent from your reputation. Your customers' filters trust the From-address. Your incident-response team explains why.
- Search ranking damage. Outbound links from your live properties to hijacked old assets are a measurable demotion signal.
- Regulatory exposure. In healthcare, finance, education, and public-sector contexts, "we forgot we owned that" is not an audit-passing answer.
- Pivot risk. A hijacked subdomain frequently becomes a foothold for further work — credential phishing of internal staff, OAuth-app abuse, browser-based session theft. See the NJCCIC analysis on how subdomain takeovers feed downstream incidents.
The audit that actually matters
A useful external-link audit covers three jobs:
- Inventory. Every outbound destination your site actually serves to a browser, plus every subdomain that resolves under your parent domains. Nothing else can be checked because nothing else is known to exist.
- Reputation. For each entry in the inventory, the current state: live, dead, parked, recently re-registered, on a threat-intel list, drifted in content from when it was first seen.
- Drift detection. A snapshot at first-sight, compared to what the destination serves now. The SubdoMailing case is detectable in this dimension months before the spam wave actually hits.
The hand-rolled version of this is real work. Crawling every page, scripting login flows, resolving every CNAME, querying threat-intel APIs, diffing weekly. It scales until it doesn't, and the part that breaks is usually the part where nobody owns it.
Where LinkSentry slots in
The automated version of the above audit is what we built. Specifically:
- Inventory by observation, not crawling. Outbound destinations are reported by real visitor sessions, so coverage matches what users actually load — including pages behind login, dynamic content, and personalized rendering crawlers don't see.
- Continuous reputation checks. Each known destination is rechecked against threat-intel feeds, parking-nameserver signatures, and reputation services on a schedule fast enough that "we noticed before the customer screenshot" is the normal case.
- Drift alerts. When a destination's content materially changes from its first-seen baseline, or when its registration changes hands, you get told.
- Real-time alerting. Email, Slack, or webhook, depending on plan and severity.
SubdoMailing worked because the affected organizations had no inventory of what they owned and no monitor of what their listed assets were doing. The fix isn't more headcount. It's the inventory existing in the first place, and then a small daemon checking it.
Start there. Visit linksentry.io when you want the daemon.