A new and increasingly sophisticated attack method is catching organisations off guard: domain registration hijacking. Recently observed in incidents across the fintech, tech, and professional services sectors, this technique allows attackers to quietly seize control of a company’s domain, reroute emails, and infiltrate critical SaaS platforms, all without social engineering your staff or deploying malware.
The security firm CyberCX issued a threat advisory after they identified multiple incidents where this method has led to sensitive data exposure. The M.O. of this activity is similar to Scattered Spider tactics techniques and procedures (TTPs) although not linked at present.
Solace Cyber believe the stealth, speed and simplicity of the technique makes it a prime candidate for future widespread abuse.

At its core, this method relies on social engineering the domain registrars / external DNS providers, rather than zero-day exploits or malware. Here’s how the attack chain typically plays out:
This technique doesn’t require a foothold in your network. It exploits a gap in registrar processes and your trust in domain DNS provider.
Unlike ransomware attacks that create visible chaos, domain registration hijacks happen quietly and often go undetected for hours or even days. Here are the core risks:
All that was used in these novel attacks were just patience, forged documents, and knowledge of registrar workflows. The threat actors were observed to work quick initiating changes in out of hour timeframes which leverage the abundance of IT staff noticing.


This isn’t a problem that can be patched with a simple update. Mitigating domain registration hijacking starts with process, not technology.
Solace Cyber recommends:
Here’s what to watch for:


This campaign is a reminder that attackers don't always need malware to win or susceptible network edge devices. Access can be granted with nothing more than a forged ID document and an unsuspecting registrar. Don’t let your DNS become your weakest link.
Reference: https://cybercx.com.au/blog/keys-to-the-saas-kingdom/

Solace Cyber helps companies across the UK recover from ransomware attacks and data breaches.
Ransomware Recovery
Ransomware Groups
BEC Recovery
About Us
Blog
News
SOLACE CYBER LTD is registered in England & Wales no. 14028838

Solace Cyber
Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom