A new and increasingly sophisticated attack method is catching organisations off guard: domain registration hijacking. Recently observed in incidents across the fintech, tech, and professional services sectors, this technique allows attackers to quietly seize control of a company’s domain, reroute emails, and infiltrate critical SaaS platforms, all without social engineering your staff or deploying malware.
The security firm CyberCX issued a threat advisory after identifying multiple incidents where this method led to sensitive data exposure. The M.O. of this activity is similar to Scattered Spider tactics, techniques and procedures (TTPs), although it is not linked to that group at present.
Solace Cyber believe the stealth, speed and simplicity of the technique makes it a prime candidate for future widespread abuse.

How Domain Registration Hijacking Works
At its core, this method relies on social engineering the domain registrars / external DNS providers, rather than zero-day exploits or malware. Here’s how the attack chain typically plays out:
- Impersonation and Social Engineering: Threat actors forge identity documents (e.g. passports) to impersonate domain owners and trick registrars into transferring domain ownership or control.
- DNS Record Modification: Once control is achieved, attackers modify MX records, redirecting inbound emails to attacker-controlled servers.
- Silent Email Interception: With access to email flows, attackers monitor, reset, and intercept credentials via self-service password reset mechanisms.
- SaaS Infiltration: Platforms such as Entra, Slack, Jira and Confluence have been observed being accessed by the threat actor through intercepted resets or domain-based verification mechanisms.
This technique doesn’t require a foothold in your network. It exploits a gap in registrar processes and your trust in your domain’s DNS provider.
The Risks: Why This Is So Dangerous
Unlike ransomware attacks that create visible chaos, domain registration hijacks happen quietly and often go undetected for hours or even days. Here are the core risks:
- Credential Compromise: By rerouting emails, attackers can reset admin credentials across your organisation’s SaaS ecosystem.
- Persistent Access: Even after DNS is restored, attackers may retain stolen credentials or session tokens.
- Data Theft and Extortion: The access gained would allow data theft from cloud providers. In addition, all mail redirected by the MX record changes is captured by the threat actor, and that interception of mail flow also directly enables financial fraud.
All that was used in these novel attacks was patience, forged documents, and knowledge of registrar workflows. The threat actors were observed to work quickly, initiating changes out of hours, when IT staff are less likely to notice.


What Organisations Can Do Right Now
This isn’t a problem that can be patched with a simple update. Mitigating domain registration hijacking starts with process, not technology.
Solace Cyber recommends:
- Enable Registry Lock: Work with your domain registrar to implement a registry lock, preventing DNS changes without multi-factor authentication and some other form of out-of-band confirmation.
- MFA / 2FA: Implement MFA and 2FA for all DNS providers / domain registrars, ensuring the multi-factor methods do not rely on your domain or email.
- Use Secondary Channels for Verification: Ensure DNS changes require a separate, pre-registered communications channel. Ideally one not reliant on your domain.
- Audit DNS Regularly: Monitor for unauthorized changes to DNS records, especially MX records.
- Restrict Email-Based Resets: Where possible, disable or limit email-based password reset options for critical admin accounts.
- Log and Alert on SaaS Changes: Use SIEM tools to alert on changes to SaaS admin settings, logins from new IPs, or unexpected resets.
- Awareness and Training: Educate staff, especially IT and domain admin roles, on the risks of domain impersonation and social engineering.
Red Flags: Signs You May Be Under Attack
Here’s what to watch for:
- Unexpected DNS Changes: Look out for MX record changes in registrar logs.
- Self-service Password Reset Spikes: Especially password reset requests for admin or privileged users.
- Unusual SaaS Access Patterns: New devices or locations accessing tools like Entra, Slack, or Confluence.
- Missing Emails: Complaints of delayed or missing inbound email traffic.
- Out-of-Hours Activity: These attacks often begin overnight to delay detection.
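The "Audit DNS Regularly" recommendation and the "Unexpected DNS Changes" red flag above both come down to one check: compare the MX and NS answers you see now against a baseline signed off when the domain was last known good, and alert on any drift. The script below is an added example (not code from Solace Cyber or CyberCX); it parses `dig +short` style output, and the baseline and the polled answers are constructed sample data, with example.com / example.org used as placeholder domains.

```python
"""Detect MX/NS drift by comparing observed DNS answers to a signed-off baseline.
Standalone: the answers below are constructed; in production feed it the output
of `dig +short MX <domain>` and `dig +short NS <domain>` from a scheduled poll."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    rtype: str
    added: frozenset    # records present now but absent from the baseline
    removed: frozenset  # baseline records that have disappeared

    def is_alert(self) -> bool:
        return bool(self.added or self.removed)


def parse_dig_short(output: str) -> frozenset:
    """Normalise `dig +short` lines into a set of tuples.
    MX lines look like '10 mail.example.com.'; NS lines are bare hostnames.
    Keeping the MX priority in the tuple also catches a re-prioritised relay."""
    records = set()
    for line in output.splitlines():
        parts = line.strip().split()
        if parts:
            records.add(tuple(p.rstrip(".").lower() for p in parts))
    return frozenset(records)


def check_drift(baseline: dict, observed: dict) -> list:
    """One Drift per record type in the baseline; an absent type counts as removed."""
    report = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, frozenset())
        report.append(Drift(rtype, seen - expected, expected - seen))
    return report


# Constructed baseline: the MX/NS set at the time the domain config was signed off.
BASELINE = {
    "MX": frozenset({("10", "mail.example.com")}),
    "NS": frozenset({("ns1.example.net", ), ("ns2.example.net", )}),
}
# Constructed sample of a later poll: a new, higher-preference MX host has
# appeared, which is exactly what rerouted inbound mail looks like in DNS.
SAMPLE_MX = "10 mail.example.com.\n5 unexpected-relay.example.org.\n"
SAMPLE_NS = "ns1.example.net.\nns2.example.net.\n"


def run_sample() -> list:
    observed = {"MX": parse_dig_short(SAMPLE_MX), "NS": parse_dig_short(SAMPLE_NS)}
    return [d for d in check_drift(BASELINE, observed) if d.is_alert()]


if __name__ == "__main__":
    for d in run_sample():
        print(f"ALERT {d.rtype}: added={sorted(d.added)} removed={sorted(d.removed)}")
```

Run it from a host outside the domain's own mail path and page on any alert, since by the time users report missing email the MX change has usually been live for hours.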


Building Long-Term Resilience
- Lock Critical Domains: Talk to your domain registrar to apply registry lock features to all corporate domains and subdomains. Where possible establish procedures for out-of-band authentication with your DNS provider.
- Segment Domain Admin Roles: Use dedicated, tightly controlled accounts for registrar access.
- Document DNS: Ensure email and DNS configurations are documented so that functionality can be restored quickly.
- Run Simulations: Conduct red-team exercises that include domain takeover scenarios.
Final Thoughts
This campaign is a reminder that attackers don't always need malware or vulnerable network edge devices to win. Access can be granted with nothing more than a forged ID document and an unsuspecting registrar. Don’t let your DNS become your weakest link.
Reference: https://cybercx.com.au/blog/keys-to-the-saas-kingdom/