
How to avoid subdomain takeover in Azure environments

source link: https://www.csoonline.com/article/3601007/how-to-avoid-subdomain-takeover-in-azure-environments.html


Active but unused subdomains in Microsoft Azure give attackers the opportunity to use them for malicious purposes. Here's how to identify and delete vulnerable subdomains before attackers do.

By Susan Bradley, Contributing Writer, CSO | Dec 23, 2020 2:00 am PST

Have you ever set up a subdomain, pointed it at a cloud resource, and later deleted that resource? Did you leave the CNAME behind in your DNS settings? Many admins have, and attackers know it. These lapses let attackers claim the resource your record still points to and take over the site it serves. Subdomain takeovers are all too common, especially in large organizations that create and delete many resources. CNAME records in particular are open to takeover. Malicious actors often use these hijacked sites to redirect traffic and activity to other sites. Even Microsoft isn’t immune to the problem.

Domain Name Service (DNS) is an often-misunderstood part of network infrastructure. Too often, DNS misconfiguration leads to serious problems on your network. It can make it look as though your website has been hacked when only the records have been changed. It can also expose your assets to being used in attacks.

How attackers exploit subdomains

As Microsoft notes, exposure to subdomain takeover starts when you set up and provision an Azure resource. Say the Azure resource is named app-on-azure001.azurewebsites.net. You then create a CNAME record in your own DNS zone so that a subdomain routes traffic to that Azure resource: rather than sending users to app-on-azure001.azurewebsites.net, you can send them to easierurl.domain.com. Later, you decide you no longer need the subdomain and deprovision or delete the website. At that point you should also remove subdomain.yourdomain.com from your DNS zone. If the CNAME stays in place, it advertises an active domain while no longer routing traffic to an active Azure resource. This is what is termed a “dangling DNS record”.

Attackers use various tools and scripts to search for these subdomains. A basic DNS lookup easily reveals CNAME records whose targets no longer resolve. The attacker then provisions an Azure resource with the same name you assigned to your now-missing resource. Their attack website is now called app-on-azure001.azurewebsites.net, and your subdomain.domain.com routes visitors to their site under your domain name. The consequences include loss of control over your content and harvesting of cookies and visitor information by the attacker’s site.
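The defender's side of the check described above is to audit your own zone for CNAMEs that point at Azure-hosted names which no longer resolve. The following is an added example, not code from the article or from Microsoft; the Azure suffix list, the sample zone and the stubbed resolver are constructed assumptions, and `live_resolver` shows how the same logic would query real DNS.

```python
"""Audit a DNS zone for dangling CNAMEs pointing at deprovisioned Azure hostnames."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Azure service suffixes where a deleted resource name can be re-registered
# by another tenant. Assumption: illustrative list, not exhaustive.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
)

@dataclass
class Finding:
    owner: str    # the record in our zone, e.g. easierurl.domain.com
    target: str   # the CNAME target it points to
    reason: str

def is_azure_target(target: str) -> bool:
    """True if the CNAME target lives under a re-registrable Azure suffix."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in AZURE_SUFFIXES)

def find_dangling_cnames(zone: Dict[str, str], resolve: Callable[[str], bool]) -> List[Finding]:
    """zone maps owner name -> CNAME target; resolve(host) reports whether host still resolves."""
    findings: List[Finding] = []
    for owner, target in sorted(zone.items()):
        if is_azure_target(target) and not resolve(target):
            findings.append(Finding(owner, target, "Azure target no longer resolves: dangling CNAME"))
    return findings

def live_resolver(host: str) -> bool:
    """Real lookup for production use: a deprovisioned azurewebsites.net name returns NXDOMAIN."""
    try:
        socket.getaddrinfo(host.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

# Constructed sample zone and an offline resolver standing in for real DNS.
SAMPLE_ZONE = {
    "easierurl.domain.com": "app-on-azure001.azurewebsites.net",  # resource was deleted
    "www.domain.com": "live-site.azurewebsites.net",              # resource still exists
    "mail.domain.com": "mx.provider.example",                     # not Azure-hosted, out of scope
}
SAMPLE_LIVE_HOSTS = {"live-site.azurewebsites.net"}

def sample_resolver(host: str) -> bool:
    return host.rstrip(".").lower() in SAMPLE_LIVE_HOSTS

if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

Each finding is a record to delete from the zone (or re-point at a resource you still own); run the same function with `live_resolver` against an export of your real zone.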
