Would you click a link from msn.com? What if it came from a subdomain of UNICEF - and passed every spam filter, every DMARC check, landing directly in your primary inbox?
That is exactly what happened. And it is happening at scale.
The mechanics are surprisingly simple:
- Phishing behind borrowed trust - Criminals create free subdomains on Cloudflare Pages and Workers, GitHub Pages, Firebase, Netlify, or free website builders. A credential harvester at login-verify.workers.dev inherits Cloudflare's domain reputation. Your email gateway sees "trusted." Your filter waves it through[ref].
- Hijacking forgotten DNS records - When organisations retire a service but leave the DNS record behind, a CNAME (or an SPF include) keeps pointing at a vendor domain that has since expired. Attackers register that expired domain and silently take control of the subdomain, with no access to the victim's DNS needed. One MSN subdomain had pointed to an abandoned sweepstakes domain since 2001. Attackers re-registered it in 2022 and inherited the right to send email on behalf of MSN.
- Bypassing email authentication - SPF and DMARC pass because, as far as the receiver can tell, the mail genuinely comes from infrastructure the domain owner authorised: the hijacked subdomain's DNS now belongs to the attacker, so the sending IPs are listed in its SPF record and that result aligns with the From address. Cloudflare's 2023 phishing report found that 89% of unwanted messages passed SPF, DKIM, or DMARC checks. Your security team ticked the compliance box. Fraudsters ticked the bypass box.
- Parasite SEO - Attackers inject malicious content into high-authority subdomains (sites.google.com, blogspot.com, github.io) to rank scam pages in organic search results. Google named this "Site Reputation Abuse" in 2024 - after noticing brand subdomains serving content nobody approved.
- Nation-state C2 in plain sight - Iranian APT group UNC1549 operated 125+ Azure subdomains to attack UAE aerospace and defence organisations. Chinese APT41 routes command-and-control traffic through Cloudflare Workers with full encryption. Security teams cannot block .azurewebsites.net without also blocking legitimate business traffic. That is not a flaw in the strategy - it is the strategy.
- Fake storefronts, real TLS - yourbank-login.netlify.app takes minutes to spin up, valid certificate and padlock included, zero domain registration cost, gone before the abuse report is processed.
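The forgotten-record takeover above is something you can hunt for in your own zone. The script below is an added example, not code from the article or from Guardio Labs: it walks a DNS snapshot looking for CNAMEs whose target no longer resolves and for SPF include: entries whose domain no longer resolves, the two conditions that let someone re-register a lapsed vendor domain and inherit a subdomain. The snapshot, hostnames, IPs and the "oldvendor-example.net" domain are all constructed for the example, and NXDOMAIN is modelled by a name missing from the table so that it runs offline; for live use, replace the dict lookup in resolve() with a real resolver such as dnspython.

```python
"""Dangling-DNS audit for the subdomain takeover pattern (added example).

Not code from the article. The zone snapshot is constructed: every name, IP
and the vendor domain are invented, and a name absent from the table stands
for NXDOMAIN. Swap resolve() for a live resolver to run it against real DNS.
"""

import re

# Constructed zone snapshot: name -> {rrtype: [values]}.
SNAPSHOT = {
    "example.com": {
        "TXT": ["v=spf1 include:_spf.oldvendor-example.net include:_spf.mailer-example.com -all"],
    },
    "www.example.com":   {"A": ["203.0.113.10"]},
    "shop.example.com":  {"CNAME": ["example-shop.myshopify.com."]},
    "promo.example.com": {"CNAME": ["sweeps.oldvendor-example.net."]},  # vendor gone
    "example-shop.myshopify.com": {"A": ["203.0.113.20"]},
    "_spf.mailer-example.com":    {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # sweeps.oldvendor-example.net and _spf.oldvendor-example.net are absent:
    # the whole oldvendor-example.net registration has lapsed.
}

SPF_INCLUDE = re.compile(r"(?:^|\s)include:(\S+)", re.I)


def resolve(name, rrtype, snapshot=SNAPSHOT):
    """RR values for name/rrtype, [] if the name exists without that type,
    or None for NXDOMAIN (the takeover-relevant case)."""
    records = snapshot.get(name.rstrip(".").lower())
    if records is None:
        return None
    return records.get(rrtype, [])


def registrable_domain(name):
    """Crude apex (last two labels). Production code should consult the
    Public Suffix List so that names like foo.co.uk are handled correctly."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def dangling_cnames(names, snapshot=SNAPSHOT):
    """Subdomains whose CNAME target no longer exists. Registering the target's
    apex domain would hand an attacker control of the subdomain."""
    findings = []
    for name in names:
        for target in resolve(name, "CNAME", snapshot) or []:
            if resolve(target, "A", snapshot) is None:
                findings.append((name, target, registrable_domain(target)))
    return findings


def spf_record(name, snapshot=SNAPSHOT):
    """The v=spf1 TXT record for name, '' if none, None if NXDOMAIN."""
    txts = resolve(name, "TXT", snapshot)
    if txts is None:
        return None
    return next((t for t in txts if t.lower().startswith("v=spf1")), "")


def dangling_spf_includes(domain, snapshot=SNAPSHOT, _seen=None):
    """Walk the include: chain of domain's SPF record and report includes whose
    domain no longer resolves. Whoever registers that domain can publish an
    SPF record that authorises their own IPs to send as domain."""
    seen = set() if _seen is None else _seen
    findings = []
    record = spf_record(domain, snapshot) or ""
    for inc in SPF_INCLUDE.findall(record):
        if inc in seen:          # guard against include loops
            continue
        seen.add(inc)
        if spf_record(inc, snapshot) is None:
            findings.append((domain, inc, registrable_domain(inc)))
        else:
            findings.extend(dangling_spf_includes(inc, snapshot, seen))
    return findings


def audit(snapshot=SNAPSHOT):
    """Run both checks over every name in the snapshot that belongs to the zone."""
    zone = [n for n in snapshot if n == "example.com" or n.endswith(".example.com")]
    return {
        "dangling_cname": dangling_cnames(zone, snapshot),
        "dangling_spf_include": dangling_spf_includes("example.com", snapshot),
    }


if __name__ == "__main__":
    for kind, hits in audit().items():
        for name, target, apex in hits:
            print(f"{kind}: {name} -> {target}  (registering {apex} takes it over)")
```

Run against the constructed zone it flags promo.example.com (CNAME to a vanished sweepstakes host, the MSN pattern) and the stale include in the apex SPF record; shop.example.com is left alone because its target still resolves. Two caveats for real use: a target that exists but is unclaimed on the hosting provider (an unassigned *.azurewebsites.net or *.github.io name) is also a takeover candidate even though it is not NXDOMAIN, and the apex heuristic needs the Public Suffix List before you trust it across TLDs.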
In February 2024, Guardio Labs[ref] exposed SubdoMailing - a campaign hijacking 8,000+ legitimate domains and 13,000 subdomains from brands including MSN, VMware, UNICEF, and Marvel, firing 5 million fraudulent emails daily through 22,000 rotating IPs - every single one passing DMARC, SPF, and DKIM.
According to Interisle Consulting's 2024 Phishing Landscape report, subdomain-hosted phishing surged 51% year-on-year to 450,000+ reported names - 24% of all global phishing. Cloudflare Pages phishing alone rose 198% in the same period[ref].
For individuals: do not stop reading a URL at the brand name. Fraudsters count on you missing everything around it - the subdomain in front of it and the real registered domain behind it. Navigate directly to the organisation's official site - never through email links.
For organisations: inventory your DNS regularly and delete records that still point at services you no longer use - CNAMEs to retired vendors, SPF include: entries for old mail providers, MX records for decommissioned hosts. Publish DMARC with p=reject (or at least p=quarantine) rather than p=none, and make sure the subdomain policy (sp=) is no weaker than the apex policy, because a forgotten subdomain is exactly where a spoofer will send from. Bear in mind that DMARC enforcement stops spoofing of names you still control: once an attacker owns the DNS behind a subdomain, their mail passes SPF and DMARC however strict your policy, which is why the record clean-up comes first. And watch Certificate Transparency logs for certificates issued under your domain that nobody on your side requested. A subdomain you forgot exists is a subdomain someone else is using.