As a Cyber Threat Intelligence (CTI) Analyst, my daily work often involves analyzing suspicious domains that look like our clients' brands. One of our goals is to prevent phishing campaigns and brand abuse. We usually hunt for external threats like typosquatting. However, sometimes the most dangerous threat comes directly from the legitimate infrastructure of the company itself.
A perfect example of this is the Subdomain Takeover vulnerability. Just recently, security researcher Andrew Dorman (known as ACD421) disclosed a critical security flaw involving Anthropic’s famous AI, Claude. This fresh case is a great reminder that even the most advanced tech companies can leave a door open.
To understand this vulnerability, we need to look at how companies manage their cloud services today.
Often, a company wants to launch a temporary project, like a blog or a promotional page. The IT team creates a subdomain (for example, promo.company.com) and adds a CNAME DNS record that points it to a hostname owned by a third-party cloud provider, such as GitHub Pages (e.g., company-promo.github.io) or an AWS S3 bucket.
When the project ends, the team that owned it deletes the site or bucket on the cloud provider. The provider releases that hostname, so anyone can claim it again. But there is a massive problem: the IT team forgets to remove the CNAME record from the company's DNS zone.
This creates a "dangling DNS" record. The official subdomain still points to a cloud resource that the company no longer owns.

An attacker can simply create a new free account on that cloud provider, claim the abandoned name (company-promo.github.io), and from that moment serve whatever content they like for promo.company.com. They do not need to hack the company servers. They just take over the empty space the DNS is blindly pointing to.
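The check a security team would run against its own zone, as an added illustration for this article (not code from the researcher, Anthropic or SATAYO): walk every CNAME record, see whether the target belongs to a provider that hands out hostnames first-come-first-served, and probe whether that target is unresolvable or answers with the provider's "nobody owns this name" page. The zone, the probe answers and the company.com hostnames are all constructed so the script runs offline; the list of providers and markers is a starting assumption to extend with the services your organization actually uses.

```python
"""Dangling-CNAME triage over a DNS zone export (added example, runs offline)."""
import dataclasses

# Providers that hand out hostnames first-come, first-served, with the marker
# their front end returns for a name nobody currently owns. Assumed starting
# list: verify each marker against the provider before relying on it.
UNCLAIMED_MARKERS = {
    ".github.io": "There isn't a GitHub Pages site here.",
    ".s3.amazonaws.com": "NoSuchBucket",
}


@dataclasses.dataclass
class Finding:
    name: str
    target: str
    verdict: str   # "takeover-candidate", "ok" or "not-third-party"
    reason: str


# Constructed zone export for the fictional company.com (name -> CNAME target).
ZONE = {
    "www.company.com": "company.com",
    "promo.company.com": "company-promo.github.io",         # project deleted, CNAME forgotten
    "docs.company.com": "company-docs.github.io",           # still published
    "files.company.com": "company-files.s3.amazonaws.com",  # bucket deleted
    "old.company.com": "old-site.example-host.net",         # target name gone entirely
}

# Constructed probe results: target -> (DNS resolves?, HTTP body snippet or None).
# A real run would replace fake_probe() with a resolver lookup plus an HTTP GET.
FAKE_PROBE = {
    "company.com": (True, "<html>corporate site</html>"),
    "company-promo.github.io": (True, "404 There isn't a GitHub Pages site here."),
    "company-docs.github.io": (True, "<html>Docs</html>"),
    "company-files.s3.amazonaws.com": (True, "<Error><Code>NoSuchBucket</Code></Error>"),
    "old-site.example-host.net": (False, None),
}


def fake_probe(target):
    """Stand-in for a live DNS + HTTP probe; unknown names count as NXDOMAIN."""
    return FAKE_PROBE.get(target, (False, None))


def provider_for(target):
    """Return the matching claimable-provider suffix, or None."""
    for suffix in UNCLAIMED_MARKERS:
        if target.endswith(suffix):
            return suffix
    return None


def triage(zone, probe):
    """Classify every CNAME in the zone; NXDOMAIN targets are flagged regardless
    of provider, because an expired domain can also be re-registered."""
    findings = []
    for name, target in sorted(zone.items()):
        resolves, body = probe(target)
        provider = provider_for(target)
        if not resolves:
            findings.append(Finding(name, target, "takeover-candidate",
                                    "target does not resolve; check if it can be registered"))
        elif provider and body and UNCLAIMED_MARKERS[provider] in body:
            findings.append(Finding(name, target, "takeover-candidate",
                                    f"{provider} reports the name as unclaimed"))
        elif provider:
            findings.append(Finding(name, target, "ok", "third-party target is in use"))
        else:
            findings.append(Finding(name, target, "not-third-party",
                                    "target resolves and is not a claimable host"))
    return findings


def takeover_candidates(zone=ZONE, probe=fake_probe):
    """Names whose CNAME an attacker could claim right now."""
    return [f.name for f in triage(zone, probe) if f.verdict == "takeover-candidate"]


if __name__ == "__main__":
    for f in triage(ZONE, fake_probe):
        print(f"{f.verdict:18} {f.name:20} -> {f.target}  ({f.reason})")
```

Note that for GitHub Pages and S3 the CNAME target keeps resolving after the site or bucket is deleted, so a pure DNS check would miss both; the HTTP marker is what reveals that the name is up for grabs. Running this on every zone change, not just once, is what turns the check into hygiene.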
In the recent case analyzed by Andrew Dorman, the vulnerability was actually a lethal combination of two different flaws: an OAuth Open Redirect and a potential Subdomain Takeover.
The researcher noticed that the authentication system of claude.ai did not strictly validate the redirect URI parameter during the OAuth login flow. If an attacker managed to find a dangling subdomain (like excel.claude.ai) and take control of it, they could craft a login link whose redirect URI pointed to that subdomain.
If a victim clicked the link, they would see the real Anthropic login page. But after the login, the authorization code (or token) would be sent to the attacker's subdomain instead of the legitimate callback. This would lead to a complete Account Takeover. The researcher chained a flaw in the code (OAuth redirect validation) with a flaw in the infrastructure (DNS) to create a high-impact exploit.
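The two halves of that chain side by side, as an added example for this article (not Anthropic's code; the page does not say which check claude.ai actually used, so the loose validator below is an assumption that reproduces the described class of bug, accepting any host under the first-party domain). The hostnames, the callback path and the authorization code are constructed.

```python
"""redirect_uri validation: a loose suffix check beside a strict allow-list (added example)."""
from urllib.parse import urlencode, urlsplit

FIRST_PARTY_DOMAIN = "claude.ai"

# Callback(s) the client registered; an authorization server should store these
# as full URIs. Assumed path, for illustration only.
REGISTERED_REDIRECT_URIS = {"https://claude.ai/auth/callback"}


def loose_redirect_ok(redirect_uri):
    """Vulnerable (assumed) check: any https URL whose host is the first-party
    domain or one of its subdomains is accepted. A hijacked subdomain passes."""
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == FIRST_PARTY_DOMAIN or host.endswith("." + FIRST_PARTY_DOMAIN)
    )


def strict_redirect_ok(redirect_uri):
    """Hardened check: exact string match against the registered URIs, as the
    OAuth 2.0 Security BCP (RFC 9700) recommends. No subdomain, path or port
    wiggle room, so a takeover of excel.claude.ai buys the attacker nothing."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri, validator, code="AUTHCODE-constructed"):
    """Simulated authorization endpoint after a successful login: returns the
    Location header the browser would be sent to, or None if the redirect_uri
    is refused. Whoever serves that host receives the code in the query string."""
    if not validator(redirect_uri):
        return None
    return redirect_uri + "?" + urlencode({"code": code, "state": "xyz"})


# Attacker-controlled callback, hosted on the dangling subdomain they claimed.
ATTACKER_CALLBACK = "https://excel.claude.ai/cb"

if __name__ == "__main__":
    for label, validator in (("loose", loose_redirect_ok), ("strict", strict_redirect_ok)):
        print(f"{label:6} legitimate -> {authorize('https://claude.ai/auth/callback', validator)}")
        print(f"{label:6} attacker   -> {authorize(ATTACKER_CALLBACK, validator)}")
```

With the loose validator the victim logs in on the genuine page and is then redirected to excel.claude.ai carrying the code; with the strict one the authorization request is refused before the login page is even shown. Note that the loose check already rejects look-alikes such as claude.ai.attacker.example and userinfo tricks like https://claude.ai@evil.example/, which is exactly why the researcher needed a real subdomain and why the dangling DNS record mattered.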

From a threat intelligence perspective, a hijacked subdomain is the ultimate weapon for brand abuse.
Usually, we train users to check the domain name in the URL bar to spot phishing. But in a Subdomain Takeover, the hostname really does belong to the company. The attacker uses the official domain, and because public certificate authorities only verify control of the host, they can easily obtain a valid TLS certificate for it. This grants maximum trust from the victims and easily bypasses many reputation-based email security filters.
Mitigating this risk requires strict IT hygiene. Security teams should implement the following steps to prevent external abuse:
Managing an ever-changing external attack surface manually is very difficult for large organizations. This is where a Threat Intelligence Platform, like SATAYO, provides immense value.
By monitoring the external digital footprint, tracking domain variations, and analyzing external configurations, it is possible to maintain a clear map of your digital assets. Good threat intelligence helps security teams maintain control over their perimeter and detect potential abuse infrastructure before attackers can launch a successful phishing campaign against clients or employees.
The claude.ai case teaches us a very important lesson: cloud environments change rapidly, and basic IT hygiene is fundamental. Cleaning up old DNS records is just as important as patching software. If a dangling DNS record can happen to a leading AI company, it can definitely happen to anyone.
References: