Why attackers love your forgotten subdomains
Robin Hill
April 7, 2025
Summary
Subdomain takeover, dangling DNS, and orphaned IPs are low-effort, high-impact attack techniques that fly under the radar. They’re a favourite starting point for attackers and can go undetected until it’s too late. Organisations need to move beyond vulnerability scanning and invest in mapping and monitoring their digital footprint. EASM solutions like DarkInvader help fill that gap, giving clients visibility, clarity, and early warning before opportunistic attackers strike.

You can spend all the time in the world patching vulnerabilities, updating systems, and scanning for CVEs, but if you have a subdomain still pointing to a long-forgotten GitHub Pages site or an old AWS bucket, an attacker could waltz in and take over part of your digital presence, without ever touching your infrastructure.

Subdomain takeover, dangling DNS, and orphaned IP addresses are not flashy. They're not high-tech breaches involving zero-days or nation-state actors. But they are a favourite technique in the early stages of attacker reconnaissance. They’re quiet, opportunistic, and incredibly effective.

Here’s the deal. When a company spins up a marketing microsite, a test environment, or a temporary feature using a third-party service like Heroku or GitHub Pages, they often create a DNS record pointing to it. That might be something like campaign.example.com or dev.example.com. But when that service is no longer needed, the instance gets deleted. What’s often forgotten is the DNS record. It stays behind like a forgotten “to-do”, pointing to nothing.

Attackers know this. They use automated tools to scan the internet, looking for DNS records pointing to services that have been decommissioned. Once they find one, they simply claim the original resource, create a GitHub Pages repo or deploy a matching app, and just like that, they now control dev.example.com. That’s subdomain takeover. And it’s ridiculously common.

In a similar vein, there’s the idea of orphaned IP addresses. If your infrastructure used to point to a public IP, say in AWS, and that IP is released but your clients or systems still occasionally try to connect to it, an attacker might be able to lease that same IP and start receiving traffic that was never meant for them. It sounds far-fetched, but it happens.

What makes this even more concerning is that these kinds of checks can be done without the target ever knowing. Attackers can resolve DNS, check HTTP responses, and analyse error codes from the outside. No scanning, no login attempts, no noisy alerts. Just passive, low-risk recon. It’s the digital equivalent of trying doorknobs to see if any were left unlocked.

The real problem is that most security teams are focused on known vulnerabilities. They run vulnerability scans, patch systems, and watch the usual suspects. But their visibility of their actual public-facing infrastructure, all the domains, subdomains, IPs, services, and cloud resources exposed to the internet, is often incomplete or outdated. This creates blind spots. And attackers love blind spots.

This is where External Attack Surface Management (EASM) comes in. Platforms like DarkInvader work by mapping out everything an organisation exposes to the internet, automatically and continuously. They find all the domains, subdomains, cloud buckets, third-party integrations, and more, even the ones you’ve forgotten about. And crucially, they flag things like dangling DNS records, mismatched configurations, and orphaned IPs before someone else gets there first.

Think of it like having a mirror held up to your infrastructure, showing you exactly how an attacker sees you. Because let’s face it, you can’t secure what you don’t know exists.
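A defender can catch the dangling DNS records and orphaned IPs described above by reconciling a zone export against what the organisation's provider accounts still hold. The sketch below is an added example, not DarkInvader's code; the zone lines, inventory sets, suffix list and function names are constructed assumptions.

```python
import ipaddress

# Hosting suffixes for the services the article names (assumed list; extend it).
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".s3.amazonaws.com")

# Constructed BIND-style zone export; none of these records are real.
SAMPLE_ZONE = """\
www.example.com.       300 IN A     203.0.113.10
legacy.example.com.    300 IN A     198.51.100.7   ; address was released
campaign.example.com.  300 IN CNAME old-campaign.herokuapp.com.
dev.example.com.       300 IN CNAME example-dev.github.io.
docs.example.com.      300 IN CNAME Example-Docs.github.io.
"""
# Constructed inventory: resources the provider accounts currently list as ours.
ACTIVE_HOSTS = {"example-docs.github.io"}
ACTIVE_IPS = {"203.0.113.10"}

def parse_records(zone_text):
    """Yield (name, type, value) for 'name ttl IN type value' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) == 5 and fields[2].upper() == "IN":
            yield (fields[0].rstrip(".").lower(), fields[3].upper(),
                   fields[4].rstrip(".").lower())

def find_orphans(zone_text, active_hosts, active_ips):
    """Return records whose target is no longer in the asset inventory."""
    hosts = {h.rstrip(".").lower() for h in active_hosts}
    ips = {ipaddress.ip_address(i) for i in active_ips}
    findings = []
    for name, rtype, value in parse_records(zone_text):
        if rtype == "CNAME":
            # A CNAME to a hosting service we no longer hold is dangling.
            if value.endswith(THIRD_PARTY_SUFFIXES) and value not in hosts:
                findings.append((name, "dangling-cname", value))
        elif rtype in ("A", "AAAA"):
            # An address record for an IP we no longer hold is orphaned.
            if ipaddress.ip_address(value) not in ips:
                findings.append((name, "orphaned-ip", value))
    return findings

if __name__ == "__main__":
    for name, kind, value in find_orphans(SAMPLE_ZONE, ACTIVE_HOSTS, ACTIVE_IPS):
        print(f"{kind}: {name} -> {value} (remove the record or reclaim the resource)")
```

The check works entirely from the zone export and the inventory, so its findings are only as complete as the inventory fed into it.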

Robin Hill

Robin Hill, a co-founder of DarkInvader, brings over 20 years of success in corporate sales, primarily within the enterprise sector. He previously co-founded RandomStorm, a cybersecurity company that was successfully acquired by Accumuli PLC in 2014. Throughout his career, Robin has demonstrated a strong sales focus, driving growth and building lasting client relationships. His deep expertise in sales and his experience leading innovative security firms have positioned him as a key figure in both the business and cybersecurity landscapes.
