FortWatch

Subdomain Takeover

A vulnerability where an attacker gains control of a subdomain by claiming an unconfigured or abandoned external service it points to.


What is Subdomain Takeover?

A subdomain takeover happens when a DNS record (typically a CNAME, but also A, NS, or MX records) points to a third-party service that no longer exists or is no longer claimed by the domain owner. Because the underlying resource has been deprovisioned, an attacker can register that same resource on the provider, serve their own content, and effectively control a subdomain of your domain — for example blog.yourcompany.com — without ever touching your DNS.

Why it matters

A subdomain you no longer use still inherits the trust of your brand. If an attacker claims it, they can host phishing pages on a legitimate-looking hostname, capture session cookies scoped to your parent domain, bypass CORS or OAuth allowlists, and serve malware under your name. Subdomain takeovers are usually rated critical because exploitation is often a one-click claim with no authentication required, and the impact — credential theft, brand abuse, and trust erosion — is immediate. See how to prioritize vulnerabilities for where this sits relative to other findings.

How it works

  1. You point shop.yourcompany.com via CNAME to a SaaS host such as a static-site, CDN, or marketing platform.
  2. Later, you cancel the SaaS account or tear down the project, but you forget to delete the DNS record. The record is now dangling: it resolves to a hostname the provider no longer assigns to you.
  3. An attacker enumerates your subdomains, spots the dangling record, and registers the same resource name on that provider.
  4. The provider now serves the attacker's content for your subdomain.

A concrete example

Suppose status.yourcompany.com is a CNAME to yourcompany.status-provider.io. You stop paying for the status page; the provider releases the project slug. An attacker signs up for the same provider, claims yourcompany.status-provider.io, and publishes a fake login form. Visitors see the page on status.yourcompany.com — a real subdomain of yours — and trust it. The fix is simply to delete the stale CNAME, but only if you know it exists.

How it shows up on your attack surface

Dangling records are invisible from the inside: your DNS zone looks fine, and the gap is the missing resource on the provider side. They accumulate naturally as teams spin SaaS tools up and down, which is exactly the kind of drift that external attack surface management exists to catch. Catching them has two prerequisites: thorough subdomain discovery, and verification that the target of each record still resolves and still serves content that belongs to you.

How FortWatch helps

FortWatch's subdomain takeover scanner enumerates your subdomains, resolves their DNS records, and checks each target against known fingerprints — provider-specific error pages and unclaimed-resource signatures — to flag dangling records that are claimable. Confirmed takeovers are raised as critical issues with AI remediation steps. You can also map your DNS posture with our subdomain finder and review the broader topic in subdomain takeover via dangling DNS. The remediation is almost always to remove or repoint the stale record.
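The check described above and in the "How it works" steps, reduced to its core logic, as an added example that is not FortWatch's own scanner code. It takes a list of (subdomain, CNAME target) pairs and classifies each target as unverified (no fingerprint known for that provider), dangling (the target name no longer resolves), claimable (the provider answers with its unclaimed-resource page), or ok. The DNS resolver and HTTP fetcher are injected so the example runs offline against constructed tables; the provider zones and fingerprint strings are placeholders, not real provider signatures.

```python
"""Offline demonstration of dangling-CNAME / subdomain-takeover detection.

Constructed example: resolver and fetcher are stubbed with in-memory tables
so the script runs without network access. Provider names and fingerprint
strings below are placeholders, not real provider signatures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprint table: provider zone -> text the provider returns
# when the resource behind a hostname is unclaimed (placeholders).
FINGERPRINTS: Dict[str, str] = {
    "status-provider.io": "Project not found",
    "static-host.example": "No such site",
}

Resolver = Callable[[str], Optional[List[str]]]   # None means NXDOMAIN
Fetcher = Callable[[str], Optional[str]]          # None means no HTTP answer


@dataclass
class Finding:
    subdomain: str
    target: str
    verdict: str   # "ok", "dangling-nxdomain", "claimable", "unverified"
    reason: str


def provider_for(target: str) -> Optional[str]:
    """Return the fingerprint-table zone that the CNAME target sits under."""
    for zone in FINGERPRINTS:
        if target == zone or target.endswith("." + zone):
            return zone
    return None


def check_record(subdomain: str, target: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    """Classify one CNAME record by looking at its target, not the zone itself."""
    provider = provider_for(target)
    if provider is None:
        return Finding(subdomain, target, "unverified", "target not in fingerprint table")
    if resolve(target) is None:
        # Target name no longer exists at the provider: the classic dangling record.
        return Finding(subdomain, target, "dangling-nxdomain", "CNAME target does not resolve")
    body = fetch(target)
    if body is not None and FINGERPRINTS[provider] in body:
        # Provider still answers, but reports that nobody owns this resource name.
        return Finding(subdomain, target, "claimable", "provider returned unclaimed-resource page")
    return Finding(subdomain, target, "ok", "target resolves and serves content")


def scan(records: List[Tuple[str, str]], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    return [check_record(sub, tgt, resolve, fetch) for sub, tgt in records]


# ---- constructed sample data: a small zone export and what the targets return ----
SAMPLE_RECORDS = [
    ("status.yourcompany.com", "yourcompany.status-provider.io"),
    ("shop.yourcompany.com", "shop-yourcompany.static-host.example"),
    ("docs.yourcompany.com", "docs-yourcompany.static-host.example"),
    ("mail.yourcompany.com", "mx.mail-vendor.example"),
]
DNS_TABLE = {
    "yourcompany.status-provider.io": ["203.0.113.10"],
    "docs-yourcompany.static-host.example": ["203.0.113.20"],
    # shop-yourcompany.static-host.example is deliberately absent -> NXDOMAIN
}
HTTP_TABLE = {
    "yourcompany.status-provider.io": "<h1>Project not found</h1>",
    "docs-yourcompany.static-host.example": "<h1>Welcome to our docs</h1>",
}


def stub_resolve(host: str) -> Optional[List[str]]:
    return DNS_TABLE.get(host)


def stub_fetch(host: str) -> Optional[str]:
    return HTTP_TABLE.get(host)


def demo() -> Dict[str, str]:
    """Run the scan over the constructed data and return subdomain -> verdict."""
    return {f.subdomain: f.verdict for f in scan(SAMPLE_RECORDS, stub_resolve, stub_fetch)}


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS, stub_resolve, stub_fetch):
        print(f"{f.subdomain:26} -> {f.target:40} {f.verdict:18} ({f.reason})")
```

Two design points carry over to a real scanner: the verdict is driven by what the CNAME target does, never by your own zone (which always looks healthy), and a provider not in the fingerprint table yields "unverified" rather than "ok", so a gap in fingerprint coverage surfaces as work to do instead of a silent pass. In a live tool the stubs would be replaced by a DNS lookup and an HTTPS request to the target host.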
