27 February 2024

Large-scale spam operation hijacks over 8K subdomains of trusted brands


Researchers at Guardio Labs have uncovered a sprawling cyber operation dubbed “SubdoMailing,” which has hijacked over 8,000 domains belonging to esteemed brands and institutions to disseminate massive volumes of spam and malicious phishing emails daily, effectively circumventing security measures.

The operation, which has been active for at least two years, involves the manipulation of thousands of hijacked subdomains affiliated with recognized brands like Marvel, Columbia, EasyJet, VMware, and others.

The attackers use various tactics to make their emails appear legitimate and evade security measures, including abusing the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols.

The threat actor employs two methods: CNAME hijacking and SPF record exploitation. In the CNAME attacks, the threat actors identify subdomains whose CNAME records point to external domains that are no longer registered, then register those domains themselves. SPF-Takeover instead exploits abandoned domains referenced by a brand's SPF record: by registering such a domain, the attackers can publish an SPF record that authorizes their own IP addresses, letting them send mail with the legitimate domain name as the sender.
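The two weaknesses described above can be audited from the defender's side. The following is an added example, not code from Guardio Labs or the article: it walks a domain's SPF `include:`/`redirect=` chain and checks CNAME targets against a constructed, in-memory DNS table (all names are documentation placeholders), flagging any referenced name that no longer exists. In practice the `lookup` function would be replaced by a real resolver.

```python
from collections import deque

# Constructed zone data (not real DNS): a missing name is NXDOMAIN, a missing
# type under an existing name is NODATA. All names are documentation examples.
FAKE_DNS = {
    "brand.example": {
        "A": ["203.0.113.10"],
        "TXT": ["v=spf1 include:_spf.mailer.example include:old-vendor.example -all"],
    },
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "promo.brand.example": {"CNAME": ["expired-campaign.example."]},
    "www.brand.example": {"CNAME": ["brand.example."]},
    # old-vendor.example and expired-campaign.example are deliberately absent.
}

def lookup(name, rtype):
    """Records for name/rtype; [] for NODATA; None when the name does not exist."""
    zone = FAKE_DNS.get(name.rstrip(".").lower())
    return None if zone is None else zone.get(rtype, [])

def spf_record(domain):
    """The v=spf1 TXT record of domain, or None if it has none."""
    return next((r for r in lookup(domain, "TXT") or [] if r.lower().startswith("v=spf1")), None)

def audit_spf(domain):
    """Walk include:/redirect= chains; flag names in the chain that no longer exist."""
    findings, seen, queue = [], set(), deque([domain.lower()])
    while queue:
        d = queue.popleft()
        if d in seen:
            continue
        seen.add(d)
        if lookup(d, "TXT") is None:
            findings.append(f"{d}: NXDOMAIN but referenced by SPF (SPF-Takeover candidate)")
            continue
        rec = spf_record(d)
        if rec is None:
            findings.append(f"{d}: referenced by SPF but publishes no SPF record")
            continue
        for term in rec.split()[1:]:
            mech = term.lstrip("+-~?").lower()
            for prefix in ("include:", "redirect="):
                if mech.startswith(prefix):
                    queue.append(mech[len(prefix):])
    return findings

def audit_cname(name):
    """Flag a subdomain whose CNAME target no longer exists (dangling CNAME)."""
    targets = lookup(name, "CNAME") or []
    return [f"{name}: CNAME -> {t} does not resolve (takeover candidate)"
            for t in targets if lookup(t, "A") is None]
```

Running `audit_spf("brand.example")` reports the abandoned `old-vendor.example` include, and `audit_cname("promo.brand.example")` reports the dangling CNAME, while `www.brand.example` passes.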

Guardio Labs has attributed this campaign to a threat actor it tracks as “ResurrecAds,” which systematically scans the internet for vulnerable domains, purchases them, secures hosts and IP addresses, and meticulously executes the ongoing spam campaign. This indicates a high level of organization and technical sophistication.

“Central to their operation is the strategy of reviving ‘dead’ domains of or affiliated with big brands, using them as backdoors to exploit legitimate services and brands. This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains,” the researchers wrote.
