A newly identified cybercrime group is exploiting abandoned cloud infrastructure to hijack subdomains and launch malicious campaigns under the names of trusted organizations. This threat actor, known as Hazy Hawk, is using overlooked DNS configurations to target enterprise brands and government entities alike—highlighting a growing blind spot in cloud security management.
How the Attack Works: DNS Hijacking via Cloud Misconfigurations
Hazy Hawk leverages a technique involving dangling CNAME records—DNS entries that point to cloud-based resources (like Azure apps or AWS S3 buckets) that no longer exist or have been decommissioned. When an organization forgets to remove or update these records, an attacker can register a new resource under the same provider-assigned hostname the record still points to, effectively taking control of the domain or subdomain without touching the organization's own DNS or systems.
Once hijacked, the attackers can use these domains to host malicious content, phishing pages, or redirect users through traffic distribution systems (TDS) to scams or malware—without ever compromising the core infrastructure of the victim organization.
Notable Victims and Scope of Impact
Among those impacted by this technique are high-profile entities including:
- The U.S. Centers for Disease Control and Prevention (CDC)
- Big Four accounting firms like Deloitte, PwC, and Ernst & Young
These hijacked subdomains, although the cloud resources behind them were abandoned, still carry the trust of the parent domain with users and automated systems, making them ideal for spreading malware, social engineering schemes, or deceptive pop-ups that trick users into enabling notifications or downloading software.
Why This Threat Matters
Attacks like this are especially dangerous because they:
- Exploit legitimate infrastructure: No exploit is required—just overlooked DNS records.
- Bypass perimeter defenses: Traffic appears to come from trusted domains.
- Impact brand reputation: Even though the core systems aren’t breached, the organization’s name is used to mislead users.
- Target supply chains: A single hijacked subdomain could affect customers, partners, and vendors.
This represents a classic case of security by omission—where gaps in routine cloud hygiene create unintentional risk exposure.
How to Protect Against Cloud DNS Hijacking
To defend against attacks like those executed by Hazy Hawk, organizations should prioritize the following security practices:
1. Regular DNS Hygiene
Conduct routine audits of your DNS records, especially CNAME entries pointing to cloud services. Remove or update any that reference unused, expired, or decommissioned infrastructure.
2. Centralized Cloud Asset Inventory
Use asset management tools to maintain an accurate inventory of active cloud services and their associated DNS configurations.
3. DNS Filtering and Protective Services
Deploy DNS security solutions that can detect and block access to known malicious redirectors or domains hosted by third parties.
4. Educate End Users
Train staff to recognize unusual redirects, unsolicited popups, and browser-based permission requests tied to notifications or downloads.
5. Monitor for Subdomain Takeover
Use automated tools or third-party services to monitor your domains for takeover risks. There are open-source and commercial solutions that alert on dangling DNS entries.
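The dangling-CNAME condition described above and the DNS hygiene audit recommended in steps 1 and 5 can be checked with a small script. The following is an added example written for this article; it is not code from the article, from Hazy Hawk research, or from any vendor tool. It parses BIND-style CNAME lines, classifies each target by whether it still resolves, and flags targets under provider suffixes that can be re-registered. The suffix lists, the zone data and the canned resolver answers are assumptions constructed for the example; swap in your own zone export and the live resolver for real use.

```python
"""Audit CNAME records for dangling cloud targets (added example, not the article's code)."""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Assumed, illustrative provider suffixes. For these, DNS stops answering once the
# resource is deleted, so a non-resolving target is a takeover candidate.
DNS_VISIBLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net")

# Assumed, illustrative suffixes served through a provider wildcard: DNS keeps
# answering after the bucket is gone, so only an HTTP probe for the provider's
# "not found" response can tell. The audit flags them for that follow-up check.
WILDCARD_SUFFIXES = (".s3.amazonaws.com",)


def live_resolver(hostname: str) -> Optional[str]:
    """Resolve through the system resolver; None when the lookup fails.

    socket cannot tell NXDOMAIN from a transient failure, so re-check a None
    result (for example with a second resolver) before acting on it.
    """
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def parse_cname_lines(zone_text: str) -> Dict[str, str]:
    """Extract owner -> target pairs from BIND-style CNAME lines; other records are ignored."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        parts = line.split()
        if "CNAME" in parts and parts.index("CNAME") + 1 < len(parts):
            records[parts[0]] = parts[parts.index("CNAME") + 1]
    return records


def classify_target(target: str, resolve: Resolver) -> str:
    """Classify one CNAME target: live, dangling, dangling-claimable or needs-http-check."""
    host = target.rstrip(".").lower()
    if host.endswith(WILDCARD_SUFFIXES):
        return "needs-http-check"
    if resolve(host) is not None:
        return "live"
    if host.endswith(DNS_VISIBLE_SUFFIXES):
        return "dangling-claimable"
    return "dangling"


def audit_cnames(records: Dict[str, str], resolve: Resolver = live_resolver) -> List[dict]:
    """Return one finding per CNAME whose target is not simply live."""
    findings = []
    for owner, target in records.items():
        status = classify_target(target, resolve)
        if status != "live":
            findings.append({"owner": owner, "target": target, "status": status})
    return findings


# Constructed sample zone (not real records); example.com is a reserved name.
SAMPLE_ZONE = """
; app subdomains
www       3600 IN CNAME acme-prod.azurewebsites.net.
old-app   3600 IN CNAME acme-retired.azurewebsites.net.   ; app deleted last year
legacy    3600 IN CNAME host.legacy-partner.example.
assets    3600 IN CNAME acme-assets.s3.amazonaws.com.
mail      3600 IN MX    10 mx.example.com.
"""

# Constructed answers standing in for a real resolver so the example runs offline.
FAKE_DNS = {"acme-prod.azurewebsites.net": "203.0.113.10"}


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_DNS.get(hostname)


if __name__ == "__main__":
    for f in audit_cnames(parse_cname_lines(SAMPLE_ZONE), fake_resolver):
        print(f"{f['status']:20} {f['owner']} -> {f['target']}")
```

Run it periodically over a zone export (or the output of your DNS provider's API) with `live_resolver` in place of `fake_resolver`; every `dangling-claimable` finding is a record to delete or repoint before anyone else registers the target, and `needs-http-check` findings need a content probe because wildcard-served hosts never go NXDOMAIN.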