Under Attack? Contact Us Start a Free Demo

Why Domain Shadowing Attacks are Increasing in 2022 and How to Prevent Them?

What is Domain Shadowing?

Domain Shadowing is picking up traction in 2022 as researchers observed multiple cyber attacks recently leveraging this technique. Domain shadowing attack is a special case of DNS hijacking technique that involves hacking a domain administrator’s account and creating multiple subdomains within the domain, so as to bypass the denylists. This is an extremely stealthy way of exploitation and highly difficult to detect by traditional security systems.

How Domain Shadowing Works?

Typically, cybercriminals gain access to domain owner accounts through phishing, dictionary attacks, or other techniques. The next step is to create a large number of subdomains, each of which can be used for malicious purposes before being destroyed. Many of them are replaced automatically to speed up the rotation of used addresses and avoid detection.

Cybercriminals host malicious pages linked to URLs on their servers; these malicious pages do not link to any pages on the victim’s main site, nor does the main site link to any subdomains belonging to the victim. The address bar displays the main domain, which has a good reputation, which may make users unaware they are on a suspicious site. Domain owners may also not be aware that their account has been compromised or malicious subdomains have been created.

Cybercriminals use these subdomains for various nefarious purposes including (and not limited to):

  • C2 servers
  • Malware distribution
  • Scams
  • Phishing attacks

Why Domain Shadowing is Becoming Popular in 2022?

In 2022, threat actors consider domain shadowing one of the top techniques because of its highly stealthy way of operation. There are several reasons why this is especially difficult to detect:

  • An attacker does not need access to your web server to launch an attack.
  • Despite being notified or alerted regarding the subdomain creation, you won’t find anything by searching your server because the new subdomain threat actors set up are owned and hosted somewhere else, using the root domain reputation to sell malware.
  • Palo Alto’s recent report on domain shadowing states, out of 12,197 shadowed domains detected by Palo Alto between April 25 and June 27, 2022, only 200 were found on the VirusTotal. This illustrates how effectively domain shadowing is endorsed in cyber attacks by the threat actors.

How to Prevent Domain Shadowing Attacks?

Though it is extremely difficult to identify the creation of suspicious and malicious sub-domains for your domain, by considering a proactive and vigilant approach, one can avoid domain shadowing attacks.

  • Domain owners can check their DNS records for subdomains they don’t recognize. Subdomains you do not recognize should be removed as soon as you can. You might need to change your password and, in some cases, your security access if you discover any unrecognized subdomains.
  • As a general user, pay close attention to whom you’re following a link from in your e-mail and pay close attention to who sent the message. Whenever you are prompted to log in, double-check the address bar. If the domain name, including any subdomains, is not familiar, do not log in. Alternatively, you can contact the institute yourself to confirm details before accessing the website.

How to Defend Your Network from Advanced Cyber Attacks?

Cybersecurity threats and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).