DNS is always a buzzword but security teams rarely know the threats. Glad to see all the checks in one place.
I'm adding radar.defendflow.xyz to my toolset going forward. Interesting tool and I learned something today.
@nullenc0de.bsky.social
I spend a significant amount of time reading security stuff. Co-Founder/Partner @CoastlineCyber https://leanpub.com/internal-field-guide
Why does this happen?
Common scenarios:
- Migrated DNS providers, forgot to update registrar
- Nameserver decommissioned by old provider
- Company merged/acquired, DNS lost in transition
- "Set it and forget it" mindset from 10+ years ago
It's technical debt.
The M365 angle is particularly nasty.
If your domain has an active Azure AD tenant (most businesses do), hijacking DNS lets attackers:
- Access OpenID configurations
- Exploit device code flows
- Potentially compromise admin consent endpoints
Your cloud identity lives here.
What can attackers do with a hijacked domain?
- Host phishing sites on YOUR trusted domain
- Intercept emails (if DNS MX records changed)
- Steal OAuth tokens from M365 integrations
- Damage brand reputation
- Launch supply chain attacks against your customers
Some notable (interesting) vulnerable domains from the test:
kickasstorrentsso.com (variation of KickassTorrents)
yandex.ua (Ukrainian domain for Yandex)
hi-pda.com (Popular Chinese tech forum)
Here is a domain that looks to be already compromised.
30.10.2025 02:39
Some examples:
Domain: bale.com worth $$$
Assets at risk: Microsoft 365 tenant, and various OAuth endpoints
Time to exploit: Minutes, not hours
The scope? Eye-opening.
I found domains that have been on the WWW since the early days. Legacy domains. Established brands. Some with active Microsoft 365 tenants, email systems, and OAuth integrations still running.
These aren't abandoned sites. They're ACTIVE businesses.
Here's what makes this terrifying:
- No password needed
- No account takeover required
- No social engineering
- The domain registrar shows YOU still own it
- But attackers control where traffic goes
What's a Sitting Duck attack?
It's when a domain's DNS is misconfigured, specifically "lame delegation", where the nameservers at your registrar don't match your DNS provider. This allows an attacker to claim your domain at the DNS level without touching your registrar.
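A way to check your own domains for the condition described above, as an added example (not code from this thread and not part of radar.defendflow.xyz): pull the NS set the registrar published at the parent (TLD) zone, ask each of those nameservers directly whether it is authoritative for the zone, and flag every one that answers REFUSED/SERVFAIL, times out, or whose hostname no longer resolves. The classification step is pure so it can run offline on the constructed fixture in `__main__`; the live probe assumes dnspython is installed and that the zone sits directly under a TLD (`example.com` -> parent `com`). Zone and nameserver names in the fixture are made up. Note the caveat: "lame" means nobody serves the zone; whether an attacker can actually claim it depends on whether the delegated provider lets a new customer create a zone for that name, which a DNS query cannot tell you.

```python
"""Lame-delegation checker: does every nameserver the parent delegates to actually
serve the zone?  Added example, not code from the thread or radar.defendflow.xyz.
Names and statuses in the offline fixture are constructed."""
import sys
from dataclasses import dataclass, field
from typing import Dict, List

# Outcome of asking one delegated nameserver "are you authoritative for <zone>?"
AUTHORITATIVE = "authoritative"  # NOERROR with the AA flag set: healthy
REFUSED = "refused"              # REFUSED: server does not host the zone (classic lame delegation)
SERVFAIL = "servfail"            # SERVFAIL or other error: not serving the zone either
TIMEOUT = "timeout"              # no answer at all
UNRESOLVABLE = "unresolvable"    # the nameserver's own hostname no longer resolves (dangling NS)


@dataclass
class DelegationReport:
    zone: str
    parent_ns: List[str]
    healthy: List[str] = field(default_factory=list)
    lame: List[str] = field(default_factory=list)
    dangling: List[str] = field(default_factory=list)

    @property
    def is_lame(self) -> bool:
        """At least one delegated nameserver does not serve the zone."""
        return bool(self.lame or self.dangling)

    @property
    def fully_lame(self) -> bool:
        """No delegated nameserver serves the zone. The domain is dark and, if the
        delegated provider lets anyone create a zone for it, claimable."""
        return not self.healthy


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def classify_delegation(zone: str, parent_ns: List[str], ns_status: Dict[str, str]) -> DelegationReport:
    """Pure classification step. parent_ns is the NS set published at the parent
    (TLD) zone; ns_status maps each nameserver to one of the outcomes above.
    A nameserver with no recorded outcome is treated as a timeout."""
    report = DelegationReport(_norm(zone), sorted(_norm(n) for n in parent_ns))
    status = {_norm(k): v for k, v in ns_status.items()}
    for ns in report.parent_ns:
        outcome = status.get(ns, TIMEOUT)
        if outcome == AUTHORITATIVE:
            report.healthy.append(ns)
        elif outcome == UNRESOLVABLE:
            report.dangling.append(ns)
        else:
            report.lame.append(ns)
    return report


def probe_live(zone: str, timeout: float = 3.0) -> DelegationReport:
    """Network step. Assumes dnspython (pip install dnspython) and a zone directly
    under a TLD. The delegation is read from a TLD server, not from the zone itself,
    because a lame zone's own NS answer is exactly what cannot be trusted."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver

    resolver = dns.resolver.Resolver()
    resolver.lifetime = timeout
    parent = zone.split(".", 1)[1]
    tld_server = str(resolver.resolve(parent, "NS")[0].target)
    tld_ip = str(resolver.resolve(tld_server, "A")[0])
    referral = dns.query.udp(dns.message.make_query(zone, "NS"), tld_ip, timeout=timeout)
    parent_ns = [
        _norm(str(rr.target))
        for rrset in referral.authority + referral.answer
        if rrset.rdtype == dns.rdatatype.NS
        for rr in rrset
    ]
    status: Dict[str, str] = {}
    for ns in parent_ns:
        try:
            ip = str(resolver.resolve(ns, "A")[0])
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
            status[ns] = UNRESOLVABLE
            continue
        try:
            resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ip, timeout=timeout)
        except dns.exception.Timeout:
            status[ns] = TIMEOUT
            continue
        if resp.rcode() == dns.rcode.NOERROR and resp.flags & dns.flags.AA:
            status[ns] = AUTHORITATIVE
        elif resp.rcode() == dns.rcode.REFUSED:
            status[ns] = REFUSED
        else:
            status[ns] = SERVFAIL
    return classify_delegation(zone, parent_ns, status)


if __name__ == "__main__":
    # Offline demo on a constructed fixture: the registrar still points at an old
    # provider that has since dropped the zone and now answers REFUSED.
    demo = classify_delegation(
        "legacy-brand.example",
        ["ns1.old-dns-provider.example", "ns2.old-dns-provider.example"],
        {"ns1.old-dns-provider.example": REFUSED, "ns2.old-dns-provider.example": REFUSED},
    )
    print(f"{demo.zone}: lame={demo.lame} dangling={demo.dangling} fully_lame={demo.fully_lame}")
    if len(sys.argv) > 1:  # python lame_check.py yourdomain.com  (needs network + dnspython)
        live = probe_live(sys.argv[1])
        print(f"{live.zone}: lame={live.lame} dangling={live.dangling} healthy={live.healthy} fully_lame={live.fully_lame}")
```

Run it with no arguments to see the fixture classified; pass a domain you own to probe the real delegation. A `fully_lame` result on a domain with a live M365 tenant or MX records is the situation the thread is describing and should be fixed at the registrar (point the NS records at the provider actually hosting the zone) before anyone else notices.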
I just scanned top 100k Alexa domains and found something alarming.
Some of the internet's most valuable domains worth hundreds of thousands of dollars can be hijacked in minutes through "Sitting Duck" attacks.
Here's how: