top of page
  • Admin

Attackers Come Out Of The Shadows To Compromise Legitimate Domains

Published: October 10, 2022 on our newsletter Security Fraud News & Alerts Newsletter.

Hiding something in plain sight is one of the most effective ways of concealing something. We’ve such things in the pass when attackers hid malware inside images. All appears normal on the surface, but something may be lurking unseen ready to create havoc. This is also the threat of shadow domains. Shadow domains join threats, such as phishing and malware distribution, as a way for hackers to hijack domains.

A domain is the top level of a website. For example, when you type in, the “” is the top-level domain. Everything that comes after that final dot com is a subdomain. Often, these are used for legitimate reasons, but as Palo Alto researchers noted, they are finding them used for attacks more often than anyone thought previously. That’s because they can also bypass other security checks.

The shadow domains are created by cybercriminals under “compromised” real domains. In the case Palo Alto researchers discovered, the attackers are particularly interested in Microsoft account credentials. And like the sharks of film and literature, these sneaky shadow domains lurk beneath the surface, making them extremely difficult to detect. This is due to the fact that the legitimate domain is not affected in any way. There is no obvious change, so the casual examination of the compromised top-level domain will simply not reveal that anything malicious is occurring behind the scenes (cue the Jaws music). But it is, and it sends your information back to a server hosted by the attackers.

When users click on the above phishing URL, they are redirected to a landing page, as shown in the image below. The phishing page is looking to steal Microsoft user credentials. It is not easy to spot these phishing or shadow domains, but making it a habit to examine every URL before clicking is becoming imperative to avoid falling for these attacks.

There are ways to make sure you’re going to the correct location. First, always use a website you trust. Type it into a web browser yourself and check it for typos before hitting that return or enter key. When you know you are at the correct and safe place, bookmark it and use that bookmark in the future. If you notice anything different about the website, check it again before entering credentials. If you still can’t be sure, wait and try a different way, such as using the mobile app. If you’re sure a domain has been compromised, report it to the organization so they can address it.

Watch for suspicious links and attachments in email that are from senders you don’t know or trust. Even if you do know them, if you aren’t expecting it, don’t click it.

Discovering a shadow domain is a time-consuming and labor-intensive job, so they can remain undetected for long periods of time. Users may unknowingly input their login details to this phony domain unaware that they are exposing their data until it is too late; if they notice at all.

Unfortunately, we see this happening more often these days. But, a little bit of double checking before entering details can help you stay out of the jaws of these cyberthieves.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at

bottom of page