Many times, an attacker will still be acquiring knowledge about their target via reconnaissance activities when their campaign is in the initial phases at that time, they will not attack DNS until later in the campaign after they have gathered enough information about the target's environment.
Therefore, the attacker already has a good understanding of what domains are of significant importance to the organization they are attacking, along with a good understanding of what times of day or days of the week their victim logs into those domains. Furthermore, the attacker will have a good understanding of what modifications will go unnoticed or unmonitored by their victim.
Finally, by monitoring DNS traffic related to the attacker, the victim will be able to obtain a well-rounded view of the attacker's overall intent, maturity, and timeline of the attacks that constitute a larger operational plan.
Campaign Signal 1: Focus on Individual Records Rather than Whole Domain
A single record (ex: login.company.com) is targeted instead of the entire domain.
Only a specific record (such as login.company.com) is being targeted rather than an overall domain (for example, company.com).
How This Works
1. Only login.company.com has been changed
2. The MX records were switched for a short time and then reverted back to their original settings
3. The TTLs were lowered to facilitate an easy return to normal function
This indicates that the operation is geared toward stealing credentials rather than interrupting service.
Expected Observations
1. The DNS change will be in effect for a period of about 30 to 90 minutes.
2. The traffic will have been specifically pointed to a TLS-compliant duplicate.
3. The DNS will have been re-established prior to any attempts at monitoring.
This is a well-planned effort, not an innovative idea.
Detection Example
dig login.company.com A +ttlunits
Short TTLs on sensitive subdomains are often deliberate.
Campaign Signal 2: Infrastructure & Domain Reuse
When an attacker hijacks multiple domains, they often will reuse the same infrastructure for all of the hijacked domains. For example, an attacker will use the same hosting provider, issuer of SSL certificates, and redirect URL structure when hijacking multiple domains. Because of the familiarity between all of the hijacked domains, the attackers are able to maximize their efficacy.
Practical Hunting Example
dig compromised-domain.com A +short
whois <resolved-ip>
Finding the same ASN or hosting provider across incidents often links campaigns.
Campaign Signal 3: Timing of Changes Aligned With Legitimate Business Operations
Attackers will often time DNS hijacking actions to coincide with:
1. Payday (i.e., when employees receive their paychecks)
2. Product launches
3. Normal business hours by location
4. Routine maintenance schedules
Identifying the Timing Between Hijacks as a Pattern
An example of this was a recent hijacking of an SSO domain:
1. The hijacking occurred 15 minutes before shift change
2. The hijacking occurred during routine IT maintenance
3. The hijacking occurred while alerts from monitoring systems were already at a high level
Due to the combination of these three activities in such a close time frame, the probability of being detected increased significantly.
Campaign Signal 4: DNS used for validation only not for persistence
Mature attack campaigns will use DNS infrequently. Once an attacker obtains their session or credentials they will move on from DNS and create their persistence later.
The methods used for persistence after obtaining credentials or sessions include:
1. Cloud IAM access
2. OAuth tokens
3. API keys
4. Email rules
Therefore, DNS is not used as a backdoor but rather as a doorbell.
Campaign Signal 5: Selective Geography
Some DNS hijacks affect only specific geographical locations, and attackers accomplish this by:
1. Hijacking regional resolvers
2. Targeting ISP infrastructure
3. BGP route manipulation
This prevents global monitoring services from detecting the hijacks.
Example of validation
dig company.com @8.8.8.8
dig company.com @1.1.1.1
The results returned for these two queries will vary if there are not benignly maintained DNS caches across the resolvers
Tools That Are Commonly Utilized in DNS-Driven Campaigns
These tools are straightforward and lawful.
The attackers will typically use the following tools:
1. Registrar web panels
2. Cloud DNS API's
3. Dig and nslookup
4. Curl for verification/testing
5. Short-lived automation scripts
There is a reason why no customized malware is created.
Example: Tracking DNS Changes Across a Campaign
Security teams often reconstruct campaigns backwards.
Simple Change Monitoring Script
import subprocess
import time
baseline = subprocess.check_output(["dig", "login.company.com", "+short"])
while True:
current = subprocess.check_output(["dig", "login.company.com", "+short"])
if current != baseline:
print("DNS change detected:", current)
time.sleep(300)
Crude, but effective for critical domains.
Why DNS Hijacks Expose Campaign Maturity
Low-skill attacks are noisy.
Campaigns are careful.
Indicators of higher maturity:
1. Short exposure windows
2. Minimal record changes
3. Clean rollback
4. Consistent infrastructure reuse
5. Alignment with business timing
DNS behavior tells you who you are dealing with, not just what happened.
What DNS Hijacks Tell Defenders Early
DNS activity often reveals:
1. The attacker’s objective
2. Whether credential theft is underway
3. If cloud or email compromise will follow
4. How confident the attacker feels
This is one of the few points where defenders can still get ahead.
Functional Offensive Fortification Areas
Focus on specific offences rather than on a broader method of reporting them. Effective teams will concentrate their efforts on:
1. Monitoring the number of record changes for the critical subdomains.
2. Alerting when a TTL value is reduced.
3. Tracking registrar and admin level access for DNS services.
4. Comparing responses for DNS between regions.
5. Correlating DNS activity with authentication logs.
DNS does not operate independently of other security functions; it provides a first indication of what is likely to occur next.
Key Takeaways
1. DNS hijacks reveal campaign intent and maturity
2. Short, precise changes are more dangerous than outages
3. Infrastructure reuse links incidents together
4. DNS activity often precedes identity compromise
When DNS changes feel “too clean,” they usually are.