Subdomain takeover → cookie theft → account takeover
Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
§ Context
Assumed environment: session cookies set with Domain=.target.com (common). At least one DNS record points to an unclaimed cloud resource the attacker can register.
§ Steps
- 01 Account takeover (Initial Access, T1078 Valid Accounts)
- 02 Phish target users with a same-org link (Initial Access, W-OPEN-REDIRECT Open Redirect)
  Cookies for .target.com are sent to the takeover host.
- 03 Host attacker content under the trusted host (Initial Access, W-SUBDOMAIN-TAKEOVER Subdomain Takeover)
- 04 Claim the unclaimed resource (Initial Access, W-SUBDOMAIN-TAKEOVER Subdomain Takeover)
  Register the Heroku app / GitHub Pages / Azure resource with the matching name.
- 05 Find dangling CNAME (Initial Access, W-SUBDOMAIN-TAKEOVER Subdomain Takeover)
- 06 Harvest authenticated session cookies (Credential Access, T1539 Steal Web Session Cookie)
- 07 Enumerate subdomains (Reconnaissance, W-RECON-SUBDOMAIN Subdomain Enumeration)
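Why the Domain=.target.com assumption in Context is what makes the cookie-harvest step work, as an added example that is not part of the original dossier: a minimal RFC 6265 cookie-scoping check in Python, showing that a session cookie set by www.target.com with Domain=.target.com is sent to a taken-over mail.target.com, while a host-only cookie (no Domain attribute, here with the __Host- prefix) is not. The host names, cookie values and the hardened header are constructed for illustration; only mail.target.com comes from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # effective domain, lower-case, leading dot stripped
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request host ends with '.' + cookie domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def store(set_cookie: str, origin_host: str) -> Cookie:
    """RFC 6265 section 5.3 storage rules for one Set-Cookie header; ValueError = browser discards it."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    origin = origin_host.lower()
    domain = attrs.get("domain", "").lower().lstrip(".")
    if name.startswith("__Host-"):
        # __Host- prefix requires Secure, Path=/ and no Domain attribute, otherwise the cookie is rejected.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            raise ValueError(f"{name} rejected: violates __Host- prefix rules")
    if not domain:
        return Cookie(name, origin, host_only=True)   # no Domain attribute: host-only cookie
    if not domain_matches(origin, domain):
        raise ValueError(f"{name} rejected: {origin} does not domain-match {domain}")
    return Cookie(name, domain, host_only=False)      # shared with every subdomain of `domain`

def would_send(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match, others a domain-match."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)

# Constructed scenario: the app at www.target.com sets the session cookie; mail.target.com is the
# dangling subdomain from the attack path above.
ORIGIN, TAKEOVER_HOST = "www.target.com", "mail.target.com"
WEAK = "session=s3cr3t; Domain=.target.com; Secure; HttpOnly"       # the assumed (weak) setting
HARDENED = "__Host-session=s3cr3t; Secure; Path=/; HttpOnly"         # host-only, prefix-enforced

def leaks_to_takeover_host(set_cookie: str) -> bool:
    """True when a cookie set by ORIGIN would be sent to TAKEOVER_HOST."""
    return would_send(store(set_cookie, ORIGIN), TAKEOVER_HOST)
```

`leaks_to_takeover_host(WEAK)` returns True and `leaks_to_takeover_host(HARDENED)` returns False; the hardened cookie still reaches www.target.com itself, so the fix costs nothing for the legitimate host.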
§ References
- T1078 Valid Accounts
- T1539 Steal Web Session Cookie
§ Frequently asked
- What is the "Subdomain takeover → cookie theft → account takeover" attack path?
- Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Account takeover (T1078), an initial-access primitive. Assumed environment: session cookies set with Domain=.target.com.
- What is the final impact of this kill-chain?
- The final step lands on Enumerate subdomains (W-RECON-SUBDOMAIN), which falls under Reconnaissance. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- 5G core GTP-U user-plane injection → subscriber MITM (shared techniques: 2)
  Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- Subdomain takeover → ACME DNS-01 → trusted cert for victim host (shared techniques: 2)
  Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. Now have a publicly-trusted cert for victim.example.com — chain into AITM.
- FIDO2 caBLE hybrid → phone authenticator hijack (shared techniques: 2)
  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 2)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Citrix Bleed → steal authenticated session → MFA bypass (shared techniques: 2)
  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- Compromised extension auto-update → fleet compromise (shared techniques: 2)
  Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.