This is example data. Real dashboards update continuously based on your assets.
Back to Domain Dashboard

Subdomain takeover via Azure - staging.example.com

Demo — read-only

Summary

A subdomain takeover vulnerability was detected on staging.example.com. The subdomain has a CNAME record pointing to an Azure resource (e.g. *.cloudapp.net) that was deleted or never created. The target no longer exists, so resolution returns NXDOMAIN (or an error), but the CNAME still points to that Azure hostname. An attacker can create the same resource in their own Azure subscription and serve content on your subdomain.

The subdomain currently has a CNAME pointing to:

  • abandoned-app.cloudapp.net (or similar *.cloudapp.net / *.azurewebsites.net)

This is different from DNS zone takeover (where NS records point to an abandoned zone). Here the subdomain points to a deleted Azure app/resource; there are no NS records involved.

Security Impact

If an attacker claims the orphaned Azure resource:

  • Host malicious content on your subdomain (staging.example.com)
  • Steal cookies and session tokens from users visiting the subdomain
  • Phish users by hosting fake login pages on a trusted domain
  • Bypass security policies that allowlist your domain
  • Damage your brand reputation by hosting inappropriate or malicious content

This is a medium-severity vulnerability; same impact as high-severity takeovers but may require the attacker to claim the resource in the same cloud region or under the same naming rules.

How to Verify

Check that the subdomain points to Azure and fails to resolve:

dig staging.example.com CNAME +short
dig staging.example.com A +short
  • CNAME should return something like abandoned-app.cloudapp.net (or *.cloudapp.net / *.azurewebsites.net).
  • A (or resolution) often returns nothing (NXDOMAIN) or an error because the Azure resource was deleted. If you get NXDOMAIN while the CNAME still points to an Azure hostname, the subdomain is likely vulnerable to takeover.

Optional: Try visiting https://staging.example.com. If you see an Azure “site not found” or connection error while the CNAME points to *.cloudapp.net, the resource is unclaimed and an attacker could create it.

Remediation

  • Remove the CNAME (if subdomain is not needed): Delete the staging.example.com CNAME record or point it to a valid destination.
  • Recreate the Azure resource (if subdomain is needed): In Azure, create the Cloud App / App Service (or equivalent) that matches the CNAME target so your organization controls the content.

If you encountered an issue or false positive, contact [email protected].

ExposureIntel - Attack Surface Management Tools | External Asset Discovery & Exposure Monitoring