Coordinated Subdomain Takeover Campaign Targeting US Universities

April 7, 2026

A coordinated subdomain takeover campaign is targeting major US universities, including Johns Hopkins, UChicago, and Florida State. Attackers exploit orphaned CNAME records - subdomains still pointing to external services like GitHub or WordPress after projects are abandoned. By claiming those external resources, they gain control of the university’s subdomain. These hijacked .edu subdomains are used to host spam that gets indexed by Google, leveraging the trust and SEO authority of university domains. In some cases, misconfigured SPF, DKIM, and DMARC settings may also enable email spoofing. This underscores the need for organizations to maintain a clear DNS inventory and properly manage the lifecycle of all subdomains.


There's a coordinated subdomain takeover campaign targeting US universities - Johns Hopkins, UChicago, Florida State, and 10+ others.

Attackers are hijacking .edu subdomains and serving explicit spam that Google is indexing under trusted university domains.

University IT teams create CNAME records that point subdomains to external services (GitHub, WordPress, etc.). A student sets up a project site, graduates, and the site gets abandoned. But the DNS record stays.

Attackers scan for orphaned CNAMEs, register the abandoned accounts on the external platform, and take full control of the university's subdomain.

As a result, malicious pages rank in Google under .edu domains, and attackers get the SEO authority of a .edu for free. In addition, depending on the SPF, DKIM, and DMARC configuration, hijacked subdomains can be exploited for email spoofing, bypassing p=reject for DMARC.

It's a good call for every organization to maintain a documented DNS map - subdomains, CNAME targets, forwarding rules, and redirect logic, and enforce a standardized process for creating, reviewing, and decommissioning DNS records.
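
An added example, not part of the original post: a minimal audit that cross-checks the CNAME records in a zone against a documented DNS inventory and flags external targets that are undocumented, differ from the inventory, or are overdue for review. The zone excerpt, the inventory, the `example.edu` domain, and the function names are constructed for illustration.

```python
from datetime import date

# Constructed zone excerpt for a hypothetical university zone (example.edu).
ZONE = """\
www        3600 IN CNAME web-prod.example.edu.
robotics   3600 IN CNAME studentlab.github.io.
alumni     3600 IN CNAME alumni-portal.wordpress.com.
hackathon  3600 IN CNAME hack2019.github.io.
lib        3600 IN A     192.0.2.10
"""

# Constructed DNS inventory: subdomain -> documented target, owner, last review.
INVENTORY = {
    "robotics": {"target": "studentlab.github.io", "owner": "cs-dept",
                 "reviewed": date(2026, 1, 15)},
    "alumni": {"target": "old-alumni.wordpress.com", "owner": "alumni-office",
               "reviewed": date(2025, 11, 1)},
}

def parse_cnames(zone_text):
    """Yield (label, target) for each CNAME line in a simple zone excerpt."""
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            yield fields[0].lower(), fields[4].rstrip(".").lower()

def audit(zone_text, inventory, org_domain, today, max_age_days=365):
    """Return findings for external CNAMEs the inventory does not cover."""
    findings = []
    for label, target in parse_cnames(zone_text):
        if target == org_domain or target.endswith("." + org_domain):
            continue  # internal target, no third-party account to lapse
        entry = inventory.get(label)
        if entry is None:
            findings.append((label, target, "undocumented external CNAME"))
        elif entry["target"] != target:
            findings.append((label, target, "target differs from inventory"))
        elif (today - entry["reviewed"]).days > max_age_days:
            findings.append((label, target, "review overdue"))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE, INVENTORY, "example.edu", date(2026, 4, 7)):
        print(*finding, sep="\t")
```

Each finding is a record to either document with an owner or remove from the zone before the external account behind it lapses.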
