Threat Actor Hijacked Subdomains at 30+ Major Universities, Researcher Found

EdScoop, Apr 20, 2026

Why It Matters

Subdomain hijackings weaponize the credibility of elite universities, inflating spam visibility and eroding institutional trust. The incident highlights a systemic DNS hygiene gap that could expose higher‑education brands to reputational and security risks.

Key Takeaways

  • 34 .edu subdomains hijacked across 30+ universities
  • Attackers host pornographic spam, indexed by Google
  • Root cause: stale DNS CNAME records left unmonitored
  • University IT lacks comprehensive subdomain inventory
  • Takeovers boost spam SEO using trusted university domains

Pulse Analysis

Subdomain takeover attacks exploit the lingering DNS entries that many organizations, especially large universities, fail to retire. When a project is decommissioned, its CNAME record often remains in the university's zone, still pointing at a host that no longer exists. Attackers scan for these orphaned records, claim the now‑defunct target name for themselves, and serve their own content under the university's subdomain. Higher‑education institutions, with sprawling web footprints and frequent research collaborations, are prime targets because each subdomain inherits the parent institution's authority, instantly granting the hijacker high search‑engine rankings.

The immediate fallout extends beyond technical intrusion. Search engines index the spam‑laden pages, associating the university’s brand with illicit content and driving unwanted traffic to the campus network. This not only damages reputation but can also trigger phishing or malware distribution campaigns that prey on students, faculty, and alumni. Moreover, the inflated SEO value of these subdomains can be monetized by the attacker, turning academic credibility into a revenue stream for illicit actors.

Mitigating this risk requires a proactive DNS governance program. Universities should conduct regular audits to identify and delete unused CNAME records, implement automated alerts for DNS changes, and adopt subdomain monitoring tools that flag anomalous content. Integrating these practices into broader cybersecurity frameworks—such as zero‑trust networking and continuous asset inventory—will reduce the attack surface. As the higher‑education sector increasingly digitizes, robust DNS hygiene will be essential to safeguard both institutional reputation and the safety of its online community.
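The audit step described above (and the takeover mechanism explained earlier) comes down to one check: does each CNAME in the zone still resolve to something? The script below is an added example, not code from EdScoop or the researcher cited; it walks a constructed sample zone with a stub resolver so it runs offline, and `resolve` is assumed to be swapped for a real DNS lookup in production.

```python
"""Dangling-CNAME audit: flag zone records whose target no longer resolves."""
from typing import Callable, Dict, List, Optional

# Added example (not EdScoop's or the researcher's code); all data is constructed.
Record = Dict[str, str]

# Constructed sample zone for a hypothetical university (not real data).
SAMPLE_ZONE: Dict[str, Record] = {
    "www.example-univ.edu": {"type": "A", "target": "192.0.2.10"},
    "lab2019.example-univ.edu": {"type": "CNAME", "target": "lab2019.hosting.example.net"},
    "events.example-univ.edu": {"type": "CNAME", "target": "events-prod.hosting.example.net"},
    "alias.example-univ.edu": {"type": "CNAME", "target": "lab2019.example-univ.edu"},
}
# Constructed stand-in for the rest of DNS: external names that still answer.
LIVE_NAMES = {"events-prod.hosting.example.net"}

def stub_resolve(name: str) -> Optional[Record]:
    """Return the record for `name`, or None for NXDOMAIN (stand-in resolver)."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name in LIVE_NAMES:
        return {"type": "A", "target": "198.51.100.1"}
    return None

def chain_ends_dangling(name: str, resolve: Callable[[str], Optional[Record]],
                        max_hops: int = 8) -> bool:
    """Follow CNAMEs from `name`; True if the chain ends in NXDOMAIN or a loop."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return True  # CNAME loop: nothing answers for this owner
        seen.add(name)
        rec = resolve(name)
        if rec is None:
            return True  # NXDOMAIN: the target is gone and may be claimable
        if rec["type"] != "CNAME":
            return False  # ends at an address record that still exists
        name = rec["target"]
    return True  # chain longer than any healthy record; treat as suspect

def find_dangling_cnames(zone: Dict[str, Record],
                         resolve: Callable[[str], Optional[Record]]) -> List[str]:
    """Return zone owners whose CNAME chain no longer resolves (audit hits)."""
    return sorted(owner for owner, rec in zone.items()
                  if rec["type"] == "CNAME" and chain_ends_dangling(rec["target"], resolve))

if __name__ == "__main__":
    for owner in find_dangling_cnames(SAMPLE_ZONE, stub_resolve):
        print(f"DANGLING: {owner} -> {SAMPLE_ZONE[owner]['target']}")
```

Run on a schedule against the real zone export, the output is the list of records to delete or repoint; the `alias` hit shows why the whole chain, not just the first hop, has to be followed.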