Massive Spam Operation Hijacks Over 8,000 Trusted Brand Domains

In a startling revelation, Guardio Labs has uncovered a vast spam operation that has compromised more than 8,000 domains and 13,000 subdomains of reputable brands and institutions. The campaign, dubbed SubdoMailing, has been active since at least September 2022 and is responsible for distributing millions of spam and malicious phishing emails daily.

The affected entities include high-profile names such as ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware. The operation, orchestrated by a threat actor known as ResurrecAds, exploits the trust associated with these well-known domains to bypass security measures and engage in click monetization schemes.

Guardio Labs’ security researchers Nati Tal and Oleg Zaytsev have been closely monitoring the sophisticated distribution architecture of this spam proliferation. The emails sent out range from counterfeit package delivery alerts to phishing attempts aimed at stealing account credentials. ResurrecAds has been identified as a group that revives inactive domains linked to major brands, manipulating the digital advertising ecosystem for profit.

The infrastructure managed by ResurrecAds is extensive, including hosts, SMTP servers, IP addresses, and even private residential ISP connections. The campaign cleverly uses the credibility of the hijacked domains and their resources to circulate spam and phishing emails by the millions, evading detection and security protocols.

A detailed examination of the DNS records for one such subdomain,, revealed that it was linked to another domain (msnmarthastewartsweeps[.]com) through a CNAME record. This aliasing technique, which has been previously exploited by ad tech companies to circumvent third-party cookie blocking, is now being used for malicious purposes.

In response to the threat, Guardio has developed a SubdoMailing Checker, a tool that allows domain administrators and site owners to check for signs of compromise. This proactive measure aims to help counter the threat and assist in dismantling the malicious infrastructure.

The scale and sophistication of the SubdoMailing operation underscore the ongoing challenges in digital security, particularly the vulnerabilities that can be exploited in the domain name system. The incident serves as a reminder for organizations to remain vigilant and proactive in protecting their online presence against such nefarious activities.


Scroll to Top