Paul Seekamp
nullenc0de.bsky.social
I spend a significant amount of time reading security stuff.

Co-Founder/Partner @CoastlineCyber

https://leanpub.com/internal-field-guide
DNS is always a buzzword but security teams rarely know the threats. Glad to see all the checks in one place.

I'm adding radar.defendflow.xyz to my toolset going forward. Interesting tool and I learned something today.
October 30, 2025 at 2:39 AM
Why does this happen?

Common scenarios:

- Migrated DNS providers, forgot to update registrar
- Nameserver decommissioned by old provider
- Company merged/acquired, DNS lost in transition
- "Set it and forget it" mindset from 10+ years ago

It's technical debt.
October 30, 2025 at 2:39 AM
The M365 angle is particularly nasty.
If your domain has an active Azure AD tenant (most businesses do), hijacking DNS lets attackers:

- Access OpenID configurations
- Exploit device code flows
- Potentially compromise admin consent endpoints

Your cloud identity lives here.
October 30, 2025 at 2:39 AM
What can attackers do with a hijacked domain?
✗ Host phishing sites on YOUR trusted domain
✗ Intercept emails (if DNS MX records changed)
✗ Steal OAuth tokens from M365 integrations
✗ Damage brand reputation
✗ Launch supply chain attacks against your customers
October 30, 2025 at 2:39 AM
Some notable (interesting) vulnerable domains from the test:

kickasstorrentsso.com (variation of KickassTorrents)
yandex.ua (Ukrainian domain for Yandex)
hi-pda.com (Popular Chinese tech forum)
October 30, 2025 at 2:39 AM
Here is a domain that looks to be already compromised.
October 30, 2025 at 2:39 AM
Some examples:

Domain: bale.com worth $$$
Assets at risk: Microsoft 365 tenant, and various OAuth endpoints
Time to exploit: Minutes, not hours
October 30, 2025 at 2:39 AM
The scope? Eye-opening.

I found domains that have been on the WWW since the early days. Legacy domains. Established brands. Some with active Microsoft 365 tenants, email systems, and OAuth integrations still running.

These aren't abandoned sites. They're ACTIVE businesses.
October 30, 2025 at 2:39 AM
Here's what makes this terrifying:

- No password needed
- No account takeover required
- No social engineering
- The domain registrar shows YOU still own it
- But attackers control where traffic goes
October 30, 2025 at 2:39 AM
What's a Sitting Duck attack?

It's when a domain's DNS is misconfigured, specifically "lame delegation", where the nameservers at your registrar don't match your DNS provider. This allows an attacker to claim your domain at the DNS level without touching your registrar.
October 30, 2025 at 2:39 AM
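A defender-side check for the lame-delegation condition described in the thread, as an added example (not code from the thread or from radar.defendflow.xyz): it compares the NS set the registrar/parent zone delegates to with what each delegated server actually answers, and flags the worst case where none of them serve the zone. The live_answers helper assumes dnspython is installed; the demo uses constructed data.

```python
# Added example: lame-delegation ("Sitting Duck") check. assess_delegation() is
# pure logic over (a) the registrar-side NS set and (b) what each delegated
# server answered; live_answers() can fill in (b) with dnspython (assumed).
from dataclasses import dataclass


def _norm(names):
    return frozenset(n.lower().rstrip(".") for n in names)


@dataclass(frozen=True)
class DelegationReport:
    domain: str
    parent_ns: frozenset   # NS names delegated by the registrar / parent zone
    child_ns: frozenset    # NS names the zone's own servers return authoritatively
    dead: frozenset        # delegated servers that did not answer authoritatively

    @property
    def lame(self) -> bool:
        # Lame if a delegated server does not serve the zone, or the registrar
        # points at servers the zone itself no longer lists (provider mismatch).
        return bool(self.dead) or not self.parent_ns <= self.child_ns

    @property
    def sitting_duck(self) -> bool:
        # Worst case: every server the registrar points at refuses the zone, so
        # whoever can create that zone at the old provider controls the domain.
        return bool(self.parent_ns) and self.dead == self.parent_ns


def assess_delegation(domain, parent_ns, child_answers) -> DelegationReport:
    """child_answers: {nameserver: set of NS names, or None when the server gave
    no authoritative answer (REFUSED, SERVFAIL, missing AA flag, timeout)}."""
    parent = _norm(parent_ns)
    answers = {k.lower().rstrip("."): v for k, v in child_answers.items()}
    dead = frozenset(ns for ns in parent if not answers.get(ns))
    child = frozenset().union(*(_norm(answers[ns]) for ns in parent - dead))
    return DelegationReport(domain, parent, child, dead)


def live_answers(domain, nameservers, timeout=3.0):
    """Ask each delegated server directly for the zone's NS records (dnspython)."""
    import dns.flags, dns.message, dns.query, dns.resolver  # assumed installed
    out = {}
    for ns in nameservers:
        try:
            ip = dns.resolver.resolve(ns, "A")[0].to_text()
            resp = dns.query.udp(dns.message.make_query(domain, "NS"), ip, timeout=timeout)
            ok = resp.rcode() == 0 and bool(resp.flags & dns.flags.AA)
            out[ns] = {r.target.to_text() for rr in resp.answer for r in rr} if ok else None
        except Exception:  # unreachable server counts as not serving the zone
            out[ns] = None
    return out


def demo() -> DelegationReport:
    # Constructed scenario: registrar still delegates to a decommissioned provider.
    old = ["ns1.old-provider.example", "ns2.old-provider.example"]
    return assess_delegation("example.com", old, {ns: None for ns in old})
```

Feed live_answers() the NS set obtained from the parent zone (e.g. the TLD servers), not from a recursive resolver, or the check will report what the cache says rather than what the registrar delegates.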