Subdomain Hijacking for Dummies: What SEOs Need To Know
Updated: 17th July 2025
There's very little information about subdomain hijacking aimed at SEOs, so here's my experience and how I've integrated subdomain checks into my technical SEO audits.
The Story
I had been a 'regular' SEO for nearly a year, when my company decided to promote me into a purely technical SEO role. Very exciting, I thought, now I can work on stuff I actually know about.
A couple of days into being promoted, I get this email:
“Your site is being affected by a manual action – hacked content detected.”
I rushed over to the Manual Action section on Search Console and it was saying that christmas.client.co.uk was under attack!
A Christmas subdomain? What?
I asked my manager and he had no idea what the notice meant, so it was up to me to sort.
This was in the pre-AI age, so after a few Googles I found this Hackernoon article and sent it over to the client.
Luckily, they were very responsive and technical, and we had the issue resolved in a couple of hours. But as SEOs we're not always this lucky. What could I do to prevent this happening again?
What actually happened
Subdomain takeovers happen when a subdomain points at an external service such as GitHub Pages or Heroku, but that service is no longer active. This leaves a “dangling” DNS entry: if someone else sets up a project on the same service and claims the name your record still points to, they now control your subdomain.
Our client had set up an “advent calendar” campaign on the christmas subdomain seven years ago. It was heavily promoted across their site, social media and blog. But it got forgotten, shut down, and left vulnerable.
A hacker found it, saw it was vulnerable, and decided to make a quick buck (or quid) utilising the free promotion and backlinks for their new casino site.
This type of thing is becoming more common, even impacting government websites - explained in this LinkedIn post by Daniel Foley Carter.
With all that's happening with AI, subdomains have also been a target because of their high authority and AI's inability to detect nuance.
However, I've never really seen SEOs speak about it much: what we should be looking for and how to tackle the issue. Over the past few years, when I've had a spare minute or two, I've dug a little deeper, and here's an (ever evolving) guide to the approach I now take when I sense something funky about a subdomain.
What SEOs need to know about subdomain hijacking
Ultimately, nobody is expecting you to be a cybersecurity expert, you're an SEO! However, expired and taken-over subdomains can cause manual actions and hurt rankings and all your hard work, so it's worth doing a bit of extra digging when you find out a client has a tonne of subdomains that were set up by "someone, some time ago, not by me".
A large proportion of security issues are legacy.
How does Google treat subdomains?
Technically, Google sees subdomains as separate websites. That means separate crawl budgets, sitemaps, and authority, which is why a lot of people say “don’t host your blog on a subdomain” (except me because I'm different).
However, associations with them can still send signals. The issue with the christmas subdomain I came across was that the main website was linking to the spammy site and was basically saying that it legitimised it. This also made the subdomain easier for hackers to find and exploit. If you are linking to a site that gets hacked, you're saying you support it, which is why it's important to check both internal and external links.
Google works on links. If you link to a page Google says is bad, that's bad. There's a lot of controversy about whether people linking to you (backlinks) can also be toxic, and various sources suggest this may be the case too.
Considering all this, it's worth seeking out your client's subdomains and asking what they're used for, whether you want to go down the hijacking-precautions route or even the crawl budget route.
INVESTIGATION
How to find subdomains
As part of my audits I use ViewDNS or DNSDumpster. Both have limits, so if your client has a lot of subdomains you might not be able to see them all without paying. If they do have lots and lots, that is worth a conversation in itself, because many of them are likely expired, out of use or legacy.
How to find what subdomains are hosted on
I use WhatCMS and Google's public DNS tool DIG on the affected subdomain (do not visit the hacked link directly).
How to check if subdomains are vulnerable
This is a GitHub project made up of public contributions and tests by security researchers. It basically tells you whether the platform a subdomain is hosted on is unsafe - however, there's no need to actually install it and use the command line (shudders). They've provided a helpful table of what the program checks, so use ViewDNS to find subdomains, Wappalyzer to check what they're hosted on, and compare that to the list on the site.
Platforms to be wary of:
- AWS (Elastic Beanstalk or S3)
- Agile CRM
- Ghost
- GitHub Pages
- Heroku
- JetBrains
- Microsoft Azure
- Shopify
- WordPress.com
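As an added example (not from the original post or any of the tools it names), here is a small Python check that does what the investigation steps above describe and what the "dangling DNS entry" mechanism relies on: follow each subdomain's CNAME, see whether the target name still exists, and flag targets on one of the platforms listed. All hostnames and DNS answers are constructed, and the fingerprint patterns are illustrative assumptions rather than the GitHub project's table.

```python
import re
from typing import Optional

# Illustrative CNAME-target fingerprints for some of the platforms listed above;
# not exhaustive, the GitHub project's table is the authoritative reference.
SERVICE_PATTERNS = {
    "GitHub Pages": r"\.github\.io$",
    "Heroku": r"\.herokuapp\.com$|\.herokudns\.com$",
    "Microsoft Azure": r"\.cloudapp\.azure\.com$|\.azurewebsites\.net$",
    "AWS S3": r"\.amazonaws\.com$",
    "AWS Elastic Beanstalk": r"\.elasticbeanstalk\.com$",
    "Shopify": r"\.myshopify\.com$",
}

# Constructed sample answers standing in for live DNS: example.com is the reserved
# documentation domain and 192.0.2.0/24 a reserved test range. Names missing from
# the table are treated as NXDOMAIN.
SAMPLE_DNS = {
    ("christmas.example.com", "CNAME"): ["example-advent.herokuapp.com."],
    ("docs.example.com", "CNAME"): ["example-org.github.io."],
    ("example-org.github.io", "A"): ["192.0.2.10"],
    ("www.example.com", "CNAME"): [],
    ("www.example.com", "A"): ["192.0.2.1"],
}

def sample_lookup(name: str, rtype: str) -> Optional[list]:
    """Stand-in resolver: record values for (name, rtype), or None for NXDOMAIN."""
    return SAMPLE_DNS.get((name.rstrip(".").lower(), rtype))

def classify(subdomain: str, lookup=sample_lookup) -> dict:
    """Classify one subdomain. `lookup(name, rtype)` must return the record
    values, or None when the name does not exist at all (NXDOMAIN)."""
    cname = lookup(subdomain, "CNAME")
    if not cname:
        return {"host": subdomain, "target": None, "service": None, "status": "no-cname"}
    target = cname[0].rstrip(".").lower()
    service = next((s for s, p in SERVICE_PATTERNS.items() if re.search(p, target)), None)
    if service and lookup(target, "A") is None:
        status = "dangling"      # third-party target is gone: raise with the hosting owner
    elif service:
        status = "third-party"   # alive today, but confirm it is still meant to be in use
    else:
        status = "cname"         # points somewhere this list does not fingerprint
    return {"host": subdomain, "target": target, "service": service, "status": status}

def audit(hosts: list, lookup=sample_lookup) -> list:
    """Return only the findings worth raising with whoever owns the hosting."""
    return [r for r in (classify(h, lookup) for h in hosts) if r["status"] == "dangling"]
```

To run it against real DNS, pass a `lookup` built on a resolver such as dnspython's `dns.resolver.resolve`, returning None on NXDOMAIN.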
Help! I've found a vulnerable subdomain!
If the subdomain is hosted on one of the platforms in the list above AND it is currently not 'in use', or there are plans to shut it down, make sure those DNS entries are cleaned up so nothing is left dangling and the subdomain can't be taken over.
As SEOs, I don't think we should be expected to do the job of whoever is in charge of hosting, but making them aware of the security and SEO impacts can hopefully ensure that they mitigate the issue.
I want to put a notice here that I am not a security expert, just a technical SEO who comes across this issue a lot. There's not much on the internet about it for SEOs, so hopefully, if I can write about it and make sure people include it in their audits, it'll help keep them safe from subdomain hijacking :) .
Case Studies
EY / Ernst and Young - 17/07/2025
The hijacking of an EY.com subdomain was brought to light in this LinkedIn post. Thank you to Michael Curtis for sharing it. Michael also maintains a fantastic set of tools over at searchtoolbox.net, which is well worth exploring.
As part of my investigation, I used WhatCMS and Google's public DNS tool DIG on the affected subdomain. These confirmed that the subdomain was hosted on Microsoft Azure, which is what ultimately made it vulnerable. EY's main website is also hosted on Azure, but it's always important to double-check, as subdomains can be routed to entirely different systems.
So what happened here? At some point, the company created a subdomain (e.g., subdomain.example.com) and pointed it to a Microsoft Azure service. That Azure service had a unique name, like subdomain-region.cloudapp.azure.com. Later, EY deleted the Azure service, but forgot to remove the DNS record that still pointed the subdomain to it. This created an opportunity for someone else to take control.
A hacker noticed that the DNS was still pointing to Azure, but the corresponding Azure resource no longer existed. Because Azure allows anyone to create a new service using available names, the attacker registered a new Azure app using the same name that was previously used. Since the DNS was still routing traffic to that Azure hostname, and now the attacker controlled it, the subdomain effectively began displaying adult content hosted by the attacker, all under the company’s trusted domain name.
I say 'hacker' but it's not really hacking. It works not because the attacker breaks into a system, but because of forgotten or misconfigured DNS settings. The 'hacker' doesn’t need access to any internal servers; they just "inherit" control of a name that’s still pointing to an empty placeholder.