
21 May 2025

The Rising Threat of Cloud Resource Hijacking: How Hazy Hawk Exploits Abandoned DNS Records

Did you know that over 30% of high-profile organizations have abandoned cloud resources vulnerable to hijacking?

A new breed of cyber attackers—led by a threat group known as Hazy Hawk—is capitalizing on these misconfigurations to redirect users to scam sites, phishing pages, and malware. The attack method is deceptively simple, but the impact can be devastating—especially when trusted domains belonging to governments, enterprises, and academic institutions are weaponized against the public.

Introduction: Cloud Misconfigurations—An Open Door for Attackers

With 94% of enterprises already using cloud services and 87% of organizations adopting a multi-cloud strategy (Flexera, 2024), the attack surface is expanding faster than most security teams can keep up. Cloud services such as AWS S3, Microsoft Azure, and Google Cloud provide unmatched scalability—but with it comes complexity and, often, neglected cloud hygiene.
In recent investigations, security researchers have found a significant increase in the hijacking of abandoned cloud resources—where cloud services are decommissioned, but their associated DNS records are left active. These “dangling” DNS entries become the perfect entry point for threat actors.
Among the groups exploiting this is Hazy Hawk, a financially motivated threat actor known for hijacking domains and using them to launch large-scale scams, phishing attacks, and malware campaigns—all while hiding behind the trust and credibility of major global organizations.

1. Hazy Hawk’s Modus Operandi: Exploiting Dangling DNS Records

The core technique used by Hazy Hawk is DNS takeover via dangling CNAME records—a form of misconfiguration where a DNS subdomain points to an external cloud resource that is no longer active.

How it works:

  • An organization discontinues use of a cloud service but forgets to remove the DNS record.
  • The attacker identifies this dangling record and re-registers the cloud resource.
  • Now, the subdomain (which might still be *.gov, *.edu, or *.org) points to a malicious server.

Security firm Detectify reports that one in 20 cloud-based web applications they scanned had at least one dangling DNS record. Attackers are automating their scans and weaponizing these findings at scale.

Recent victims include:

  • U.S. Centers for Disease Control and Prevention (CDC)
  • Deloitte
  • PricewaterhouseCoopers (PwC)
  • Public universities across Europe and North America

The common denominator? Each had a neglected cloud resource still referenced by a live DNS entry.

2. From Trusted Domains to Malicious Gateways

Once Hazy Hawk gains control of a domain, the subdomain is immediately transformed into a malware delivery channel. These compromised domains may look legitimate to users, browsers, and even enterprise-level security tools.

Here’s what happens:

  • The attacker loads fake landing pages that mimic real services.
  • Visitors are redirected through a Traffic Distribution System (TDS) to determine optimal malicious content delivery.
  • Based on geolocation and device fingerprinting, the user is routed to:
      • Ad fraud schemes
      • Fake antivirus alerts
      • Credential-harvesting phishing pages
      • Scareware and drive-by malware downloads

According to a 2025 report by Zscaler, 39% of TDS-linked redirects originate from hijacked domains that once belonged to trusted institutions.

3. Why This Matters: Enterprise Risk and Reputation on the Line

While these attacks are not sophisticated in the traditional sense, their impact is disproportionately large. Unlike APTs or zero-day exploits, hijacked DNS-based attacks don’t require bypassing firewalls or brute-forcing credentials. They rely purely on negligence.

Why you should care:

  • Reputation damage: Users may associate your brand with malicious content, especially if your subdomain is flagged.
  • Search engine penalties: Google may blacklist hijacked domains, hurting your SEO and trust score.
  • Regulatory consequences: A hijacked domain used to phish users can lead to GDPR, HIPAA, or other compliance violations.

A Gartner 2024 study estimates that 75% of cloud security failures through 2025 will result from misconfiguration or poor governance, not cloud provider flaws. DNS hijacking falls squarely into this category.

4. Push Notification Abuse: The New Favorite Vector

One particularly insidious tactic used by Hazy Hawk is browser push notification abuse. Here’s how it plays out:

  • A user visits a hijacked subdomain.
  • A prompt appears: “Allow Notifications for Updates.”
  • If allowed, the attacker can send persistent, malicious push notifications directly to the user’s desktop or mobile browser—even when the user is offline.

These notifications often contain:

  • Phishing lures ("Your package is delayed – click to track!")
  • Tech support scams
  • Fake antivirus alerts
  • Investment fraud or crypto giveaways

A 2024 analysis from Proofpoint shows that 61% of malicious push notifications ultimately direct users to credential-harvesting sites or malware payloads.

Digialert’s Perspective: Cloud Asset Hygiene Is Not Optional

At Digialert, our red team operations and threat hunting units have observed a clear uptick in DNS hijacking incidents. We’ve helped several enterprise clients uncover critical DNS misconfigurations that could’ve otherwise led to domain takeovers.

Here’s what we recommend to stay ahead of the threat:

  • Automate Cloud Asset Discovery: Use asset management tools to track all your cloud services and corresponding DNS records. This includes third-party integrations and legacy systems.
  • Implement Continuous DNS Scanning: Schedule weekly or monthly scans for dangling DNS entries. Services like dnstwist or internal scripting tools can assist here.
  • Create a Cloud Decommissioning Checklist: Make DNS cleanup a mandatory part of any deprovisioning workflow. Security should never be an afterthought.
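The dangling-CNAME condition described in section 1 (a subdomain whose CNAME points at a cloud hostname that no longer resolves) is exactly what the "continuous DNS scanning" recommendation above is meant to catch. The script below is an added example written for this post, not Digialert's tooling; it takes a zone export as (name, type, target) tuples and a resolver callable, and reports every CNAME whose target no longer resolves, marking targets under well-known first-come cloud hostnames as takeover candidates. The zone records, the IP addresses and the fake resolver are constructed for the example; `live_resolver` uses only the standard library.

```python
"""Flag dangling CNAME records in a DNS zone export (added example)."""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Sequence

# Hostname suffixes of cloud services that assign names on a first-come
# basis. A CNAME to one of these that no longer resolves is the classic
# precondition for a subdomain takeover. Illustrative list, not exhaustive.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".github.io",
    ".herokuapp.com",
    ".storage.googleapis.com",
)

# A resolver maps a hostname to the set of addresses it resolves to;
# an empty set means NXDOMAIN / no answer.
Resolver = Callable[[str], set[str]]


@dataclass(frozen=True)
class Finding:
    name: str     # the record in our zone
    target: str   # the CNAME target that no longer resolves
    reason: str


def _normalise(host: str) -> str:
    """Strip the trailing dot of a zone-file name and lower-case it."""
    return host.rstrip(".").lower()


def is_cloud_target(target: str) -> bool:
    """True if the target sits under a first-come cloud hostname suffix."""
    t = _normalise(target)
    return any(t.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def find_dangling_cnames(records: Iterable[Sequence[str]],
                         resolve: Resolver) -> list[Finding]:
    """Return one Finding per CNAME whose target does not resolve."""
    findings: list[Finding] = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue  # only CNAMEs can point at external cloud names
        if resolve(_normalise(target)):
            continue  # target still answers; not dangling
        if is_cloud_target(target):
            reason = "unresolvable cloud target (takeover candidate)"
        else:
            reason = "unresolvable CNAME target"
        findings.append(Finding(_normalise(name), _normalise(target), reason))
    return findings


def live_resolver(host: str) -> set[str]:
    """Resolve with the system resolver; empty set on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


# Constructed sample zone: one record was decommissioned in the cloud
# (old-portal), one points at a partner host that went away (legacy).
SAMPLE_ZONE = [
    ("www.example.org.", "A", "203.0.113.10"),
    ("files.example.org.", "CNAME", "files-example.s3.amazonaws.com."),
    ("old-portal.example.org.", "CNAME", "old-portal-prod.azurewebsites.net."),
    ("blog.example.org.", "CNAME", "example-blog.github.io."),
    ("legacy.example.org.", "CNAME", "legacy.partner.example.net."),
]

# Constructed answers standing in for a real resolver.
_FAKE_ANSWERS = {
    "files-example.s3.amazonaws.com": {"203.0.113.20"},
    "example-blog.github.io": {"203.0.113.30"},
}


def fake_resolver(host: str) -> set[str]:
    return _FAKE_ANSWERS.get(_normalise(host), set())


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, fake_resolver):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run it against a real zone by passing `live_resolver` instead of `fake_resolver`. One caveat worth building into any scheduled scan: this check only catches targets that stop resolving. Some shared provider endpoints keep resolving after the underlying resource is deleted (a deleted S3 bucket's hostname still answers, with an error body), so those suffixes need an additional HTTP-level check that this example does not perform.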

Every abandoned cloud service is a potential attack vector. What seems like an IT housekeeping task is actually a front-line security control.

What Organizations Are Getting Wrong

From our investigations, here’s where most enterprises stumble:

  • DNS is often managed separately from cloud infrastructure teams.
  • Cloud decommissioning processes don’t involve security reviews.
  • There's little accountability for DNS hygiene post-project shutdown.

Even Fortune 500 companies fall into these traps. The need for unified governance and automation has never been more urgent.

The Bigger Picture: This Threat Will Keep Growing

The cloud isn’t going away. In fact, it's getting more fragmented with hybrid, multi-cloud, and edge computing environments expanding. Attackers like Hazy Hawk will continue evolving—using automation to scan, hijack, and exploit these configurations at scale.

Expect:

  • More phishing campaigns from hijacked subdomains
  • Further abuse of push notification APIs
  • Rise in scam traffic from compromised reputable domains

According to IBM’s 2025 Threat Intelligence Index, DNS-based attacks are up 58% year-over-year, and more than half are traced back to cloud misconfigurations.

Is Your DNS Secure? Let’s Find Out.

You don’t need to be the next case study on domain hijacking. At Digialert, we help enterprises:

  • Discover and secure abandoned cloud resources
  • Audit and remediate DNS configurations
  • Set up real-time monitoring for cloud attack surfaces

Want to know if your DNS records are vulnerable? Reach out to our threat intelligence team for a free assessment.

Let’s protect your brand, your users, and your digital trust.

Follow for More Threat Insights

  • Stay ahead of cloud security risks—follow Digialert for actionable intelligence, breach breakdowns, and expert strategies.
  • Connect with cybersecurity thought leader VinodSenthil for updates on real-world threat analysis, red teaming, and enterprise security innovation.