Guardio Labs Exposes Enormous 'SubdoMailing' Scheme Exploiting Trusted Brands in a Digital Fraud Crisis


When you think of hijacking, images of thrilling heists might come to mind. But there is a different kind of hijacking happening in the digital realm. Guardio Labs, runners-up for GASA’s Best Scam Fighting Tool, recently uncovered a massive 'SubdoMailing' fraud that exploits the trust placed in well-known brands to send millions of malicious emails and phishing attacks each day.

Thanks to the research efforts of Guardio Labs, attention is now being given to this scheme. The operation, commonly known as “SubdoMailing”, uses domains belonging to renowned brands and institutions to send bogus emails to unsuspecting users.

Nati Tal and Oleg Zaytsev, both from Guardio Labs, have written an extensive analysis (read it here), detailing the scale, magnitude, and modus operandi of this email hijacking scheme.

Thousands of Compromised Domains

Guardio's email protection systems noticed strange patterns in email data, prompting an investigation that unveiled an extensive subdomain hijacking operation. Over 8,000 domains, including those of eBay, The Economist, MSN, Marvel, McAfee, VMware, CBS, and others, have been abused. Worse, the numbers keep rising, with hundreds more domains falling victim to this web of digital deception. The operation churns out malicious emails at an enormous rate.

Deciphering a Shady Email Plot

Let's dissect a shady email that has been raising eyebrows, warning users about suspicious activity in their cloud storage. Crafted as an image to slip past spam filters, this email triggers a sequence of redirects through different domains. Guardio's scrutiny found that these messages clear SPF, DKIM, and DMARC authentication checks, giving the fraudulent emails a backstage pass into users' primary inboxes.

Here is an example of an email, purporting to say that cloud storage is full, that has slipped through the cracks and landed in people’s inboxes.


Can you spot anything unusual? Notice the sender: healthylifes.uk.com? Appearances can be misleading, and here's the scoop.

Firstly, take a closer look at the fact that the email is presented in image form. It's not merely an image: it's a ploy to slip past text-based spam filters. But here's where it gets interesting. Any interaction with this email sets off a chain of click-redirects through various domains. These redirects analyze your device type and location and send you to tailored content, all in pursuit of maximizing profit. Tricky, isn't it?

How do scammers pull off their schemes? Let's take a closer look at their playbook:

  • SPF (Sender Policy Framework) Check — SPF guards against email spoofing by checking the IP address of the sending server against the domain’s published list of authorized senders. This email clears that bar, and it meets the other industry standards as well:

  • DKIM (DomainKeys Identified Mail) — The email's content is authenticated by a valid signature made with a cryptographic key published by the sender at healthylifes.uk.com.

  • SMTP (Simple Mail Transfer Protocol) Server — The server (62.244.33.18) that dispatched the email is located in Kyiv.

  • SPF — It passes the check, with marthastewart.msn.com vouching for the legitimacy of the SMTP server's IP address.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance) — The domain-level policy that ties SPF and DKIM together is also satisfied, because the parent domain uk.com publishes “sp=NONE” (no policy for its subdomains).

Hold on! What's the deal with Martha Stewart and Microsoft’s MSN being involved in validating this shady email?!

Intriguingly, the fraudulent cloud storage email, originating from an SMTP server in Kyiv, was flagged as sent from Return_UlKvw@marthastewart.msn.com. While this might appear legitimate, akin to businesses using mass mailing services, investigation reveals that a subdomain of msn.com authorized the SMTP server at 62.244.33.18 to send emails, casting doubt on the legitimacy of that approval.

Examining the DNS record for marthastewart.msn.com is revealing. This subdomain points to msnmarthastewartsweeps.com through a CNAME record and therefore inherits the latter's entire behavior, including its SPF policy: “v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all”. Notably, this SPF record uses the include: syntax, which extends the list of approved senders with the IPs from other domains' SPF records; resolving it recursively yields a massive list of 17,826 IPs, with 62.244.33.18 among them.

This intricate SPF record, indicative of deliberate crafting, raises questions about ownership and motives. The Internet Archive's Wayback Machine captured marthastewart.msn.com in 2001, when msnmarthastewartsweeps.com was briefly active before being abandoned. Remarkably, the domain remained unclaimed for 21 years, until September 2022, when it was privately registered through Namecheap. Whoever now controls the domain controls its DNS records and, through the CNAME, the MSN subdomain as well. In effect, the actor can send email to anyone, masquerading as msn.com and its approved mailers.
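The chain described above, as an added example that is not Guardio's code: a brand subdomain CNAMEs to an abandoned domain, whose SPF record pulls in other domains via include:, and the flattened result decides whether 62.244.33.18 may send as marthastewart.msn.com. The domain names and that IP are from the article; the DNS table and its CIDR ranges are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS (no live lookups). Domain names and 62.244.33.18
# are quoted in the article; the CIDR ranges behind the includes are invented.
DNS = {
    "marthastewart.msn.com": {"CNAME": "msnmarthastewartsweeps.com"},
    "msnmarthastewartsweeps.com": {"TXT": "v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all"},
    "harrisburgjetcenter.com": {"TXT": "v=spf1 ip4:62.244.33.0/24 include:greaterversatile.com -all"},
    "greaterversatile.com": {"TXT": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 ~all"},
}

def spf_txt(name, hops=0):
    """Return the SPF TXT record for name, following CNAMEs as a resolver does."""
    rec = DNS.get(name)
    if rec is None or hops > 8:
        return None
    if "CNAME" in rec:
        return spf_txt(rec["CNAME"], hops + 1)
    txt = rec.get("TXT", "")
    return txt if txt.startswith("v=spf1") else None

def flatten(domain, seen=None):
    """Recursively expand ip4:/ip6:/include: terms into a set of networks.
    `seen` is both the loop guard and a log of every domain consulted."""
    seen = [] if seen is None else seen
    nets = set()
    if domain in seen:
        return nets
    seen.append(domain)
    txt = spf_txt(domain)
    if txt is None:
        return nets
    for term in txt.split()[1:]:
        if term[:4] in ("ip4:", "ip6:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= flatten(term[len("include:"):], seen)
    return nets

def authorised(domain, ip):
    """Would SPF accept `ip` as a sender for `domain`? (-all/~all qualifiers ignored.)"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in flatten(domain))

def approved_address_count(domain):
    """Size of the flattened sender list, the figure the article gives as 17,826."""
    return sum(net.num_addresses for net in flatten(domain))
```

Running `flatten` with a list passed as `seen` shows every domain a single SPF check depends on; any of them that is expired or abandoned is a takeover point for the whole chain.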

How Guardio is Helping to Fight "SubdoMailing"

In response to this escalating threat, Guardio has stepped up its game. They've created a special "SubdoMailing" checker website, a digital detective if you will. The platform lets domain administrators and site owners quickly check whether Guardio's systems have found any trace of abuse of their domains, so they can fix it and prevent a recurrence. Interested in securing your digital turf? Check out the "SubdoMailing" checker website here. It can be your digital guardian against the unseen threats lurking in the web's shadows.

Google is also gearing up to roll out updates in Gmail, particularly for bulk email senders, aiming to boost spam protection and reinforce email security. The upcoming changes will introduce advanced spam filtering and offer users greater control over their email preferences.

It's crucial for others to join in and help combat the ongoing threat of email scams. Right now, a sneaky danger called 'SubdoMailing' can go unnoticed.

There is a pressing need for concerted action to address not just email 'SubdoMailing' scams but similar threats as well. Greater initiatives are required to strengthen overall resilience against email-based scams.

Mar 21, 2024
7 minute read
Category
News
Written by
Clement Njoki
Editor and Researcher
