Content Delivery Exploit Opens Websites to Brand Hijacking
Dark ReadingArchived May 21, 2026✓ Full text saved
The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBER RISK
CYBERSECURITY OPERATIONS
VULNERABILITIES & THREATS
СLOUD SECURITY
NEWS
Content Delivery Exploit Opens Websites to Brand Hijacking
The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity.
Nate Nelson,Contributing Writer
May 21, 2026
5 Min Read
SOURCE: HERNANDEZ JOSE MARIA VIA ALAMY STOCK PHOTO
Researchers are sounding the alarm on a class of exploit inherent in Internet infrastructure itself for which there is no simple fix and nearly half of all websites globally are at risk.
Conceptually, the issue is a successor to "domain fronting," a trivial Internet routing sleight of hand popular in the mid-2010s. Domain fronting allowed Web surfers to announce to domain name system (DNS) and content delivery network (CDN) providers that they were visiting one website, while in fact being directed to another, simply by switching one field — the HTTP Host header — in their Web requests. It caught enough attention back in 2018 that CDNs have largely mitigated it.
The new issue, deemed "Underminr," works around those mitigations and has the very same effect. Although domain fronting is often associated with censorship bypass, the analysts at ADAMnetworks point out its more nefarious use: allowing attackers to conceal their malicious activity online by hijacking the brand reputations of legitimate websites.
Related:What It'll Take to Make AI BOMs Usable in a Modern Security Program
Hackers are already exploiting Underminr, they report, and your website is very likely available for their pleasure. ADAMnetworks found that 42% of websites are vulnerable, and in the US, that number climbs to 51%.
Understanding Underminr
Think back to school, YouTube explainers, or wherever you first learned about how the Internet works. Back then, you learned that when you request to visit a specific website — say, darkreading.com — that request travels to a Domain Name System (DNS) server, which resolves that human-readable domain to an IP address, like 104.16.224.171, associated with the website's server.
Today, the picture is a degree more complicated. Like many websites today, darkreading.com sits behind a massive content delivery network (CDN) — in its case, Cloudflare. Cloudflare groups lots of domains behind the edge IP address 104.16.224.171. If you attempt to visit darkreading.com, it hits 104.16.224.171, then Cloudflare determines which site you intended to visit using two other fields contained in your request: the Server Name Identification (SNI) that belongs to the Transport Layer Security (TLS) handshake process, and the HTTP Host header inside of the encrypted part of the request that follows.
The problem that ADAMnetworks identified rests on two weaknesses in this picture. First, DNS and CDN systems operate in relative silos: the former does its job, then passes the buck to the latter, and they don't cross-reference. Second, CDNs often group relatively established and trusted domains with relatively new and untrusted ones, all behind the same edge IPs.
Related:Is 2026 the Year AI Bills of Materials Get Real?
That allows an attacker to perform a DNS lookup for a perfectly trusted domain, like darkreading.com, at 104.16.224.171. Any Protective DNS filter will see the request as perfectly legitimate, and wave it on through. Next up, in the fields read by the CDN, the attacker can indicate that they wish to visit an entirely different website hosted at that same edge IP address. Neither the DNS or CDN providers will see that the other interpreted the same request differently. And even if the swapped website is malicious, large CDNs can't often suss that out, avoiding any red flag or alert.
In the end, the attacker can filter traffic to a malicious site through a trusted one, like a shield. From there they can do anything — run scams, perform malicious command-and-control (C2) operations, exfiltrate data from victims — while leveraging the trusted domain to evade DNS-, signature-, and behavior-based detection. On the flip side, by being associated with malicious cyber activity, the trusted site faces loss of brand reputation, and any number of other business, legal, and logistical headaches therein.
CDN Architecture Determines Underminr Risk
To gauge Underminr's blast radius, ADAMnetworks scanned the top five million domains on the Web. The result: nearly half of all websites are exposed.
Related:The Boring Stuff Is Dangerous Now
Those websites aren't evenly distributed, though. In the US, around half of all sites are at risk. In Eastern Europe, one-third. In China's ultra-regulated Internet, less than 9%. That disparity betrays that Underminr is not an inescapable reality of the Internet; it's a design flaw.
One need not dig all the way to China for a CDN that protects the integrity of one's website, though. Boutique, security-focused providers that don't serve armies of anonymous clientele eliminate the risk. And for a model of what larger providers can do to protect their customers, one might look to Fastly. "They were late to the game of fixing the domain fronting problem that existed 10 years ago," recalls ADAMnetworks CEO David Redekop. Though slow out of the blocks, he says, "they fixed it the best by creating grades of customers, or what I like to call 'bucketizing.'"
Bucketizing — Redekop's own term for a phenomenon without an official name — is a practice where a CDN like Fastly intentionally groups domains together according to their reputations. "Fastly said: 'You know what? The New York Times and The Guardian: let's put them together in a bucket. But if you have some new domain name that's buying Fastly CDN services, let's put it together with the other new domain names," Redekop explains.
In bucketizing domains by reputation, Fastly vastly reduced the risk that the same IP would host, say, The New York Times homepage and a malicious C2 server. That didn't technically prevent domain fronting, but it sure sucked all the appeal out of it. And since domain fronting and Underminr are almost exactly the same issue, with one minor distinction — instead of disagreeing SNI and HTTP Host fields, the fields that disagree are SNI and DNS — it had the same effect for Underminr. Every single Fastly customer today is at risk of Underminr, but does it matter if all they can do is swap nytimes.com for theguardian.com?
Redekop emphasizes that if organizations want to protect their sites, they really only have one course of action. "If they want to do something about their own domain name," he says, "what they could do is move it off of the content delivery network that enables the Underminr."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
AI-Powered Cybersecurity for Resource-Constrained Organizations
How Security Teams should apply Threat Intelligence into their Defenses
Your Guide to Securing AI Adoption in Your Organization
More Webinars
You May Also Like
CYBER RISK
How Can CISOs Respond to Ransomware Getting More Violent?
by James Doggett
JAN 28, 2026
CYBER RISK
US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
by Alexander Culafi
JAN 05, 2026
CYBER RISK
Switching to Offense: US Makes Cyber Strategy Changes
by Robert Lemos, Contributing Writer
NOV 21, 2025
CYBER RISK
Microsoft Exchange 'Under Imminent Threat,' Act Now
by Arielle Waldman
NOV 12, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
Your Guide to Securing AI Adoption in Your Organization
TUES, JUNE 9, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS