A subdomain points to an external service (e.g., cloud hosting, CDN) that is no longer in use, allowing an attacker to claim the service and serve content under the organization's domain.
An attacker could host malicious content on the organization's domain, steal cookies scoped to the parent domain, conduct phishing attacks with a trusted domain, or bypass content security policies.
Regularly audit DNS records and remove stale CNAME entries pointing to decommissioned services. Monitor for unclaimed subdomains. Implement automated checks for dangling DNS records.
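
One way to implement the automated check for dangling DNS records described above, as an added example that is not part of the original page: it scans a zone export for CNAMEs whose final target lies outside the zone and no longer resolves. The zone name, the `resolves` callback and the function names are assumptions made for illustration, and the sample records are constructed.

```python
import socket

# Constructed sample zone export: (name, type, value). All names are made up.
SAMPLE_ZONE = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("shop.example.test.", "CNAME", "www.example.test."),
    ("blog.example.test.", "CNAME", "old-blog.hosting-provider.invalid."),
    ("cdn.example.test.", "CNAME", "assets.cdn-provider.invalid."),
]
# Constructed stand-in for DNS: external names that still resolve.
RESOLVING = {"assets.cdn-provider.invalid."}

def live_resolves(hostname):
    """Default resolver: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(hostname.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(records, zone, resolves=live_resolves):
    """Return (name, target, reason) for CNAMEs whose final target is gone."""
    zone = zone.lower().rstrip(".") + "."
    local = {}
    for name, rtype, value in records:
        local.setdefault(name.lower(), []).append((rtype.upper(), value.lower()))
    findings = []
    for name, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        target, seen = value.lower(), {name.lower()}
        while target not in seen:  # follow CNAME chains inside the export
            seen.add(target)
            nxt = [v for t, v in local.get(target, []) if t == "CNAME"]
            if not nxt:
                break
            target = nxt[0]
        else:  # target was already visited
            findings.append((name, target, "CNAME loop"))
            continue
        if target in local:
            continue  # chain ends at a record the organization controls
        if target == zone or target.endswith("." + zone):
            findings.append((name, target, "in-zone target has no record"))
        elif not resolves(target):
            findings.append((name, target, "external target does not resolve"))
    return findings

if __name__ == "__main__":
    for finding in find_dangling_cnames(SAMPLE_ZONE, "example.test", RESOLVING.__contains__):
        print(finding)
```

A CNAME whose target still resolves to a provider's shared endpoint while the underlying resource is unclaimed is not caught by this check and needs a provider-specific review.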