Underminr Attack Hijacks Brand Trust via CDN Misconfiguration, 42% of Websites at Risk
Researchers disclose Underminr, a domain-fronting attack exploiting CDN architecture to route malicious traffic through trusted domains, putting 42% of websites at risk.

Researchers have disclosed a new class of attack dubbed "Underminr" that exploits fundamental weaknesses in content delivery network (CDN) architecture to hijack the brand trust of legitimate websites. The technique, uncovered by ADAMnetworks, allows threat actors to route malicious traffic—including command-and-control (C2) communications and phishing pages—through high-reputation domains, bypassing security filters that rely on DNS reputation. According to the researchers, 42% of all websites globally are vulnerable, with the figure climbing to 51% in the United States.
Underminr is a modern successor to "domain fronting," a technique popular in the mid-2010s that allowed attackers to manipulate HTTP Host headers to disguise the true destination of web requests. While CDN providers largely mitigated classic domain fronting by 2018, Underminr works around those fixes by exploiting a different pair of fields. Instead of mismatching the SNI field and the HTTP Host header, Underminr exploits a disagreement between the Server Name Indication (SNI) field in the TLS handshake and the DNS lookup result. This allows an attacker to perform a DNS lookup for a trusted domain like darkreading.com, then use the SNI field to request a different, malicious site hosted on the same CDN edge IP.
The attack succeeds because DNS and CDN systems operate in relative silos—they do not cross-reference each other's decisions. CDNs often group domains of varying reputations behind the same edge IP addresses, meaning a trusted brand and a newly registered malicious site can share the same IP. When an attacker's request passes through a protective DNS filter, the filter sees only the legitimate domain and waves it through. The CDN then reads the SNI field and routes the request to the malicious site, never raising an alert. The result is that the attacker's traffic appears to originate from a trusted brand, evading DNS-, signature-, and behavior-based detection.
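The defender-side check this mechanism implies, as an added example that is not part of the original report: correlate resolver logs with observed TLS ClientHellos and flag any connection whose SNI the same client never resolved to that destination IP. The record shapes, function names and sample logs below are constructed for the illustration, not taken from ADAMnetworks or any CDN.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsAnswer:          # one resolver-log record (constructed shape)
    client: str
    qname: str
    ip: str

@dataclass(frozen=True)
class TlsHello:           # one observed ClientHello (constructed shape)
    client: str
    dst_ip: str
    sni: str

def build_resolution_index(dns_log):
    """Map (client, ip) -> the names that client actually resolved to that ip."""
    idx = defaultdict(set)
    for rec in dns_log:
        idx[(rec.client, rec.ip)].add(rec.qname.lower().rstrip("."))
    return idx

def find_sni_mismatches(dns_log, tls_log):
    """Flag ClientHellos whose SNI the same client never resolved to that IP.

    Returns (hello, sorted names the client did resolve to that IP); an empty
    list means no lookup for that IP was seen at all. Cached answers and DoH
    cause benign misses, so treat hits as a triage signal, not a verdict.
    """
    idx = build_resolution_index(dns_log)
    findings = []
    for hello in tls_log:
        resolved = idx.get((hello.client, hello.dst_ip), set())
        if hello.sni.lower().rstrip(".") not in resolved:
            findings.append((hello, sorted(resolved)))
    return findings

# Constructed sample logs (RFC 5737 test addresses, RFC 2606 example names).
DNS_LOG = [
    DnsAnswer("10.0.0.5", "trusted.example.com", "203.0.113.10"),
    DnsAnswer("10.0.0.5", "www.trusted.example.com", "203.0.113.10"),
]
TLS_LOG = [
    TlsHello("10.0.0.5", "203.0.113.10", "trusted.example.com"),       # consistent
    TlsHello("10.0.0.5", "203.0.113.10", "other-tenant.example.net"),  # SNI != DNS
    TlsHello("10.0.0.7", "203.0.113.10", "trusted.example.com"),       # no DNS seen
]
```

The second hit shows why the filter described above is blind: the protective DNS layer only ever saw trusted.example.com for that IP, while the TLS layer carried a different tenant's name to the same edge.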
The implications for brand owners are severe. Beyond the immediate risk of having their domain used as a shield for cybercrime, victim organizations face reputational damage, legal liability, and operational headaches if their domain is associated with malicious activity. ADAMnetworks CEO David Redekop noted that the attack is already being exploited in the wild, though specific campaigns were not detailed in the disclosure. The researchers emphasized that Underminr is not an inescapable reality of the Internet but a design flaw that can be mitigated.
Not all CDN providers are equally vulnerable. ADAMnetworks found that boutique, security-focused CDNs that do not serve anonymous clientele eliminate the risk entirely. Among larger providers, Fastly stands out as a model for mitigation. Fastly practices "bucketizing," a term coined by Redekop, where domains are intentionally grouped by reputation. For example, The New York Times and The Guardian are placed in one bucket, while new, untrusted domains are placed in another. This reduces the likelihood that a trusted brand and a malicious server share the same IP, effectively removing the incentive for attackers to exploit the technique. Fastly's approach, though slow to arrive, is considered the most effective among large CDNs.
For organizations seeking to protect themselves, the researchers recommend using CDN providers that implement reputation-based domain grouping or that offer dedicated IP addresses for high-value domains. Additionally, website owners can monitor their CDN configurations and ensure that their domains are not grouped with untrusted tenants. As Underminr demonstrates, the security of the Internet's infrastructure depends not only on individual patches but on the architectural decisions made by the platforms that underpin the web.