.edu Subdomain Hijacking: Hazy Hawk Hit 34 Universities
Hazy Hawk exploited dangling DNS records to hijack .edu subdomains at 34 universities — serving malware and explicit content from trusted academic domains.
Last month, visiting a subdomain of berkeley.edu or columbia.edu didn't bring up research papers or campus resources. It served pornography. The Hazy Hawk threat group weaponized subdomain hijacking — a DNS security gap that costs nothing to exploit and everything to ignore: universities forget to delete their DNS records when they retire old web services, and attackers have learned to claim what's left behind.
By registering the abandoned endpoints those records pointed to, Hazy Hawk inherited official .edu traffic and redirected it to malware and explicit content — all under the trusted banner of accredited academic domains. 34 universities were confirmed affected, with hundreds of hijacked subdomains still under investigation as of late April 2026.
DNS Subdomain Hijacking: No Hacking Required
A CNAME record (a type of internet address bookmark — it tells browsers "go to this external service when someone visits this subdomain") is how universities connect custom web addresses to third-party platforms. careers.university.edu might point to a hosted applicant tracking system. events.university.edu might route to a ticketing platform. Both are wired up via CNAME entries stored in the university's DNS configuration.
When a university retires that ticketing platform or job board, the CNAME record rarely gets cleaned up. It becomes what security researchers call a dangling CNAME (an orphaned address pointer still publicly visible in DNS lookups, pointing to a destination nobody owns anymore). Hazy Hawk's operation wasn't sophisticated — it was methodical. They scanned public DNS records for dangling pointers, registered the unclaimed destinations, and instantly inherited all traffic flowing to official university subdomains.
No malware was needed inside the university's systems. No stolen credentials were required. Just patience, a DNS scanner, and standard domain registration fees — less than $20 per claimed domain.
34 Universities Confirmed: Why .edu Subdomain Hijacking Hits Hardest
Ars Technica's investigation confirmed three major institutions by name:
- berkeley.edu — University of California, Berkeley, with over 45,000 students and staff
- columbia.edu — Columbia University, one of the oldest research institutions in the US
- washu.edu — Washington University in St. Louis, a top-20 research university
The full list spans 34+ universities with hundreds of compromised subdomains. The .edu namespace creates compounding risk beyond a typical domain breach:
- Antivirus and firewall bypass: Corporate security tools frequently whitelist .edu domains by default — malware served from a hijacked berkeley.edu subdomain may never trigger an alert on a corporate laptop
- Email spam filter bypass: Links from .edu addresses skip filters that would catch identical payloads from .xyz or .click domains
- Implicit human trust: Students, parents, grant agencies, and employers treat .edu URLs as inherently safe — nobody second-guesses a Columbia subdomain
- Restricted namespace credibility: The .edu registry is reserved for accredited US institutions, creating a false assurance that any .edu domain reflects institutional oversight
That inherited trust is precisely what Hazy Hawk weaponized. A credential-harvesting page at forms.columbia.edu (a hijacked subdomain) faces far less scrutiny — from both security tools and human users — than the same page hosted on an unfamiliar domain.
Malware and Explicit Content: What the Hijacked .edu Subdomains Delivered
The hijacked subdomains delivered two distinct categories of harmful content, confirmed by Ars Technica's reporting:
- Explicit pornography: Adult content served under official .edu domains, potentially exposing minors, violating COPPA and FERPA compliance requirements (federal laws protecting minors and student records), and creating regulatory liability for affected institutions
- Malware and phishing: Drive-by malware downloads, credential harvesting forms, and phishing lures styled to match university branding — all delivered through subdomains users had no reason to question
The dual-payload approach suggests Hazy Hawk is monetizing hijacked domains in at least two ways simultaneously: advertising revenue from adult content traffic, and credential theft from visitors who entered login details into convincing-looking university pages.
How to Fix Subdomain Hijacking: A Free DNS Audit in One Afternoon
The most damaging aspect of this story isn't the attack technique — it's how long the warning existed. Subdomain takeover (the class of attack where an organization loses control of an official subdomain because an upstream dependency was decommissioned without removing the DNS pointer) has been documented since at least 2016. Microsoft Azure, Amazon S3, GitHub Pages, Heroku, and Fastly have all published subdomain takeover advisories. The technique is covered in standard security training. Universities simply never applied the lesson.
Remediation for any IT team managing institutional DNS is straightforward:
- Export every CNAME record from your DNS provider's management panel
- For each record, verify the destination service is still active and under your organization's control
- Delete any CNAME records pointing to decommissioned, expired, or unrecognized external services — immediately
- Add DNS record cleanup as a mandatory step in every service decommission runbook
- Schedule quarterly DNS audits; large institutions accumulate hundreds of records over decades of web presence
A single terminal command starts the audit process:
# Check where a subdomain is actually pointing:
dig CNAME subdomain.youruniversity.edu
# If the CNAME target is a domain you don't own or recognize,
# delete that DNS record from your zone file immediately.
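The same check can be scripted over a full zone export so every CNAME is classified at once. The script below is an added example, not code from the article or from any university named in it; it assumes a BIND-style export, a constructed sample zone, and a constructed stand-in resolver so it runs offline (swap in target_resolves for live lookups).

```python
import re
import socket

# Matches "owner [TTL] [IN] CNAME target" as exported from a BIND-style zone file
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)

def parse_cnames(zone_text: str) -> dict:
    """Return {owner: target} for every CNAME line, lowercased, trailing dots removed."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = CNAME_RE.match(line)
        if m:
            owner, target = (s.lower().rstrip(".") for s in m.groups())
            records[owner] = target
    return records

def target_resolves(name: str) -> bool:
    """Live check: a target that no longer resolves is the classic takeover candidate."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def audit(records: dict, owned_suffixes: list, resolves=target_resolves) -> dict:
    """'dangling' = target gone; 'review' = resolves but not a service we recorded as ours; else 'ok'."""
    findings = {}
    for owner, target in records.items():
        if not resolves(target):
            findings[owner] = "dangling"
        elif not any(target == s or target.endswith("." + s) for s in owned_suffixes):
            findings[owner] = "review"
        else:
            findings[owner] = "ok"
    return findings

# Constructed sample zone fragment; the names are placeholders, not real records
SAMPLE_ZONE = """\
careers  3600 IN CNAME example-university.applicanttracker.example.
events        IN CNAME tickets-retired.example.  ; vendor contract ended
www      300  IN CNAME web.example-university.edu.
"""
# Constructed resolver standing in for DNS: the retired ticketing host is gone
FAKE_DNS = {"example-university.applicanttracker.example": True, "web.example-university.edu": True}
OWNED = ["example-university.edu", "example-university.applicanttracker.example"]

def demo() -> dict:
    return audit(parse_cnames(SAMPLE_ZONE), OWNED, resolves=lambda n: FAKE_DNS.get(n, False))
```

Running demo() reports events as dangling (its target no longer resolves) while careers and www come back ok; anything marked review is a live third-party target nobody has claimed ownership of and should be traced to a current contract.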
Free tools like dnschecker.org or MXToolbox let any IT team audit DNS records without installing software. Ars Technica's report frames the root cause as "shoddy housekeeping" — an organizational failure, not a technical flaw requiring patching or budget approval. For teams exploring AI automation to monitor DNS health continuously, our AI automation setup guide covers integrating security scanning into DevOps workflows.
Who Is Hazy Hawk?
Hazy Hawk is not a nation-state actor or APT group (advanced persistent threat — the term for well-resourced, state-sponsored attackers who maintain long-term stealth access to targeted networks). They operate opportunistically, scanning institutional DNS records at scale for housekeeping failures.
Universities are unusually attractive targets for this attack class for several structural reasons:
- Large research universities may have accumulated thousands of DNS records across 30+ years of web presence
- High IT staff turnover means records from retired services are rarely tracked back to their original owners
- Decentralized IT governance means DNS records are often managed across dozens of departments with no central audit trail
- Academic IT teams are typically under-resourced relative to the size and complexity of their infrastructure
The same CNAME takeover technique has previously hit Azure Blob Storage endpoints, GitHub Pages deployments, AWS S3 buckets, and Heroku apps at thousands of commercial organizations. Universities simply haven't implemented the cleanup discipline that cloud-native companies developed after earlier incidents. Hazy Hawk found the gap and moved faster than institutional bureaucracy could respond.
Before You Trust Another .edu Link
Ars Technica reports that affected universities have been notified and are working to remediate. With hundreds of subdomains to audit and clean across 34 institutions, full resolution will take weeks — and some hijacked subdomains may remain active longer than official timelines suggest.
If you study, work, or have family at a major university, watch for these red flags when following .edu subdomains:
- Page design doesn't match the university's main site — mismatched fonts, colors, or layout
- The SSL certificate (the padlock in your browser's address bar) is issued to an unexpected or generic company name
- The subdomain leads to content completely unrelated to academic or campus activity
- Your browser shows a redirect chain or unusual warning before loading the page
If you suspect a subdomain at your institution has been hijacked, report it to the university's security team — most maintain a security@[university].edu or abuse@[university].edu address. You can verify any subdomain's current status using a public DNS lookup tool and checking whether the CNAME destination is a domain the university actually controls.
For more on how supply chain and DNS attacks affect everyday users — and how AI tools are being used to detect them faster — visit our AI automation security guides.