The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The DNS changed. Nobody noticed for three weeks.

The scenario:

The client’s website was working fine. Email was flowing. Everything looked normal. 

Except the MX records had been changed three weeks ago. A small subset of inbound email was being copied to an external server before delivery. The attacker was reading every message. Contracts, proposals, financials. The client had no idea because their email still arrived. 

The attack:

STAGE 1: REGISTRAR COMPROMISE

Attacker social-engineers the domain registrar’s support team.

Uses publicly available information (WHOIS, LinkedIn) to pass identity verification.

Gains access to the registrar account and DNS management panel.

-

STAGE 2: DNS MODIFICATION

Adds a second MX record with a higher priority (a lower preference value) than the legitimate one.

Points the new MX record to an attacker-controlled mail server.

Leaves the original MX record intact (email still works normally).

Reduces TTL to allow quick changes if detected.

-

STAGE 3: EMAIL INTERCEPTION

Attacker’s mail server receives a copy of all inbound email.

Forwards email to the legitimate server after copying (no delivery disruption).

Monitors for high-value conversations (invoices, contracts, credentials).

Harvests attachments containing financial data and client information.

-

STAGE 4: EXPLOITATION

Uses intercepted information to craft targeted BEC attacks.

Modifies intercepted invoices with changed bank details before forwarding.

Maintains access for 23 days before an external security audit detects the rogue MX record.

What stopped it:

An external security assessment included DNS record verification as part of the audit scope. The secondary MX record was identified as unrecognised and traced to an attacker-controlled server. 


How to defend against it:

  1. Enable registrar lock on all client domains

  2. Use MFA on all domain registrar accounts

  3. Monitor DNS records for changes (automated weekly checks)

  4. Implement DNSSEC where supported

  5. Set alerts for MX record modifications

  6. Review domain registrar access quarterly (who has the login?)

  7. Include DNS verification in your regular security audits
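A weekly MX baseline check along the lines of items 3, 5 and 7, added here as an example and not part of the original newsletter: it parses the answer section of `dig <domain> MX +noall +answer` and flags the signals from this scenario (an unknown exchange host, a rogue record that outranks the legitimate one, and a lowered TTL). The domain, baseline hosts, rogue server and 3600-second TTL floor are constructed sample values.

```python
"""Weekly MX baseline check: parse `dig <domain> MX +noall +answer` output and
compare it against a stored known-good baseline for each client domain."""
import sys
from dataclasses import dataclass

# Known-good exchange host -> MX preference (constructed sample baseline).
BASELINE = {"mail.example.com": 10}

# Constructed sample of dig's answer section for the scenario: a rogue record
# with a better (lower) preference and a short TTL sits beside the real one.
CONSTRUCTED_DIG_OUTPUT = """\
example.com.\t300\tIN\tMX\t5 mx.attacker.example.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
"""

@dataclass(frozen=True)
class MxRecord:
    preference: int   # lower number = higher priority
    host: str
    ttl: int

def parse_dig_answer(text):
    """Turn dig answer lines (name ttl class type pref exchange) into records."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] == "IN" and f[3] == "MX":
            records.append(MxRecord(int(f[4]), f[5].rstrip(".").lower(), int(f[1])))
    return records

def check_mx(baseline, observed, min_ttl=3600):
    """Return human-readable findings; an empty list means the baseline matches.
    Query the authoritative nameserver (dig @ns1...) so TTL is the configured
    value rather than a decaying cached one."""
    findings = []
    seen = {r.host: r for r in observed}
    for host, rec in seen.items():
        if host not in baseline:
            findings.append(f"UNKNOWN MX {host} (pref {rec.preference})")
        elif rec.preference != baseline[host]:
            findings.append(f"PREFERENCE CHANGED {host}: {baseline[host]} -> {rec.preference}")
        if rec.ttl < min_ttl:
            findings.append(f"LOW TTL {host}: {rec.ttl}s (expected >= {min_ttl}s)")
    findings += [f"MISSING MX {host}" for host in baseline if host not in seen]
    # The scenario's key signal: the record mail actually routes to is unknown.
    if observed and min(observed, key=lambda r: r.preference).host not in baseline:
        findings.append("HIGHEST-PRIORITY MX IS NOT IN BASELINE")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_DIG_OUTPUT
    for line in check_mx(BASELINE, parse_dig_answer(text)) or ["OK: MX matches baseline"]:
        print(line)
```

Run it as `dig @ns1.example.com example.com MX +noall +answer > mx.txt && python check_mx.py mx.txt` per client domain and route any non-empty output to your alerting channel.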

-

Email still worked. The website still loaded. The only sign something was wrong was a DNS record nobody was watching. 

When did you last check your clients’ MX records?