The most common scenario when taking over a sub-domain is when the domain is available. In this case, malicious users just need to register the domain; pointing to it will be available while the CNAME register works.

To identify these available domains, you can use common register services such as GoDaddy however, we recommend using RiskIQ (https://www.riskiq.com/), which is a passive DNS tool that provides more information – including changes – on registers.

Manually accessing a domain using a web browser, or doing more exploration in RiskIQ, is essential. This is because when a domain expires, the registrant marks it as available even if it navigates to an internal website. RiskIQ helps in these cases because it can show you a domain's historic changes, as shown in the following screenshot: