Cybersecurity experts have flagged a growing risk from a threat actor known as “Hazy Hawk,” which has been linked to a wave of domain subversion incidents involving outdated cloud configurations.
The campaign, which targets forgotten digital infrastructure, underscores the importance of proactive domain and DNS management – particularly for New Zealand insurers navigating increased cloud adoption and digital exposure.
According to IT company Infoblox, Hazy Hawk’s method involves identifying unused DNS records that point to discontinued cloud services, such as Amazon S3 buckets and Microsoft Azure endpoints. Once these assets are left unmanaged, the group repurposes them to host malicious content, including scam websites and malware delivery systems.
This form of subdomain hijacking is harder to detect than a traditional domain takeover because it exploits gaps in visibility across cloud ecosystems: the organisation's own DNS record is still valid, but the cloud resource it points to no longer belongs to the organisation.
According to Infoblox, which has been tracking the group, organisations without end-to-end DNS oversight are especially susceptible.
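The oversight gap described above can be closed with a routine audit of an organisation's own zone for CNAME records that still point at cloud hostnames whose resource has been released. The following is an added example written for this article, not Infoblox's tooling; the zone contents, the resolver stand-in and the list of provider suffixes are constructed assumptions for illustration.

```python
"""Audit a DNS zone for CNAME records that still point at cloud hostnames
whose underlying resource is gone (the dangling-DNS pattern Hazy Hawk abuses)."""
from typing import Callable, List, Tuple

# Provider suffixes where a deleted resource name can later be claimed by
# someone else (illustrative assumption, not an exhaustive list).
RISKY_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
)

def is_cloud_target(target: str) -> bool:
    t = target.rstrip(".").lower()
    return any(t.endswith(s) for s in RISKY_SUFFIXES)

def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse minimal zone lines 'name TTL IN TYPE value'; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) < 5:
            continue  # blank, comment-only or malformed line
        name, rtype, value = parts[0], parts[3], parts[4]
        records.append((name.rstrip(".").lower(), rtype.upper(), value.rstrip(".").lower()))
    return records

def find_dangling(records, resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Flag CNAMEs whose target is a cloud suffix and no longer resolves."""
    return [(name, value) for name, rtype, value in records
            if rtype == "CNAME" and is_cloud_target(value) and not resolves(value)]

# Constructed sample zone and a constructed resolver standing in for live DNS
# (swap in a function that calls socket.getaddrinfo to audit a real zone).
SAMPLE_ZONE = """
; constructed zone for insurer.example
www.insurer.example.     300 IN A     203.0.113.10
promo.insurer.example.   300 IN CNAME promo-assets.s3.amazonaws.com.
claims.insurer.example.  300 IN CNAME claims-portal.azurewebsites.net.
status.insurer.example.  300 IN CNAME insurer-status.trafficmanager.net.
mail.insurer.example.    300 IN CNAME mail.partner.example.
"""
LIVE_TARGETS = {"claims-portal.azurewebsites.net", "mail.partner.example"}

def audit(zone_text: str = SAMPLE_ZONE, resolves=lambda h: h in LIVE_TARGETS):
    return find_dangling(parse_zone(zone_text), resolves)

if __name__ == "__main__":
    for name, target in audit():
        print(f"DANGLING: {name} -> {target}")
```

A resolution check alone is not sufficient for every provider: an S3 hostname still resolves after the bucket is deleted, so a production audit should also fetch the target and treat the provider's "no such bucket" style error as a finding. Any record flagged here should be deleted or re-pointed at a resource the organisation still controls.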
While the entities directly impacted include overseas agencies and institutions, the attack vectors used are platform-agnostic and relevant to any organisation with a public-facing digital footprint – including those in the insurance industry.
The compromised subdomains have reportedly been used to run phishing schemes, fake promotions, and push-notification fraud targeting global internet users.
The tactics rely on redirecting traffic through legitimate-looking URLs, making it harder for users and systems to detect suspicious activity.
Hazy Hawk is believed to use passive DNS intelligence and redirection chains that obscure the origin of the threat. These campaigns feed into broader fraud ecosystems, generating financial losses that disproportionately affect more vulnerable populations.
The new type of threat comes as research from Rubrik Zero Labs showed that cyberattacks are becoming more frequent and disruptive across industries.
In a study of more than 1,600 security and technology leaders globally, 90% of respondents confirmed experiencing at least one cyberattack in the past year. Nearly one in five encountered over 25 incidents.
The Rubrik report also found that 90% of surveyed organisations operate hybrid cloud environments, with roughly half using cloud platforms as their primary workload infrastructure. However, this shift has created new challenges in managing risk.
Key concerns included:
In total, Rubrik’s internal analysis of 5.8 billion files found that more than a third of sensitive data in cloud or SaaS environments was considered high-risk. Much of this included proprietary materials, customer data, and login credentials such as usernames and API keys.