PASSED | security / dns_poisoning

Multi-Tenant DNS Poisoning Attack

An attacker compromises the internal DNS server and injects fraudulent A records for banking and M365 login pages. Users are redirected to phishing pages that harvest credentials. The poisoned cache affects 3 client tenants on the MSP's shared DNS infrastructure.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric               | Expected | Actual
Pattern Recognition  | UNKNOWN  | UNKNOWN
Severity Assessment  | CRITICAL | CRITICAL
Incident Correlation | Yes      | 56 linked
Cascade Escalation   | Yes      | Yes
Remediation          | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

MSP shared Windows DNS server for 3 client tenants. DNS cache poisoned with fake records for login.microsoftonline.com and bankofamerica.com. No DNSSEC. No DNS query logging enabled. 1,500 users across 3 tenants.

Injected Error Messages (4)

Cache poisoning detected on DNS-01 — serving fraudulent A name entries, login.microsoftonline.com resolving to 185.234.72.18 (expected: 20.190.151.x), bankofamerica.com resolving to 185.234.72.19, cache injection via forged response, DNSSEC not enabled, fifteen hundred users at risk
Tenant-A users redirected to phishing site — name lookup for M365 login returning malicious IP, certificate mismatch warnings suppressed by users, 12 credential harvests detected in proxy logs, lateral phishing emails sent from compromised accounts
Tenant-B banking portal compromised — bankofamerica.com name lookup poisoned, users entering credentials on fake site at 185.234.72.19, browser certificate warning for *.bankofamerica.com, financial data exposure risk across tenant
Tenant-C M365 authentication redirected — cache returning poisoned records, Conditional Access policies bypassed via credential theft, MFA fatigue attack following credential harvest, 3 accounts compromised in last 30 minutes

Neural Engine Root Cause Analysis

DNS server DNS-01 has been compromised through DNS cache poisoning, where an attacker has successfully injected fraudulent DNS responses into the cache. Critical domains like login.microsoftonline.com and bankofamerica.com are resolving to malicious IP addresses (185.234.72.18/19), indicating an active security breach. The lack of DNSSEC validation allowed forged responses to be accepted, and with 1500 users at risk, this represents a severe security incident that could lead to credential theft and financial fraud.

Remediation Plan

1. IMMEDIATE: Isolate DNS-01 from network to prevent further malicious redirections
2. Flush all DNS caches and restart DNS service
3. Analyze logs to identify attack vector and timeline
4. Implement emergency DNS failover to secondary clean DNS servers
5. Enable DNSSEC validation and configure secure forwarders
6. Scan for indicators of compromise on DNS server and network
7. Reset DNS zone files from clean backups
8. Notify security team and affected users about potential credential compromise
9. Monitor network traffic for connections to malicious IPs
10. Implement DNS filtering and monitoring to prevent future attacks

Tested: 2026-03-30 | Monitors: 4 | Incidents: 4 | Test ID: cmncjnmjr02z0obqet0pmaq1j