DNS Hijacking.

DNS hijacking covers a family of techniques that subvert the DNS path between a user and the intended service. It can take place on the endpoint (malware changing DNS settings or the hosts file), at the home or enterprise router (compromised CPE), at the recursive resolver (poisoned cache or man-in-the-middle), or at the authoritative DNS provider (compromised account, credential theft, or registrar abuse). Once DNS is hijacked, attackers can intercept email, issue TLS certificates for the hijacked names, run phishing against the legitimate domain, or facilitate other intrusions — as seen in notable campaigns like the DNSpionage and Sea Turtle operations. Mitigations include DNSSEC, registry/registrar locks, CAA records, monitoring DNS records and certificate transparency logs, MFA on DNS provider accounts, and using trusted, validated recursive resolvers (DoH/DoT).