Risks of wildcard whitelisting in public cloud services

In addition to the existing document on cloudfront.net, this section lists other base domains used by cloud providers on which millions of users can dynamically create subdomains.

Broad whitelisting of these suffixes (e.g., *.s3.amazonaws.com or *.windows.net) amounts to allowing traffic to unverified, tenant-controlled content, including active malware, phishing, and command-and-control (C2) distribution campaigns.

Warning: High-risk base domains (should not be wildcard-whitelisted)

Common suffixes in cloud services

| Suffix                        | Provider or service                    |
|-------------------------------|----------------------------------------|
| cloudfront.net                | Amazon CloudFront (CDN)                |
| s3.amazonaws.com              | Amazon S3 (object storage)             |
| s3-<region>.amazonaws.com     | Amazon S3 with regional location       |
| storage.googleapis.com        | Google Cloud Storage                   |
| firebaseio.com                | Google Firebase Realtime DB / Hosting  |
| appspot.com                   | Google App Engine apps                 |
| blob.core.windows.net         | Microsoft Azure Blob Storage           |
| web.core.windows.net          | Azure Static Website Hosting           |
| azureedge.net                 | Azure CDN                              |
| digitaloceanspaces.com        | DigitalOcean Spaces                    |
| cdn.digitaloceanspaces.com    | DigitalOcean CDN endpoint              |
| github.io                     | GitHub Pages                           |
| netlify.app                   | Netlify apps                           |
| vercel.app                    | Vercel apps                            |

Real-world abuse examples in DigitalOcean Spaces

Malicious subdomains in DigitalOcean Spaces detected by VirusTotal

| Subdomain                                           | VirusTotal analysis link                                                                                   | Family / threat |
|-----------------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------------|
| ben-advanced.fra1.digitaloceanspaces.com            | https://www.virustotal.com/gui/url/05a1932e23262fa3d2f692491f81ab23067358b731bdda3cd71c717e9327acb2        | malware         |
| filekg-download-01.fra1.cdn.digitaloceanspaces.com  | https://www.virustotal.com/gui/url/c091d0cb5d78862ee3dc94d04cf21d57b7abfa3d341296a8881ca62b4ec6a39f        | SmokeLoader     |
| downcheck.nyc3.cdn.digitaloceanspaces.com           | https://www.virustotal.com/gui/url/2c40ac5b67be2e48b23f62da2f2f52684d973b64b3e4c57d04dd0534564030b6        | Lumma Stealer   |

Some subdomains may host malicious content temporarily and later return to a "clean" state. This can be due to:
  • Removal of malicious content after a takedown request

  • Resource rotation by malicious actors

  • Reuse of public buckets by different users

The presence of false negatives or later "clean" analyses does not invalidate the evidence of malicious use. Justifying a wildcard on domains like *.digitaloceanspaces.com because a subdomain is "no longer flagged on VirusTotal" is equivalent to trusting an attacker who simply erased their tracks after completing the campaign.

Recommendations
  • Never apply wildcard whitelisting (*) on any of the listed suffixes.

  • Individually analyze each subdomain that needs to be excluded from RPZ.

  • Automate validations using tools like VirusTotal, URLhaus, or Threat Intelligence feeds.

  • Log the date and evidence of each exception for future audits.
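The following script is an added example (not part of the original page) that turns the first, second and fourth recommendations into an automated pre-check for a proposed list of RPZ exceptions. It flags any wildcard under one of the suffixes in the table above, marks single hosts under those suffixes for individual analysis, and builds the audit record (date, decision, evidence) that each exception should carry. Matching is done on whole DNS labels, so a look-alike such as evilcloudfront.net is not treated as cloudfront.net, and the <region> placeholder in s3-<region>.amazonaws.com is expanded to one label. The entries in SAMPLE_EXCEPTIONS and the evidence URL are constructed test data; the VirusTotal/URLhaus lookup itself (recommendation 3) is out of scope and would be plugged in where the "review" verdicts are handled.

```python
"""Screen a proposed list of RPZ exceptions (allow-list entries) against the
multi-tenant cloud suffixes listed above.  Added example, not from the
original page; SAMPLE_EXCEPTIONS and the evidence URL are constructed data."""
import re
from datetime import datetime, timezone

# Base domains from the table above: any tenant can create a subdomain here.
HIGH_RISK_SUFFIXES = {
    "cloudfront.net": "Amazon CloudFront (CDN)",
    "s3.amazonaws.com": "Amazon S3 (object storage)",
    "s3-<region>.amazonaws.com": "Amazon S3 with regional location",
    "storage.googleapis.com": "Google Cloud Storage",
    "firebaseio.com": "Google Firebase Realtime DB / Hosting",
    "appspot.com": "Google App Engine apps",
    "blob.core.windows.net": "Microsoft Azure Blob Storage",
    "web.core.windows.net": "Azure Static Website Hosting",
    "azureedge.net": "Azure CDN",
    "digitaloceanspaces.com": "DigitalOcean Spaces",
    "cdn.digitaloceanspaces.com": "DigitalOcean CDN endpoint",
    "github.io": "GitHub Pages",
    "netlify.app": "Netlify apps",
    "vercel.app": "Vercel apps",
}

_LABEL = r"[a-z0-9-]+"  # one DNS label (hostnames are lower-cased first)


def _suffix_pattern(suffix):
    """Regex matching the suffix itself or any subdomain of it, on whole
    labels only.  '<region>' stands for exactly one label, e.g. 'eu-west-1'."""
    literal = _LABEL.join(re.escape(part) for part in suffix.split("<region>"))
    return re.compile(rf"(?:{_LABEL}\.)*{literal}")


_PATTERNS = {s: _suffix_pattern(s) for s in HIGH_RISK_SUFFIXES}


def normalize(name):
    """Lower-case and drop surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def matching_high_risk_suffix(host):
    """Most specific listed suffix that `host` falls under, or None.
    'cdn.digitaloceanspaces.com' wins over 'digitaloceanspaces.com'."""
    host = normalize(host)
    hits = [s for s, p in _PATTERNS.items() if p.fullmatch(host)]
    return max(hits, key=lambda s: s.count(".")) if hits else None


def classify_exception(entry):
    """Apply the policy: reject wildcards under a listed suffix, send single
    hosts under a listed suffix to individual review, accept the rest."""
    name = normalize(entry)
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    suffix = matching_high_risk_suffix(host)
    if suffix is None:
        decision, reason = "accept", "not under a listed multi-tenant suffix"
    elif wildcard:
        decision = "reject"
        reason = (f"wildcard under {suffix} ({HIGH_RISK_SUFFIXES[suffix]}) "
                  "would allow unverified tenant content")
    else:
        decision = "review"
        reason = f"single host under {suffix}; analyze individually before excluding from RPZ"
    return {"entry": entry, "wildcard": wildcard, "suffix": suffix,
            "decision": decision, "reason": reason}


def review_exception_list(entries):
    return [classify_exception(e) for e in entries]


def audit_record(verdict, analyst, evidence, now=None):
    """Log entry for the exception register: timestamp, analyst, evidence
    links and the verdict fields (constructed format, not a standard one)."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return {"timestamp": ts, "analyst": analyst, "evidence": list(evidence), **verdict}


# Constructed sample input: a mix of a forbidden wildcard, hosts needing
# review, a look-alike name and an unrelated internal domain.
SAMPLE_EXCEPTIONS = [
    "*.digitaloceanspaces.com",
    "*.NYC3.cdn.digitaloceanspaces.com.",
    "downcheck.nyc3.cdn.digitaloceanspaces.com",
    "mybucket.s3-eu-west-1.amazonaws.com",
    "evilcloudfront.net",
    "intranet.example.org",
]

if __name__ == "__main__":
    for v in review_exception_list(SAMPLE_EXCEPTIONS):
        print(f"{v['decision']:7} {v['entry']:45} {v['reason']}")
    rec = audit_record(classify_exception("*.github.io"), "analyst-1",
                       ["https://example.invalid/evidence-placeholder"])
    print(rec)
```

Run it against the real exception file before the change is applied; only "accept" entries go through unattended, every "review" entry gets its own VirusTotal/URLhaus check and an audit_record with the evidence link, and any "reject" blocks the change.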