Threat Intel Horrid Hawk

It all began with a lookalike domain. The domain was crafted to look like a Slack hosting resource, but it was hosted in Russia. Simple phishing? Maybe. Except there was also a curious redirect chain. A long-registered CBS Interactive domain was being used to redirect potential victims to a fake Slack portal.1 Could the TV network really have dropped the domain? Nope, it was still registered with MarkMonitor. However, reviewing the DNS resolution history, it was clear that after being idle for some time, the domain began resolving in Russia. It must have been hijacked. Back in January 2024, hijacking a high-value domain like clickermediacorp[.]com was assumed to be a sign of credential theft. We reported the hijacking to both the registrar and the DNS provider and moved on.
