No Sandwich, No Security: What This Week’s Lunch Taught Me About DNS Blind Spots

June 11, 2025

Like many shoppers in the UK this week, I found myself staring at half-empty shelves in my local grocery store. In a small but frustrating twist, my usual sandwich, chicken mayo on malted bread, was nowhere to be found. The disruption wasn’t just about lunchtime preferences; it was part of a broader impact from cyberattacks that hit major UK retailers, including Co-op and Marks & Spencer.

At first glance, a missing sandwich and a ransomware incident may seem unrelated. But standing in that aisle, it hit me: this wasn’t just about one vulnerability or one team. It was a breakdown in layered defense, and a reminder that, despite having firewalls, endpoint tools, and SIEMs, many organizations still have critical visibility gaps. One of the most overlooked is DNS.

The Real Entry Point: Social Engineering

According to early reports, the attackers didn’t need to brute-force their way in. Instead, they used social engineering, impersonating employees and manipulating help desks into resetting credentials. It’s a reminder of the human side of cyber risk: a highly effective, low-tech tactic that can bypass even the most advanced tools.

Sure, it’s easy to say “we need more training” after an incident like this, and we do. But the more pressing question is: what happens next, after that first click or password reset?

Once attackers gain a foothold, they need to move, communicate, and exfiltrate data. And in almost every case, they use DNS to do it, because it’s trusted, pervasive, and often under-monitored.

If a comprehensive DNS security solution like Infoblox had been in place and fully operational, the outcome might have been very different. Here’s why:

  • Detection of C2 Traffic: Infoblox identifies suspicious DNS queries to command-and-control domains, including those using fast-flux or newly registered domains—common tactics in ransomware and phishing attacks.
  • DNS Tunneling Prevention: Attackers often exfiltrate data through covert DNS channels. Infoblox detects and blocks these, even when traditional network tools miss them.
  • Lookalike Domain Blocking: Adversaries frequently use typosquatting or spoofed internal domains to trick users. Infoblox spots and prevents access to these before damage occurs.
  • Integrated Threat Intelligence: By combining internal DNS data with global threat intelligence, organizations can detect attacker infrastructure earlier—not just react to known threats.

In the case of these retail breaches, DNS logs could have been the early warning signs—indicating credential abuse, lateral movement, or anomalous data activity. Instead of finding out from a ransom note or media headlines, security teams could’ve seen the threat building and taken action.
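An added example, not from the original post and not Infoblox's detection logic: a small Python heuristic showing how resolver logs can surface the lookalike-domain and DNS-tunneling signals listed above. The log lines, the protected domain `example-retail.com`, and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs; not real traffic.
SAMPLE_LOG = [
    ("10.0.4.17", "www.example-retail.com"),
    ("10.0.4.17", "mail.example-retail.com"),
    ("10.0.4.22", "login.examp1e-retail.com"),
    ("10.0.9.31", "0123456789abcdef0123456789abcdef.cdn-sync.example"),
    ("10.0.9.31", "fedcba9876543210fedcba9876543210.cdn-sync.example"),
    ("10.0.9.31", "02468ace13579bdf02468ace13579bdf.cdn-sync.example"),
    ("10.0.4.17", "updates.vendor.example"),
]
PROTECTED = ["example-retail.com"]  # hypothetical brand domain to defend

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(log, protected, min_len=30, min_entropy=3.5, min_unique=3):
    """Return {'lookalike': {domain: clients}, 'tunneling': {domain: clients}}."""
    encoded = defaultdict(set)  # parent -> unique long, high-entropy labels
    clients = defaultdict(set)  # parent -> clients that queried it
    lookalike = {}
    for client, name in log:
        labels = name.rstrip(".").lower().split(".")
        # Assumption: registered domain = last two labels (use a public suffix list in production).
        parent = ".".join(labels[-2:])
        clients[parent].add(client)
        for label in labels[:-2]:
            if len(label) >= min_len and entropy(label) >= min_entropy:
                encoded[parent].add(label)
        # Near miss of a protected name (1-2 edits) but not the name itself.
        if any(0 < edit_distance(parent, p) <= 2 for p in protected):
            lookalike[parent] = clients[parent]
    tunneling = {d: clients[d] for d, s in encoded.items() if len(s) >= min_unique}
    return {"lookalike": lookalike, "tunneling": tunneling}
```

Calling `analyse(SAMPLE_LOG, PROTECTED)` returns each flagged domain with the internal clients that queried it, which is the pivot point for triage.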

Author:
Brett Ayres, CTO, Teneo
