[zakki]

I read 2 examples of the links provided in the archive.today. Is this attack possible because the sub domain is provided by a CDN/S3 (or public cloud in general)? What if it doesn't use any CDN? just plain web server serving the site but no longer available or the web server is down.

[toast0]

Without a shared service like this one, you can also have this happen if you CNAME or NS to a different domain and that domain becomes controlled by someone else (for example, if it expires and is registered by a new person).

Also possible with A/AAAA records, if the IP becomes controlled by someone else, that's less likely if you're self hosted with IPs you were assigned directly by an IP registry, than if you're borrowing IPs from a service provider.