title: Domain Fronting (T1090.004)
id: df00tech-t1090-004
status: experimental
description: "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation, 'domainless' fronting, utilizes a blank SNI field. Real-world actors including APT29 and tools like Cobalt Strike, Mythic, and SMOKEDHAM have leveraged domain fronting to hide C2 traffic behind legitimate CDN infrastructure."
references:
  - https://attack.mitre.org/techniques/T1090/004/
  - https://df00tech.com/detections/T1090.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1090.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate CDN-hosted applications that use different front-end domains for load balancing or A/B testing where SNI and Host headers intentionally differ
  - Corporate split-tunneling VPN configurations where internal proxy rewrites Host headers for SSL inspection purposes
  - "Web application frameworks or reverse proxies (nginx, HAProxy) that modify Host headers for internal routing, appearing as mismatches in proxy logs"
  - Content delivery architectures using shared CDN certificates where the certificate domain differs from the requested content domain by design
level: high