What are Out-of-band Application Security Testing (OAST) domains?

Out-of-band application security testing (OAST) is a method for finding exploitable vulnerabilities in a web application by forcing a target to call back to a piece of infrastructure controlled by the tester. OAST domains (sub-domains most often) are often free and hosted by OAST tool providers like interact.sh. What happens when something is free on the Internet? It gets abused.

Let’s make tOAST of the most commonly abused OAST domains! @greynoise has an in-depth writeup on recent campaigns using OAST infrastructure.

OAST Domains/Provider:
All 33 campaigns use Interactsh
5,560 unique callback sub-domains observed
Block these domains to stop these attacks: oast.pro, oast.live, oast.fun, oast.me, oast.site

#cybersecurity

https://www.labs.greynoise.io/grimoire/2026-02-20-weekly-oast-report/

GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-02-20 – GreyNoise Labs

GreyNoise observed 3,882 sessions from 24 unique IPs across 33 Interactsh OAST campaigns targeting the GreyNoise Global Observation Grid between February 14-20, 2026. Unlike previous weeks where multi-IP campaign clusters dominated, this week’s activity consists entirely of single-IP operations, with every campaign mapping to exactly one source IP. Two Censys-confirmed bulletproof hosting providers (Private Layer, RouterHosting/Cloudzy) anchor the high-priority infrastructure, while a commercial VPN exit node (AnchorFree/Hotspot Shield) and a Russian-registered entity operating through French hosting add attribution complexity.
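A DNS lookup for one of the five listed domains coming from your own server means that server made the callback, so resolver logs are a natural place to apply the blocklist. The following is an added example, not code from the post or from GreyNoise: it matches query names against the five apex domains on a DNS label boundary. The log format, client IPs and sub-domain labels are constructed for illustration.

```python
from collections import Counter

# The five Interactsh apex domains named in the post.
OAST_APEXES = ("oast.pro", "oast.live", "oast.fun", "oast.me", "oast.site")

def oast_apex(hostname):
    """Return the OAST apex a hostname falls under, or None.

    Matching is done on a label boundary: 'x.oast.pro' and 'oast.pro'
    match, 'notoast.pro' and 'oast.pro.example.com' do not.
    """
    name = hostname.strip().rstrip(".").lower()  # drop root dot, fold case
    for apex in OAST_APEXES:
        if name == apex or name.endswith("." + apex):
            return apex
    return None

def scan_dns_log(lines):
    """Scan lines of the assumed form '<timestamp> <client-ip> <qtype> <qname>'.

    Returns (hits, per_apex): hits is a list of (client, qname, apex) and
    per_apex counts the hits for each apex domain.
    """
    hits, per_apex = [], Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        _, client, _, qname = parts
        apex = oast_apex(qname)
        if apex:
            hits.append((client, qname.rstrip(".").lower(), apex))
            per_apex[apex] += 1
    return hits, per_apex

def calling_clients(hits):
    """Internal hosts that resolved an OAST name and need triage."""
    return sorted({client for client, _, _ in hits})

# Constructed resolver log lines (not real observations).
SAMPLE_LOG = [
    "2026-02-18T10:01:02Z 10.0.4.17 A constructed-label-01.oast.fun.",
    "2026-02-18T10:01:05Z 10.0.4.17 A www.example.com",
    "2026-02-18T10:02:11Z 10.0.9.3 AAAA Constructed-Label-02.OAST.ME",
    "2026-02-18T10:03:40Z 10.0.9.3 A notoast.pro",
    "2026-02-18T10:04:00Z 10.0.2.8 A oast.site.example.com",
    "2026-02-18T10:05:30Z 10.0.4.17 A a.b.oast.pro",
]

if __name__ == "__main__":
    hits, per_apex = scan_dns_log(SAMPLE_LOG)
    print(hits, dict(per_apex), calling_clients(hits))
```

The same `oast_apex` check can be applied to proxy or egress-filter logs by passing it the request's host name.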
