When a web address is accessed eg. "www.xyz.com", a DNS query is performed across a DNS server with the host name.
The DNS server takes the hostname and resolves it into a numeric IP address
CNAME
CNAME
An alias of domain name to another domain name
In the example below, xyz.company.com is a source domain and xyz.cloudservice.com is a canonical domain name.
Subtakeover_basics
Subdomains map themselves to a specific IP, 3rd party services like Azure, AWS, Heroku, Github, Fastly, Shopify, etc. to serve the contents. These subdomains use a CNAME record to another domain [eg. xyz.company.com CNAME xyz.cloudservice.com]
Now due to whatever reason, the company decides to stop utilizing this service and to save some bucks, the company cancels the subscription of the 3rd party cloud service provider.
But, the company forgets to update or simply remove the CNAME record in the DNS zone file
Since the CNAME record is not deleted from company.com DNS zone, anyone who registers xyz.cloudservice.com has full control over xyz.company.com until the DNS record is present.