On a slight side note, he may not necessarily need to control the domain entirely, just have access to a privileged email address [1].
However, now it seems you won't even need access to an email address. What would stop someone creating a cert for the real citibank.com and using it for a MITM attack? How many people actually check the green bar?
In the live.fi example, it sounds like Microsoft may have failed to prevent a random user from registering administrator@live.fi as a personal account. Citibank probably won't allow a customer to get that e-mail address!
[1] http://arstechnica.com/security/2015/03/bogus-ssl-certificat...