
If someone has a trusted CA and has access to switches/packets, can't they do a MITM? I thought that's possible.


There are proxies that can dynamically generate certs based on requested domains, so the only mitigating controls would be to either cache fingerprints of certs and alert someone if they are different than what other probe nodes are seeing from the rest of the internet, or to pin certificates, and hardly anyone does this anymore. This is currently a manual process, so most people would have no idea until it is too late. These would just be missing entries in the crt.sh logs.
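The fingerprint comparison described in the comment above, sketched as an added example that is not part of the thread: the certificate seen on the local path is compared with what several remote probes report, and a value is cached only once the probes confirm it. The probe names, `example.test`, the function names and the certificate byte strings are all constructed for illustration.

```python
import hashlib
import ssl
from collections import Counter

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate as seen from this network path (no chain validation:
    the point is to record what was presented, not whether a CA vouches for it)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def verdict(host, local_fp, probe_fps, cache, quorum=2):
    """Compare the local fingerprint with what remote probes report.
    probe_fps maps probe name -> fingerprint; cache maps host -> last good one."""
    top = Counter(probe_fps.values()).most_common(1)
    if not top or top[0][1] < quorum:
        return "no-quorum"      # probes disagree or too few answered
    if local_fp != top[0][0]:
        return "mismatch"       # this path sees a cert the rest of the internet does not
    previous = cache.get(host)
    cache[host] = local_fp      # only a probe-confirmed value is cached
    return "rotated" if previous not in (None, local_fp) else "ok"

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE = b"constructed-der/example.test/issued-by-site-ca"
RENEWED = b"constructed-der/example.test/issued-by-site-ca/renewal"
PROXY = b"constructed-der/example.test/issued-by-intercepting-proxy"
PROBES = ("probe-a", "probe-b", "probe-c")   # hypothetical vantage points

def demo():
    cache, host = {}, "example.test"
    seen = lambda der: {p: fingerprint(der) for p in PROBES}
    return [
        verdict(host, fingerprint(GENUINE), seen(GENUINE), cache),
        verdict(host, fingerprint(PROXY), seen(GENUINE), cache),
        verdict(host, fingerprint(RENEWED), seen(RENEWED), cache),
        verdict(host, fingerprint(GENUINE), {"probe-a": "x"}, cache),
    ]

if __name__ == "__main__":
    print(demo())
```

Sites that legitimately serve different certificates from different edges will show up as `no-quorum` or `mismatch`, so these verdicts are prompts for a human to look, not proof of interception.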


Yes, one would need access to both for that to be possible. A trusted CA alone (the topic of your question) is not enough.



