If you discover some domain (domain.tld) that is being used by some service inside the scope but the company has lost the ownership of it, you can try to register it (if cheap enough) and let know the company. If this domain is receiving some sensitive information like a sessions cookie via GET parameter or in the Referral header, this is for sure a vulnerability.
A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain take over.
There are several tools with dictionaries to check for possible takeovers: