“To make this attack work, the threat actor acquires some IPv6 address space, for which they are delegated control of the corresponding .arpa subdomain. Then, instead of adding the expected PTR records, they create A records for the reverse DNS names,” Infoblox explains.

These records were created through Cloudflare and Hurricane Electric, but other DNS providers also allow the configuration.

While .arpa domains are typically trusted and their names are unlikely to be blocked, the threat actor made the reverse DNS domains even harder to identify and block by prepending randomly generated subdomains, creating unique Fully Qualified Domain Names (FQDNs) that were then used in the HTML of the phishing emails.

The identified reverse DNS FQDNs resolved to two IP addresses belonging to Cloudflare’s edge network, which hides the true location of the malicious content.

Infoblox also discovered that the threat actor hijacked the Canonical Name (CNAME) records of known education, government, media, retail, and telecommunication entities and abused subdomains of their legitimate domains in the phishing attacks.

“We also saw a few cases of domain shadowing, in which an actor-controlled subdomain is created, typically through credential theft. The lure images are unrelated to the hijacked domains. As with the IPv6 reverse domains, victims are unlikely to ever notice them,” Infoblox notes.

The company has observed hijacked CNAMEs being abused constantly in phishing attacks since September 2025, some in more than 100 different email runs per day. Some of the domains have been abused for years, and the toolkit used in this campaign has been used by multiple threat actors since 2017.
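A defender-side triage check for the technique described above, added here as an example and not part of the Infoblox report or SecurityWeek article: it scans the link targets in a lure’s HTML for hostnames under ip6.arpa or in-addr.arpa (reverse names should never appear as forward hostnames in a message), strips any prepended random labels, and decodes the nibble labels back into the IPv6 prefix so an analyst can see which delegated address space the name belongs to. The sample HTML and the 2001:db8:: prefix are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

NIBBLE = re.compile(r"^[0-9a-f]$")
LINK_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed lure HTML (not from the Infoblox report): the 32-nibble reverse name
# of 2001:db8::1 with a random label prepended, the shorter /32 reverse name,
# an in-addr.arpa name, and one benign host.
FULL_REV = "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa"
SAMPLE_HTML = f"""<html><body>
<a href="https://x7k2q9.{FULL_REV}/verify">Verify account</a>
<img src="https://login.8.b.d.0.1.0.0.2.ip6.arpa/logo.png">
<a href="https://4.3.2.1.in-addr.arpa/help">help</a>
<a href="https://cdn.example.com/legit.png">legit</a></body></html>"""

def decode_ip6_arpa(fqdn):
    """Return (prepended labels, IPv6 prefix the nibble labels encode), or None
    when fqdn is not a well-formed *.ip6.arpa name."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    body, nibbles = labels[:-2], []  # most significant nibble sits next to ip6.arpa
    while body and NIBBLE.match(body[-1]):
        nibbles.append(body.pop())
    if not nibbles or len(nibbles) > 32:
        return None
    addr = ipaddress.IPv6Address(int("".join(nibbles).ljust(32, "0"), 16))
    return body, ipaddress.IPv6Network((addr, 4 * len(nibbles)), strict=False)

def flag_reverse_dns_hosts(html):
    """Return (host, note) pairs for link targets under in-addr.arpa or ip6.arpa.
    Uses a simple attribute scan, so it is a triage aid rather than a full parser."""
    findings = []
    for url in LINK_ATTR.findall(html):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host.endswith(".in-addr.arpa"):
            findings.append((host, "IPv4 reverse name used as forward hostname"))
        elif host.endswith(".ip6.arpa"):
            decoded = decode_ip6_arpa(host)
            if decoded is None:
                findings.append((host, "malformed ip6.arpa name"))
                continue
            extra, net = decoded
            suffix = f", prepended labels {'.'.join(extra)}" if extra else ""
            findings.append((host, f"reverse name for {net}{suffix}"))
    return findings
```

A single-character random label would be indistinguishable from a nibble, so the decoded prefix is a lead for correlating with the delegating provider, not proof of ownership.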

Source: SecurityWeek