Phishing Attacks Bypass Security via IPv6 Tunnels

News Desk

Phishing attacks are evolving, and researchers have uncovered a new method that breaks from traditional patterns. According to Infoblox Threat Intel, cybercriminals are now abusing a core part of internet infrastructure to bypass security controls and deliver malicious campaigns via spam.

Historically, phishing attacks have followed recognizable tactics and trends. However, this latest research reveals an anomaly. Threat actors are exploiting a little-known section of the domain name space reserved for internet infrastructure. Specifically, they are leveraging the .arpa top-level domain to host fraudulent content.

Unlike common domains such as .com and .net, which are designed for web content, .arpa serves a technical purpose within the Domain Name System (DNS). It is primarily used for reverse DNS records that map IP addresses to domain names. It was never intended to host websites.

Nevertheless, attackers have discovered a loophole. Some DNS providers allow users to add IP address records for .arpa domains through record-management controls. As a result, threat actors can host malicious content behind this infrastructure. Because .arpa is associated with reverse DNS rather than websites, many security tools do not monitor it as a potential threat surface.

In addition, the attackers acquire free IPv6 tunnels. These tunnels provide them with a large number of IP addresses to use in their campaigns. IPv6 tunnels are designed to help internet traffic pass through networks that still rely on legacy IPv4 equipment. However, in this case, they are being misused to scale phishing operations.

“When we see attackers abusing .arpa, they’re weaponizing the very core of the internet,” said Renee Burton, VP of Infoblox Threat Intel. She added that reverse DNS space was never designed to host web content, which means most defenses do not treat it as a likely threat vector. Consequently, by turning .arpa into a phishing delivery mechanism, attackers can sidestep traditional controls that depend on domain reputation or URL structure.

Furthermore, she emphasized that defenders must begin treating DNS infrastructure as high-value real estate for attackers. Visibility into all parts of DNS, including reverse DNS space, is therefore essential to detect and prevent abuse.

The phishing emails observed in these campaigns impersonate major brands and promote “free gifts” or prizes. The messages typically contain a single image. That image hides an embedded hyperlink, which directs victims through traffic distribution systems before landing on fraudulent websites. Meanwhile, the visible URL does not reveal the unusual .arpa-based reverse DNS strings operating in the background.

Overall, the findings highlight how phishing attacks are increasingly targeting overlooked components of internet infrastructure. As threat actors continue to innovate, security teams must expand monitoring beyond traditional domains to defend against these advanced phishing attacks.
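One way to watch reverse DNS space for the abuse described above, added here as an illustration and not taken from Infoblox or the original article: it flags address-record (A/AAAA) lookups and URL hosts under .arpa, and decodes ip6.arpa nibble labels into the IPv6 prefix they encode. The four-field log format, the `promo` host label and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ADDRESS_QTYPES = {"A", "AAAA"}  # PTR is the expected query type under .arpa

# Constructed sample log (assumed format): timestamp, client, query name, query type.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 example.com. A",
    "2024-01-01T10:00:01Z 10.0.0.5 1.2.0.192.in-addr.arpa. PTR",
    "2024-01-01T10:00:02Z 10.0.0.7 promo.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. AAAA",
]

def is_arpa_name(host):
    """True when the host name sits under the .arpa top-level domain."""
    host = host.rstrip(".").lower()
    return host == "arpa" or host.endswith(".arpa")

def ip6_arpa_prefix(name):
    """Decode the nibble labels of an ip6.arpa name into an IPv6 prefix, else None."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = []
    for label in reversed(labels[:-2]):  # rightmost label is the most significant nibble
        if len(label) != 1 or label not in "0123456789abcdef" or len(nibbles) == 32:
            break  # stop at the first non-nibble label (e.g. an added host label)
        nibbles.append(label)
    if not nibbles:
        return None
    value = int("".join(nibbles).ljust(32, "0"), 16)  # pad host bits with zeros
    return ipaddress.IPv6Network((value, 4 * len(nibbles)))

def flag_dns_queries(lines):
    """Return (client, qname, qtype, prefix) for address lookups under .arpa."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, qtype = fields
        if qtype.upper() in ADDRESS_QTYPES and is_arpa_name(qname):
            hits.append((client, qname.rstrip(".").lower(), qtype.upper(), ip6_arpa_prefix(qname)))
    return hits

def flag_urls(urls):
    """Return the URLs whose host is under .arpa (e.g. links extracted from email)."""
    return [u for u in urls if is_arpa_name(urlsplit(u).hostname or "")]
```

The decoded prefix gives an analyst an address range to compare against known allocations; ordinary PTR lookups are left alone, so routine reverse DNS traffic does not raise alerts.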