Internet Infrastructure TLD .arpa Abused in Phishing Attacks

Abusing DNS record management controls, the threat actor hides the location of malicious content via Cloudflare.

By Ionut Arghire | March 9, 2026 (8:06 AM ET)

A threat actor has been abusing the internet infrastructure top-level domain (TLD) .arpa to host phishing content on domains that should not resolve to IP addresses, Infoblox reports.

The .arpa TLD is designed to map IP addresses to domains, providing reverse DNS records, and should not host web content as other TLDs do.

As part of the newly uncovered campaign, however, a threat actor has been abusing DNS record management controls of certain providers to add IP address records for .arpa domains and serve phishing content to victims.

Impersonating major brands, the phishing emails display an image hiding an embedded hyperlink designed to take the victim to the malicious website after a series of redirects. The links use a reverse DNS string instead of a standard domain name, but the actual domain is hidden from the victim's view to avoid raising suspicion.

As part of the .arpa phishing campaign, the threat actor has exploited a vulnerability at DNS providers that allowed them to claim ownership of .arpa domains.

"To make this attack work, the threat actor acquires some IPv6 address space, for which they are delegated control of the corresponding .arpa subdomain. Then, instead of adding the expected PTR records, they create A records for the reverse DNS names," Infoblox explains.

These records were created through Cloudflare and Hurricane Electric, but other DNS providers also allow the configuration.
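As an added example (not from the article or from Infoblox), the Python below flags A/AAAA records published under ip6.arpa or in-addr.arpa names, where only PTR records are expected, and recovers the delegated prefix plus any prepended labels (the randomly generated subdomains the article mentions) so a finding can be attributed to the address block. The records are constructed sample lines in a simple "qname rtype rdata" form.

```python
import ipaddress

HEX = set("0123456789abcdef")

# Constructed sample, "qname rtype rdata" per line (passive-DNS / resolver-log style).
SAMPLE_RECORDS = """\
x7k2q9.8.b.d.0.1.0.0.2.ip6.arpa A 203.0.113.10
zz91ab.8.b.d.0.1.0.0.2.ip6.arpa A 203.0.113.11
4.3.2.1.in-addr.arpa A 198.51.100.7
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR host.example.net.
www.example.org A 198.51.100.20
"""


def reverse_name_to_prefix(qname):
    """Map an ip6.arpa / in-addr.arpa name to (delegated network, leftover labels);
    nibble/octet labels are consumed outward from the .arpa suffix and whatever
    remains (e.g. a random prepended subdomain) is returned. None if not reverse DNS."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        valid, bits, maxparts = (lambda l: len(l) == 1 and l in HEX), 4, 32
    elif labels[-2:] == ["in-addr", "arpa"]:
        valid, bits, maxparts = (lambda l: l.isdigit() and int(l) < 256), 8, 4
    else:
        return None
    body, parts = labels[:-2], []
    for lab in reversed(body):
        if not valid(lab) or len(parts) == maxparts:
            break
        parts.append(lab)  # parts ends up in address order, most significant first
    if not parts:
        return None
    if bits == 4:
        digits = "".join(parts).ljust(32, "0")
        addr = ":".join(digits[i:i + 4] for i in range(0, 32, 4))
    else:
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    net = ipaddress.ip_network(f"{addr}/{bits * len(parts)}", strict=False)
    return net, body[: len(body) - len(parts)]


def find_arpa_web_records(text):
    """Return (qname, rtype, rdata, network, extra_labels) for A/AAAA records under .arpa."""
    hits = []
    for line in text.splitlines():
        qname, rtype, rdata = line.split(maxsplit=2)
        if rtype.upper() in ("A", "AAAA"):  # PTR is the expected type in these zones
            parsed = reverse_name_to_prefix(qname)
            if parsed:
                hits.append((qname, rtype, rdata, parsed[0], parsed[1]))
    return hits
```

Running `find_arpa_web_records(SAMPLE_RECORDS)` yields three findings, all attributed to 2001:db8::/32 or 1.2.3.4/32, while the PTR record and the ordinary hostname are ignored.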
While .arpa domains are typically trusted and the domain names unlikely to be blocked, the threat actor further made the reverse DNS domains difficult to identify and block by prepending them with randomly generated subdomains, creating unique Fully Qualified Domain Names (FQDNs) that were then used to build phishing email HTMLs.

The identified reverse DNS FQDNs resolved to two IP addresses belonging to Cloudflare's edge network, essentially hiding the location of the malicious content.

Infoblox also discovered that the threat actor hijacked the Canonical Name (CNAME) records of known education, government, media, retail, and telecommunication entities and abused subdomains of their legitimate domains in their phishing attacks.

"We also saw a few cases of domain shadowing, in which an actor-controlled subdomain is created, typically through credential theft. The lure images are unrelated to the hijacked domains. As with the IPv6 reverse domains, victims are unlikely to ever notice them," Infoblox notes.

The company observed hijacked CNAMEs being constantly abused in phishing attacks since September 2025, some in more than 100 different email runs per day. Some of the domains have been abused for years, and the toolkit used in this campaign has been used by multiple threat actors since 2017.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
Threat actors are abusing the .arpa infrastructure TLD for phishing by exploiting DNS provider controls to add IP address (A) records to reverse DNS subdomains they control, then using these domains to host malicious content obscured behind Cloudflare's network. The article does not provide a CVSS score, specific affected or fixed software versions, or a workaround, as the issue stems from a misconfiguration or policy gap at DNS providers rather than a patchable software vulnerability.