Threat actors have discovered a novel phishing technique that abuses the .arpa top-level domain, which is reserved for reverse DNS lookups and was never intended to host web content. By acquiring IPv6 address space through free tunnel providers such as Hurricane Electric, attackers gain delegated control over the corresponding ip6.arpa subdomains. Instead of adding the PTR records such a zone is meant to hold, they create A records, so that names under the reverse DNS domain resolve to IP addresses hosted on reputable CDNs like Cloudflare. Phishing emails embed these .arpa domains as hidden image hyperlinks, bypassing security tools that rely on domain reputation, registration data, or blocklists, none of which have a meaningful signal for a name under .arpa. The campaigns also abuse dangling CNAMEs from expired domains and subdomain shadowing to hijack subdomains of government agencies, universities, and major brands. Victims are routed through traffic distribution systems that fingerprint each visitor and preferentially forward mobile devices on residential IP addresses before landing them on fraudulent pages that steal credit card information. Indicators of compromise and further details are available in the Infoblox Threat Intel GitHub repository.
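The detection angle follows directly from the technique: a hostname under .arpa has no business appearing in an email hyperlink, and a name under ip6.arpa or in-addr.arpa should carry PTR records, not A or AAAA records. The script below is an added example written for this summary, not code from Infoblox or from the article it summarizes. It extracts link targets from an email body, flags any host under .arpa, recovers the delegated prefix from the reverse-nibble labels, and checks a DNS answer for forward records. The email body, the DNS answers and the hostname (built from the 2001:db8::/32 documentation prefix) are all constructed for the example and are not indicators from the campaign; a real deployment would replace the `SAMPLE_DNS` dictionary with live lookups.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample email body: a 1x1 tracking-style image wrapped in a link
# whose host lives under ip6.arpa. The prefix 2001:db8::/32 is reserved for
# documentation, so this name is an example, not a real indicator.
SAMPLE_HTML = """
<p>Your parcel could not be delivered.
<a href="https://login.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/track">
<img src="https://cdn.example/pixel.gif" width="1" height="1"></a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
"""

# Constructed DNS answers standing in for live lookups (e.g. via dnspython).
# A name under ip6.arpa should only ever answer with PTR (or NS/SOA) records;
# the A record here is the anomaly the article describes.
SAMPLE_DNS = {
    "login.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa": {"A": ["203.0.113.10"]},
    "www.example.com": {"A": ["192.0.2.1"]},
}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
HEX_NIBBLES = set("0123456789abcdef")


def normalize(host):
    """Lower-case a hostname and drop any trailing dot."""
    return host.lower().rstrip(".")


def is_arpa_host(host):
    """True if the hostname sits anywhere under the .arpa TLD."""
    labels = normalize(host).split(".")
    return labels[-1] == "arpa"


def arpa_to_prefix(host):
    """Recover the address prefix encoded in an ip6.arpa or in-addr.arpa name.

    Reverse DNS names list the address backwards, one nibble (IPv6) or octet
    (IPv4) per label. Leftmost labels that are not nibbles/octets (e.g. the
    'login' label an attacker adds inside a delegated zone) end the address
    part. Returns an ipaddress network object, or None if the name is not a
    reverse DNS name.
    """
    labels = normalize(host).split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = []
        for label in reversed(labels[:-2]):
            if len(label) == 1 and label in HEX_NIBBLES:
                nibbles.append(label)
            else:
                break
        if not nibbles:
            return None
        hexstr = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network(f"{addr}/{4 * len(nibbles)}", strict=False)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = []
        for label in reversed(labels[:-2]):
            if label.isdigit() and 0 <= int(label) <= 255:
                octets.append(label)
            else:
                break
        if not octets:
            return None
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{addr}/{8 * len(octets)}", strict=False)
    return None


def triage_links(html, dns_answers):
    """Flag every hyperlink whose host is under .arpa.

    A link under .arpa is already unusual enough to surface; if the name also
    resolves to A/AAAA records (forward resolution from a reverse DNS zone),
    the finding is marked suspicious.
    """
    findings = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname
        if not host or not is_arpa_host(host):
            continue
        answer = dns_answers.get(normalize(host), {})
        forward = answer.get("A", []) + answer.get("AAAA", [])
        findings.append({
            "url": url,
            "host": normalize(host),
            "prefix": arpa_to_prefix(host),
            "forward_records": forward,
            "verdict": "suspicious" if forward else "arpa-link",
        })
    return findings


def demo():
    """Run the triage over the constructed sample."""
    return triage_links(SAMPLE_HTML, SAMPLE_DNS)


if __name__ == "__main__":
    for finding in demo():
        print(finding["verdict"], finding["host"], finding["prefix"],
              finding["forward_records"])
```

The recovered prefix is useful for the response side: it identifies the delegated tunnel block that was abused, which is what an abuse report to the tunnel provider needs, and a mail gateway rule that quarantines any message linking to a host under .arpa costs nothing in false positives because legitimate mail never does so.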

From infoblox.com

Table of contents of the source article:
How .arpa Can Be Abused
There’s More to the Story
The Phish Itself
Why All This Matters
