The .arpa top-level domain (TLD) is being abused by cybercriminals in phishing campaigns, according to a report from Infoblox. The TLD is infrastructure space: its in-addr.arpa and ip6.arpa subtrees map IP addresses back to host names through reverse DNS records. Attackers are now using names under it to serve phishing content.
Understanding the .arpa Exploit
Unlike ordinary TLDs, .arpa is not meant to host web content: a reverse zone is expected to contain PTR records, not address records. Attackers, however, have used the DNS management controls of providers that delegate reverse zones to add IP address (A) records under .arpa names, turning those names into phishing hosts that impersonate well-known brands.
The phishing emails contain images that carry hyperlinks; clicking one sends the victim to the malicious site. Because the host part of the URL is a reverse-DNS string (a long run of single-character labels under ip6.arpa), recipients cannot easily tell what they are about to visit, and the name gives no hint of deception.
Methodology of the Attack
The threat actors abuse the way DNS providers delegate reverse zones: whoever holds an IPv6 allocation is given control of the matching ip6.arpa zone, so by acquiring IPv6 address space they obtain the corresponding .arpa subdomains. Into those zones they insert A records instead of the expected PTR records, so the names resolve to phishing sites.
The technique has been observed in reverse zones hosted by DNS services including Cloudflare and Hurricane Electric. To complicate detection further, the attackers generate random subdomains, so each phishing email carries a unique Fully Qualified Domain Name (FQDN) and a blocklist entry for one name does not match the next.
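The two observable traits described above, a web link whose host is a reverse-DNS name and an A record where a reverse zone should only hold PTRs, are straightforward to check for. The following is an added example (not code from the Infoblox report or from any of the named providers): it decodes an ip6.arpa or in-addr.arpa name back to the address block it stands for, separates any leading randomly generated labels, classifies URLs pulled from an email, and scans passive-DNS style "name rrtype rdata" lines for reverse-zone names answering with A/AAAA. The URLs and DNS lines are constructed sample input and use documentation address space; the record-type set is an assumption about what a reverse zone normally contains (RFC 2317 classless delegation uses CNAMEs, so those are not flagged).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Record types that normally appear in a reverse zone (assumption for this
# example). Anything else, A/AAAA in particular, is what the campaign abuses.
EXPECTED_REVERSE_RRTYPES = {"PTR", "NS", "SOA", "DS", "CNAME", "RRSIG", "NSEC", "NSEC3"}


def decode_reverse_name(hostname):
    """Map an ip6.arpa / in-addr.arpa name back to the address block it stands for.

    Returns (network, extra_labels), where extra_labels are any labels to the
    left of the address part (e.g. randomly generated subdomains), or None if
    the name is not under either reverse suffix.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        body, max_labels, pattern = labels[:-2], 32, r"[0-9a-f]"
    elif labels[-2:] == ["in-addr", "arpa"]:
        body, max_labels, pattern = labels[:-2], 4, r"(25[0-5]|2[0-4]\d|1?\d?\d)"
    else:
        return None
    # Address labels are stored least-significant first, so walk from the
    # right to rebuild them in normal order, stopping at the first label that
    # is not a nibble/octet or once a full address has been consumed.
    parts = []
    i = len(body)
    while i > 0 and len(parts) < max_labels and re.fullmatch(pattern, body[i - 1]):
        parts.append(body[i - 1])
        i -= 1
    if not parts:
        return None
    extra = body[:i]
    if max_labels == 32:
        value = int("".join(parts).ljust(32, "0"), 16)
        network = ipaddress.IPv6Network((value, 4 * len(parts)))
    else:
        octets = [int(p) for p in parts] + [0] * (4 - len(parts))
        network = ipaddress.IPv4Network((int.from_bytes(bytes(octets), "big"), 8 * len(parts)))
    return network, extra


def classify_url(url):
    """Classify a hyperlink target pulled from an email body."""
    host = urlparse(url).hostname or ""
    decoded = decode_reverse_name(host)
    if decoded is None:
        return {"url": url, "suspicious": False, "reason": "host not under a reverse-DNS suffix"}
    network, extra = decoded
    return {
        "url": url,
        "suspicious": True,
        "reason": "web link into reverse-DNS namespace",
        "network": str(network),          # address space the zone was delegated for
        "generated_labels": extra,        # labels in front of the address part
    }


def flag_reverse_zone_records(lines):
    """Return (name, rrtype, rdata) for reverse-zone names carrying unexpected record types."""
    hits = []
    for line in lines:
        name, rrtype, rdata = line.split(maxsplit=2)
        if decode_reverse_name(name) is None:
            continue
        if rrtype.upper() not in EXPECTED_REVERSE_RRTYPES:
            hits.append((name, rrtype.upper(), rdata))
    return hits


# Constructed sample input (not taken from the report): one lure URL with a
# random label in front of a /48 reverse zone, one benign link, one IPv4 case.
SAMPLE_URLS = [
    "https://k7qz2.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/verify",
    "https://www.example.com/login",
    "http://4.3.2.1.in-addr.arpa/",
]

# Constructed passive-DNS style lines: delegation and PTR are normal, A is not.
SAMPLE_PDNS = [
    "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa NS ns1.example.net.",
    "k7qz2.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa A 192.0.2.10",
    "4.3.2.1.in-addr.arpa PTR host.example.org.",
    "4.3.2.1.in-addr.arpa A 198.51.100.7",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u))
    for hit in flag_reverse_zone_records(SAMPLE_PDNS):
        print("unexpected record in reverse zone:", hit)
```

Decoding the name to a network is the useful part for an investigator: the /48 recovered from the lure identifies the IPv6 allocation the attacker acquired, which is a stable pivot even when the random leading label changes with every email.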
Implications and Broader Impact
Infoblox found that these malicious reverse-DNS FQDNs resolve to IP addresses inside Cloudflare's network, which masks the true origin of the phishing content. The attackers have also hijacked CNAME records belonging to legitimate organizations across several sectors, including education and telecommunications, and folded those names into the same campaigns.
Domain shadowing has been observed as well: attackers use stolen domain-owner credentials to create subdomains under legitimate domains. The lure images in the emails are hosted on those shadowed subdomains rather than linking directly to the hijacked domains, which keeps the visible links looking unremarkable to victims.
Conclusion and Future Outlook
Infoblox reports that these tactics have been in steady use since September 2025, with some domains appearing in more than 100 email runs a day. The toolkit behind the campaigns has been circulating among threat actors since 2017, a reminder that the abuse is not new even if the .arpa twist is.
Knowing the technique and tightening DNS controls are the practical defences. Legitimate web content is not served from reverse-DNS names, so hyperlinks whose host sits under in-addr.arpa or ip6.arpa can be treated as suspicious on sight, and operators of reverse zones should expect to see PTR records there, not A records.
