Warning: Hackers Use .arpa Domains and IPv6 to Evade Phishing Detection Systems


Tuesday, March 10, 2026

Security experts from Infoblox have discovered a sophisticated phishing campaign in which attackers abuse the “.arpa” top-level domain (TLD), a domain normally reserved for internet infrastructure, to host malicious links. The .arpa domain is typically used for infrastructure functions such as reverse DNS lookups, where IP addresses are mapped back to hostnames. By leveraging .arpa domains and IPv6 addressing, attackers are able to bypass email security gateways and domain reputation filters. Many security systems implicitly trust infrastructure-related domains, and unlike typical domains, .arpa records often lack WHOIS information such as registration dates or ownership details, making malicious activity significantly harder to detect.

The attackers’ method begins by registering for IPv6 tunneling services from providers such as Hurricane Electric. They then link Cloudflare nameservers to DNS zones under their control, generate SSL certificates, and create complex randomized subdomains designed to appear less suspicious, for example d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa. Instead of typical phishing domains, these unusual IPv6-based domains help disguise the attack infrastructure. Attackers then distribute phishing emails containing enticing content, such as fake security alerts from Norton, promotional rewards from Bath & Body Works, or cookware giveaways from Macy’s, with malicious links embedded in images. When victims click the link, they are first routed through a Traffic Distribution System (TDS) that evaluates device characteristics and IP address data. If the visitor matches the attacker’s targeting criteria, they are redirected to a phishing page designed to harvest sensitive information; otherwise, the user is redirected to a legitimate website to conceal the attack.
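The ip6.arpa name in the example above is not random: each label is one hex nibble of an IPv6 address written in reverse, so a defender can decode the name back to the address block it names and check whether that block belongs to a tunnel broker. The following script is an added example, not code from the article or from Infoblox, that extracts links from a constructed sample email, decodes any .arpa hostnames, and flags links that are wrapped around an image. The watchlist of tunnel prefixes and the sample HTML are assumptions made for this illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative watchlist (an assumption for this example, not from the article).
# 2001:470::/32 is the well-known Hurricane Electric tunnel-broker allocation.
TUNNEL_PREFIXES = {"2001:470::/32": "Hurricane Electric tunnel broker"}

# Constructed sample message: one image-wrapped link to an ip6.arpa host (the
# hostname quoted in the article) and one ordinary link for comparison.
SAMPLE_EMAIL_HTML = """
<p>Your security subscription has expired. Renew now.</p>
<a href="https://d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/renew"><img src="cid:banner"></a>
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
"""


def decode_arpa_host(host):
    """Map a reverse-DNS style hostname back to the address block it names.

    Returns None for hosts outside in-addr.arpa / ip6.arpa. ip6.arpa labels
    are single hex nibbles in reverse order; fewer than 32 nibbles means the
    name covers a prefix (e.g. 16 nibbles -> a /64) rather than one address.
    """
    labels = host.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if not nibbles or len(nibbles) > 32 or any(not re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles)).ljust(32, "0")
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        net = ipaddress.IPv6Network((":".join(groups), len(nibbles) * 4), strict=False)
        return {"family": "ip6.arpa", "network": str(net)}
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if not octets or len(octets) > 4 or any(
            not re.fullmatch(r"\d{1,3}", o) or int(o) > 255 for o in octets
        ):
            return None
        addr = ".".join(list(reversed(octets)) + ["0"] * (4 - len(octets)))
        net = ipaddress.IPv4Network((addr, len(octets) * 8), strict=False)
        return {"family": "in-addr.arpa", "network": str(net)}
    return None


def tunnel_provider(network_str):
    """Name the watchlisted tunnel provider whose prefix contains the block, if any."""
    net = ipaddress.ip_network(network_str)
    for prefix, name in TUNNEL_PREFIXES.items():
        parent = ipaddress.ip_network(prefix)
        if parent.version == net.version and net.subnet_of(parent):
            return name
    return None


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and note whether the anchor wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = {"href": attrs["href"], "image_link": False}
            self.links.append(self._current)
        elif tag == "img" and self._current is not None:
            self._current["image_link"] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def flag_arpa_links(html):
    """Return every link whose hostname sits under .arpa, with the decoded block."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        info = decode_arpa_host(host)
        if info:
            findings.append({**link, **info, "provider": tunnel_provider(info["network"])})
    return findings


if __name__ == "__main__":
    for finding in flag_arpa_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

Decoding the quoted hostname yields 2001:470:36:edd::/64, which falls inside the Hurricane Electric tunnel range, matching the article's description of the infrastructure; a mail gateway rule that treats any .arpa hostname in a clickable link as anomalous (legitimate mail has no reason to link to reverse-DNS names) is the simplest mitigation this check supports.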

In addition, attackers have employed advanced techniques such as CNAME record hijacking, targeting DNS records belonging to government agencies, universities, and major telecommunications companies to increase the credibility of phishing links. These malicious links are typically short-lived, often active for only a few days, to evade detection and investigation. The campaign demonstrates a shift in attacker tactics: instead of relying on newly registered suspicious domains, they are increasingly weaponizing trusted internet infrastructure features themselves. Security experts therefore advise users to avoid clicking links in unsolicited emails, even if the messages appear legitimate, and to access services directly through official websites or trusted applications whenever possible.

Source: https://www.bleepingcomputer.com/news/security/hackers-abuse-arpa-dns-and-ipv6-to-evade-phishing-defenses/