
Internet Infrastructure TLD .arpa Abused in Phishing Attacks

Abusing DNS record management controls, the threat actor hides the location of malicious content via Cloudflare.


A threat actor has been abusing the internet infrastructure top-level domain (TLD) .arpa to host phishing content on domains that should not resolve to IP addresses, Infoblox reports.

The .arpa TLD is designed to map IP addresses to domains, providing reverse DNS records, and should not host web content, as other TLDs do.

As part of the newly uncovered campaign, however, a threat actor has been abusing DNS record management controls of certain providers to add IP address records for .arpa domains and serve phishing content to victims.

Impersonating major brands, the phishing emails display an image hiding an embedded hyperlink designed to take the victim to the malicious website after a series of redirects.

The links use a reverse DNS string instead of a standard domain name, but the actual domain is hidden from the victim’s view to avoid raising suspicion.

As part of the .arpa phishing campaign, the threat actor has exploited a vulnerability at DNS providers that allowed them to claim ownership of .arpa domains.


“To make this attack work, the threat actor acquires some IPv6 address space, for which they are delegated control of the corresponding .arpa subdomain. Then, instead of adding the expected PTR records, they create A records for the reverse DNS names,” Infoblox explains.

These records were created through Cloudflare and Hurricane Electric, but other DNS providers also allow the configuration.

While .arpa domains are typically trusted and unlikely to be blocked, the threat actor made the reverse DNS domains even harder to identify and block by prepending randomly generated subdomains, creating unique fully qualified domain names (FQDNs) that were then embedded in the HTML of the phishing emails.
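Defender-side triage for the pattern described above, as an added example rather than code from Infoblox or SecurityWeek: it takes the hostnames from links found in email HTML, decodes any ip6.arpa or in-addr.arpa name back to the delegated prefix (the part a registry delegation actually covers), and separates out the randomly generated labels prepended in front of it. The sample URLs are constructed, not indicators from the campaign.

```python
import ipaddress
from urllib.parse import urlparse

HEX = set("0123456789abcdef")
RULES = {  # reverse zone -> (max address labels, per-label validator)
    ("ip6", "arpa"): (32, lambda x: len(x) == 1 and x in HEX),
    ("in-addr", "arpa"): (4, lambda x: x.isdigit() and int(x) < 256),
}


def analyse_arpa_host(host):
    """Return a finding for an ip6.arpa / in-addr.arpa host, else None.
    Reverse names should carry only PTR records, so one used as a web host
    is the anomaly described above. Address labels are consumed from the
    right and decoded to the delegated prefix; whatever remains on the left
    is the random subdomain the actor prepended to make each FQDN unique.
    """
    labels = host.lower().rstrip(".").split(".")
    rule = RULES.get(tuple(labels[-2:]))
    if rule is None:
        return None
    limit, ok = rule
    body, parts = labels[:-2], []
    while body and len(parts) < limit and ok(body[-1]):
        parts.append(body.pop())
    if not parts:
        return None
    if limit == 32:  # pad a prefix delegation out to a full 128-bit value
        hexstr = "".join(parts).ljust(32, "0")
        prefix = ipaddress.IPv6Network((int(hexstr, 16), 4 * len(parts)))
    else:
        dotted = ".".join(parts + ["0"] * (4 - len(parts)))
        prefix = ipaddress.IPv4Network(f"{dotted}/{8 * len(parts)}")
    return {"host": host, "prefix": str(prefix), "prepended_labels": body}


def suspicious_arpa_links(urls):
    """Run analyse_arpa_host over each URL's hostname and keep the hits."""
    hits = []
    for url in urls:
        finding = analyse_arpa_host(urlparse(url).hostname or "")
        if finding:
            hits.append(dict(finding, url=url))
    return hits


# Constructed sample links (not real indicators): 2001:db8::1 as a reverse
# name with a random label prepended, next to an ordinary hostname.
SAMPLE_URLS = [
    "https://x7k2q9." + "1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.ip6.arpa/login",
    "https://www.example.com/invoice",
]
```

The decoded prefix is the value worth pivoting on in mail and DNS logs, since the actor can generate unlimited FQDNs under it but cannot change the delegated address space without acquiring more.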

The identified reverse DNS FQDNs resolved to two IP addresses belonging to Cloudflare’s edge network, essentially hiding the location of the malicious content.

Infoblox also discovered that the threat actor hijacked the Canonical Name (CNAME) records of known education, government, media, retail, and telecommunication entities and abused subdomains of their legitimate domains in their phishing attacks.

“We also saw a few cases of domain shadowing, in which an actor-controlled subdomain is created, typically through credential theft. The lure images are unrelated to the hijacked domains. As with the IPv6 reverse domains, victims are unlikely to ever notice them,” Infoblox notes.

The company observed hijacked CNAMEs being constantly abused in phishing attacks since September 2025, some in more than 100 different email runs per day. Some of the domains have been abused for years, and the toolkit used in this campaign has been used by multiple threat actors since 2017.

Related: Tycoon 2FA Phishing Platform Dismantled in Global Takedown

Related: LastPass Warns of New Phishing Campaign

Related: ‘Stanley’ Malware Toolkit Enables Phishing via Website Spoofing

Related: Complex Routing, Misconfigurations Exploited for Domain Spoofing in Phishing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
