- Hackers are abusing .arpa domains to effectively hide phishing attacks
- Phishing emails mimic trusted brands to trick users into revealing credentials
- IPv6 address ranges give attackers control over malicious .arpa subdomains
A new type of phishing attack has been seen exploiting the .arpa domain, a part of the internet normally used for essential network functions rather than websites.
Unlike more familiar domains such as .com or .net, .arpa helps computers match IP addresses to domain names, a process called reverse DNS.
But new research from Infoblox Threat Intel claims attackers now use this space to host phishing pages while avoiding standard security checks.
Why abusing .arpa is a serious threat
“When we see attackers abusing .arpa, they’re weaponizing the very core of the internet,” said Dr. Renée Burton, VP of Infoblox Threat Intel.
She explained .arpa was never meant to host websites, so many security systems do not monitor it closely, and by using it to deliver malicious pages, attackers can bypass defenses that rely on known domain names or typical URL patterns.
The attack works with IPv6, the newest type of internet address. Cybercriminals gain control of a range of addresses and then configure them to point to servers hosting phishing pages.
In some cases, these addresses are managed through services such as Cloudflare, which hide the true location of the malicious content.
Some DNS providers even allow users to manage .arpa domains in ways never intended for web hosting.
This allows attackers to attach harmful content to entries that normally would not lead to a website.
The abuse also involves free IPv6 tunnels, which provide administrative access to large address ranges even if the tunnels themselves are not used for data transit.
The malicious content is delivered through phishing emails, which often mimic well-known brands and promise rewards such as “free gifts” or prizes to make the messages appear legitimate.
When a user clicks the image or link in the email, the user is redirected to a fake website that captures login details or other sensitive information.
The emails serve as bait, the unusual .arpa addresses remain hidden in the background, so the visible URL appears normal.
Because .arpa is essential to DNS operations, its domains are less likely to be blocked automatically.
Attackers also create unique, hard-to-detect addresses by adding random subdomains, making it difficult for security systems to identify them.
This attack method shows that cybercriminals do not need to exploit software flaws to succeed.
By creatively repurposing existing internet mechanisms, they can trick users into giving away credentials through seemingly legitimate channels.
Burton warns that defenders need to treat DNS infrastructure as “high-value real estate for attackers” and monitor all possible points of abuse.
Organizations can reduce risk by tightening firewall rules, enforcing identity protection policies, and ensuring quick malware removal if attacks succeed.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.