Cybersecurity experts at Infoblox Threat Intel have identified a sophisticated phishing operation that manipulates core internet infrastructure to slip past enterprise security mechanisms.
The campaign introduces an unusual evasion strategy: attackers are exploiting the .arpa top-level domain (TLD) while leveraging IPv6 tunnel services to host phishing pages. This method allows malicious actors to sidestep traditional domain reputation systems, posing a growing challenge for security teams.
Unlike public-facing domains such as .com or .net, the .arpa TLD is reserved strictly for internal internet functions. It primarily supports reverse DNS lookups, translating IP addresses into domain names, and was never intended to serve public web content.
Researchers found that attackers are capitalizing on weaknesses within DNS record management systems. By using free IPv6 tunnel providers, threat actors obtain control over certain IPv6 address ranges. Rather than configuring reverse DNS pointer (PTR) records as expected, they create standard A records under .arpa subdomains. This results in fully qualified domain names that appear to be legitimate infrastructure addresses—entities that security tools generally consider trustworthy and therefore seldom inspect closely.
Attack Chain and CNAME Hijacking
According to Infoblox, the campaign often starts with malspam emails impersonating well-known consumer brands. The emails feature a single clickable image that either advertises a prize or warns about a disrupted subscription.
Once clicked, victims are routed through a sophisticated Traffic Distribution System (TDS). The TDS analyzes the incoming traffic, specifically filtering for mobile users on residential IP networks, before ultimately delivering the malicious content.
In addition to abusing the .arpa namespace, the attackers are also exploiting dangling CNAME records. They have taken control of outdated subdomains belonging to respected government bodies, media outlets, and academic institutions. By registering expired domains that abandoned CNAME records still reference, they effectively inherit the reputation of trusted organizations, allowing malicious traffic to blend in seamlessly.
Dr. Renée Burton, Vice President at Infoblox Threat Intel, emphasized the severity of this tactic, noting that "weaponizing the .arpa namespace effectively turns the core of the internet into a phishing delivery mechanism."
Because reverse DNS domains inherently carry a clean reputation and lack conventional registration details, security systems that depend on URL analysis and blocklists often fail to identify the threat.
Experts recommend that organizations begin viewing foundational DNS infrastructure as a potential attack surface. Proactive monitoring, particularly for unusual record creation within the .arpa namespace, along with specialized filtering controls, will be critical to defending against this evolving threat.
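The two abuses described above (forward-style A records placed under ip6.arpa/in-addr.arpa, and CNAMEs pointing at targets nobody controls any more) can both be surfaced from passive-DNS or resolver logs. The following is an added example, not Infoblox's tooling or code from the report; the records, hostnames and the `RESOLVABLE` set are constructed stand-ins, and a real deployment would replace that set with a live lookup.

```python
from urllib.parse import urlparse

REVERSE_ZONES = {".ip6.arpa": "ip6", ".in-addr.arpa": "in-addr"}

def reverse_namespace(name):
    """Return 'ip6' or 'in-addr' when name sits under a reverse-DNS zone, else None."""
    n = name.rstrip(".").lower()
    for suffix, kind in REVERSE_ZONES.items():
        if n.endswith(suffix):
            return kind
    return None

def has_foreign_labels(name):
    """True when a reverse-zone name carries labels that cannot be address nibbles
    (ip6.arpa) or octets (in-addr.arpa), e.g. 'login' in front of an ip6.arpa name."""
    kind = reverse_namespace(name)
    if kind is None:
        return False
    labels = name.rstrip(".").lower().split(".")[:-2]  # drop 'ip6'/'in-addr' and 'arpa'
    if kind == "ip6":
        return any(len(lab) != 1 or lab not in "0123456789abcdef" for lab in labels)
    return any(not (lab.isdigit() and int(lab) <= 255) for lab in labels)

def flag_arpa_forward_records(records):
    """Reverse zones should answer PTR queries; A/AAAA answers there are suspicious."""
    return [r for r in records
            if reverse_namespace(r["qname"]) and r["qtype"] in ("A", "AAAA")]

def find_dangling_cnames(records, resolvable):
    """CNAME records whose target is not in the set of names known to resolve."""
    return [r for r in records
            if r["qtype"] == "CNAME" and r["answer"].rstrip(".").lower() not in resolvable]

def url_uses_arpa_host(url):
    """True when a URL's hostname lies under a reverse-DNS zone (never expected for web content)."""
    return reverse_namespace(urlparse(url).hostname or "") is not None

# Constructed sample of passive-DNS style records (not real indicators).
SAMPLE_RECORDS = [
    {"qname": "10.113.0.203.in-addr.arpa", "qtype": "PTR", "answer": "mail.example.net"},
    {"qname": "login.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa", "qtype": "A", "answer": "203.0.113.10"},
    {"qname": "promo.example.org", "qtype": "CNAME", "answer": "old-vendor.example.com"},
    {"qname": "www.example.org", "qtype": "CNAME", "answer": "cdn.example.net"},
]
# Constructed stand-in for "does this CNAME target still resolve?" (a live check would query DNS).
RESOLVABLE = {"cdn.example.net", "mail.example.net"}

if __name__ == "__main__":
    print(flag_arpa_forward_records(SAMPLE_RECORDS))
    print(find_dangling_cnames(SAMPLE_RECORDS, RESOLVABLE))
```

`has_foreign_labels` is the cheaper first-pass filter: a legitimate reverse name consists only of hex nibbles or decimal octets, so any other label in front of ip6.arpa or in-addr.arpa is worth a closer look even before the query type is known.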
