Threat Actors Abuse .arpa DNS and IPv6 for Phishing Campaigns
Summary
Threat actors are exploiting the .arpa domain and IPv6 reverse DNS to evade phishing defenses. They abuse reverse DNS zones to host phishing sites, leveraging reputable DNS providers like Cloudflare and Hurricane Electric. The campaign uses short-lived phishing links and other techniques such as hijacking dangling CNAME records and subdomain shadowing. The attackers reserve IPv6 address space, configure additional DNS records, and use reverse DNS hostnames to redirect victims to phishing sites. The lack of WHOIS data and domain age information in the .arpa domain makes detection harder. Infoblox observed over 100 instances of hijacked CNAMEs from well-known organizations, including government agencies, universities, and retailers.
Timeline
- 08.03.2026 16:12 · 1 article
Threat Actors Abuse .arpa DNS and IPv6 for Phishing Campaigns
Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
Information Snippets
- The .arpa domain is a special top-level domain reserved for internet infrastructure, used for reverse DNS lookups.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- IPv4 reverse lookups use in-addr.arpa, while IPv6 uses ip6.arpa.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- Attackers reserve IPv6 address space and configure additional DNS records for phishing sites.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- Phishing emails use images linked to reverse IPv6 DNS records, hiding the phishing infrastructure.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- Phishing links are short-lived, active for only a few days, to evade analysis.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- The .arpa domain lacks WHOIS info, domain age, and contact information, making detection harder.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
- Attackers also hijack dangling CNAME records and use subdomain shadowing to push phishing content.
First reported: 08.03.2026 16:12 (1 source, 1 article). Sources:
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
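
A defender-side check for the behaviour described in the snippets above, added here as an example and not taken from the cited article or from Infoblox: it pulls link targets out of an HTML e-mail body, flags any host under ip6.arpa or in-addr.arpa, and recovers the IPv6 prefix encoded in the name so the address block can be reviewed or blocked. The function names and the sample message are constructed for illustration, and the check assumes reverse-zone hostnames have no legitimate reason to appear in e-mail links.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

REVERSE_ZONES = ("ip6.arpa", "in-addr.arpa")

class _UrlCollector(HTMLParser):
    """Collect href/src attribute values from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def ip6_arpa_prefix(host):
    """Recover the IPv6 prefix from the nibble labels of an ip6.arpa name.
    Extra non-nibble labels in front of the nibbles are ignored."""
    labels = host.lower().rstrip(".").split(".")[:-2]   # drop "ip6", "arpa"
    nibbles = []
    for label in reversed(labels):       # the rightmost label is the most significant nibble
        if not re.fullmatch(r"[0-9a-f]", label):
            break
        nibbles.append(label)
    if not nibbles or len(nibbles) > 32:
        return None
    value = int("".join(nibbles).ljust(32, "0"), 16)    # zero-fill the host bits
    return ipaddress.IPv6Network((value, len(nibbles) * 4))

def find_reverse_dns_links(html_body):
    """Return (url, zone, prefix) for each link whose host is under a reverse zone."""
    collector = _UrlCollector()
    collector.feed(html_body)
    hits = []
    for url in collector.urls:
        host = (urlsplit(url).hostname or "").rstrip(".")
        for zone in REVERSE_ZONES:
            if host == zone or host.endswith("." + zone):
                prefix = ip6_arpa_prefix(host) if zone == "ip6.arpa" else None
                hits.append((url, zone, prefix))
    return hits

# Constructed sample body; 2001:db8::/32 is the IPv6 documentation range.
SAMPLE = ('<a href="https://www.example.com/"><img src="https://cdn.example.com/a.png"></a>'
          '<a href="https://promo.0.0.0.0.0.0.d.4.8.b.d.0.1.0.0.2.ip6.arpa/x">'
          '<img src="https://img.example.net/banner.png"></a>')

if __name__ == "__main__":
    for hit in find_reverse_dns_links(SAMPLE):
        print(hit)
```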