
Phishing Campaigns Target .arpa TLD and IPv6 Tunnels to Evade Security Measures

Phishing campaigns are utilizing a newly discovered evasion technique by exploiting the .arpa top-level domain (TLD) and IPv6 tunnels to bypass traditional security controls.

By hosting malicious links on domains strictly designed for internet infrastructure, threat actors are weaponizing trusted reverse DNS spaces to deliver fraudulent content without triggering domain reputation blocklists.

The .arpa and IPv6 Loophole

The .arpa TLD operates differently from standard consumer-facing domains like .com or .net.

It is primarily used for reverse DNS lookups, which map IP addresses back to domain names, and is never intended to host web content.

To execute this attack, threat actors acquire free IPv6 address space and gain administrative control of the corresponding .arpa subdomain.

Instead of adding expected PTR records, they exploit a feature in the DNS record management of certain providers to create ‘A’ records for reverse DNS names.

This allows attackers to use complex reverse DNS strings (e.g., d.d.e...ip6.arpa) as functioning domain names in phishing emails.

An overview of the process used to abuse the .arpa TLD in phishing emails (source: Infoblox)

Because .arpa is critical for global internet operations, security tools rarely block or scrutinize these infrastructure domains.
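The detection the article implies is straightforward to implement. The following is an added example (not Infoblox's or the article's code) that scans a constructed DNS query log for two signals of this technique: A/AAAA lookups of names under ip6.arpa or in-addr.arpa, where only PTR queries are expected, and labels that are not a hex nibble or decimal octet, such as the random-letter subdomain prepended to the nibble string. The log format (timestamp, client, qname, qtype) and all sample names are constructed.

```python
"""Flag .arpa reverse-DNS names being used as ordinary hostnames.
Added example for this article (not Infoblox's tooling); the log lines and
their field layout (timestamp, client, qname, qtype) are constructed."""
import re

HEX_NIBBLE = re.compile(r"^[0-9a-f]$")                  # ip6.arpa label
OCTET = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)$")   # in-addr.arpa label

def reverse_zone(name):
    """Return 'ip6.arpa', 'in-addr.arpa' or None for a hostname."""
    n = name.lower().rstrip(".")
    for zone in ("ip6.arpa", "in-addr.arpa"):
        if n == zone or n.endswith("." + zone):
            return zone
    return None

def arpa_findings(name, qtype="PTR"):
    """Reasons a `qtype` lookup of `name` is suspicious; [] if it is not."""
    zone = reverse_zone(name)
    if zone is None:
        return []
    reasons = []
    if qtype.upper() in ("A", "AAAA"):  # reverse zones should only see PTR lookups
        reasons.append(f"{qtype.upper()} lookup of a {zone} name")
    labels = name.lower().rstrip(".").split(".")[: -len(zone.split("."))]
    valid = HEX_NIBBLE if zone == "ip6.arpa" else OCTET
    bad = [l for l in labels if not valid.match(l)]
    if bad:  # e.g. a random-letter label prepended to the nibble string
        reasons.append(f"non-standard label(s) {bad} under {zone}")
    return reasons

def scan_dns_log(lines):
    """Return (qname, reasons) for every suspicious query in the log."""
    hits = []
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        reasons = arpa_findings(qname, qtype)
        if reasons:
            hits.append((qname, reasons))
    return hits

# Constructed log: two legitimate PTR lookups, one lure hostname, one normal query
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 4.3.2.1.in-addr.arpa PTR",
    "10:00:02 10.0.0.5 1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa PTR",
    "10:00:03 10.0.0.7 qzxwvbnmkl.5.2.1.6.3.8.b.d.0.1.0.0.2.ip6.arpa A",
    "10:00:04 10.0.0.7 example.com A",
]
```

The same `arpa_findings` check can be applied with `qtype="A"` to the hostname extracted from a hyperlink in an email body, since a user clicking the image lure forces exactly that lookup.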

According to Infoblox, the phishing campaigns typically begin with spam emails that impersonate well-known brands, promising a “free gift” or warning users of expired cloud storage limits.

These messages consist of a single image containing a hidden hyperlink, ensuring victims do not see the unusual .arpa domain string before clicking.

Once a victim clicks the lure, they are not immediately taken to the phishing page. Instead, they are routed through a Traffic Distribution System (TDS) that fingerprints their device and connection type.

If the user meets specific criteria, such as using a mobile device on a residential IP network, they are redirected through a chain of domains to the malicious landing page.


If they do not meet the criteria, the TDS redirects them to a benign site or displays an error message.

Alongside .arpa abuse, attackers are hijacking dangling CNAME records to bypass email security filters.

The phishing emails use a variety of lures to entice users into clicking on the hyperlinked image (source: Infoblox)

When legitimate organizations fail to update DNS records after a domain expires, threat actors purchase the abandoned domain to gain control over subdomains belonging to highly reputable entities.

For example, the expiration of domains like publicnoticessites[.]com and hobsonsms[.]com allowed attackers to instantly hijack multiple trusted subdomains connected to government agencies, universities, and global corporations.
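A defender can catch this class of takeover before an attacker does by walking its own CNAME chains and checking whether each terminal target's apex is still registered. The following is an added example (not Infoblox's tooling); the zone records and the set of registered apexes are constructed, and the apex is approximated as the last two labels, which is an assumption that breaks for multi-label public suffixes such as co.uk.

```python
"""Find CNAME records whose chain ends in a domain nobody controls any more.
Added example for this article; records and the 'registered' set are
constructed stand-ins for zone exports and WHOIS/RDAP or NXDOMAIN checks."""

def apex(name):
    """Registrable domain, approximated as the last two labels (assumption)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def cname_chain(records, name, limit=8):
    """Follow CNAMEs from `name`; `limit` bounds loops such as a -> b -> a."""
    chain = [name]
    while len(chain) <= limit:
        target = records.get(chain[-1], {}).get("CNAME")
        if not target:
            break
        chain.append(target)
    return chain

def dangling_cnames(records, registered):
    """Return (subdomain, terminal target, apex) for every CNAME whose chain
    ends under an apex that is not registered, i.e. available for takeover."""
    findings = []
    for name, rr in records.items():
        if "CNAME" not in rr:
            continue
        terminal = cname_chain(records, name)[-1]
        if apex(terminal) not in registered:
            findings.append((name, terminal, apex(terminal)))
    return findings

# Constructed records: two subdomains outsourced to vendors, one vendor lapsed
RECORDS = {
    "notices.agency.example": {"CNAME": "hosting.vendor-a.example"},
    "hosting.vendor-a.example": {"A": "203.0.113.10"},
    "sms.university.example": {"CNAME": "app.lapsed-vendor.example"},
    "www.university.example": {"A": "203.0.113.20"},
}
# Constructed: apexes that WHOIS/RDAP would report as currently registered
REGISTERED = {"agency.example", "vendor-a.example", "university.example"}
```

Any finding is a subdomain whose reputation an attacker inherits simply by registering the lapsed apex, so it should be removed from the zone or re-pointed before that happens.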

Indicators of Compromise (IOCs)

Organizations should monitor network traffic for unusual .arpa queries and review DNS configurations.

Below is a selection of indicators associated with these phishing campaigns.

Indicator | Type | Description
<10 random letters>.5.2.1.6.3...[.]ip6[.]arpa | Reverse DNS | IPv6 reverse DNS domain with DGA subdomain
<10 random letters>.9.a.d.0.6...[.]ip6[.]arpa | Reverse DNS | IPv6 reverse DNS domain with DGA subdomain
actinismoleil[.]sbs | Malicious Domain | Phishing landing page
cablecomparison[.]shop | Malicious Domain | Phishing landing page
dulcetoj[.]com | TDS Domain | Traffic Distribution System domain
golandof[.]com | TDS Domain | Traffic Distribution System domain
publicnoticessites[.]com | Hijacked CNAME | Domain with a subdomain acting as a hijacked CNAME
hobsonsms[.]com | Hijacked CNAME | Domain with a subdomain serving as a hijacked CNAME
hyfnrsx1[.]com | Hijacked CNAME | Domain with a subdomain acting as a hijacked CNAME


The post Phishing Campaigns Target .arpa TLD and IPv6 Tunnels to Evade Security Measures appeared first on Cyber Security News.
