Security researchers have discovered a novel phishing technique in which threat actors abuse the .arpa top-level domain (TLD), which is normally reserved for reverse DNS lookups, to host malicious content. Attackers exploit DNS management features to register IP address records for .arpa domains, allowing them to bypass security controls and host phishing sites. The campaigns use embedded image links containing reverse DNS strings that redirect victims through traffic distribution systems to malicious websites.
Background
The .arpa TLD is a special-purpose domain used primarily for reverse DNS lookups, in which IP addresses are mapped back to domain names via PTR records. Unlike regular TLDs such as .com, .arpa domains are not intended to host web content or serve as forward-facing websites.
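Because .arpa names are not meant to appear in web links, a mail or proxy filter can treat any link host under .arpa as suspicious. The following is an added example, not code from the researchers or the original page: it scans an HTML body for href/src hosts under .arpa and decodes full reverse-DNS names back to the IP they encode. The function names and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def arpa_to_ip(host):
    """Return the IP a full reverse-DNS name encodes, else None."""
    labels = host.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            if re.fullmatch(r"[0-9a-f]{32}", nibbles):
                return ipaddress.IPv6Address(int(nibbles, 16))
    except ValueError:  # labels do not form a valid address
        pass
    return None

class LinkCollector(HTMLParser):
    """Collect (tag, url) for every href/src attribute in a message body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [(tag, v) for k, v in attrs if k in ("href", "src") and v]

def find_arpa_links(html):
    """List (tag, host, decoded_ip) for links whose host is under .arpa."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed URL, nothing to resolve
            continue
        if host == "arpa" or host.endswith(".arpa"):
            findings.append((tag, host, arpa_to_ip(host)))
    return findings

# Constructed sample body; uses documentation address ranges only.
SAMPLE_HTML = (
    '<a href="https://%s/"><img src="https://cdn.example.net/promo.png"></a>'
    '<a href="https://abc.2.0.192.in-addr.arpa/x">details</a>'
) % ipaddress.ip_address("2001:db8::1").reverse_pointer

if __name__ == "__main__":
    for tag, host, ip in find_arpa_links(SAMPLE_HTML):
        print(f"<{tag}> {host} -> {ip or 'not a full reverse name'}")
```

A host under .arpa that does not decode to an address is still reported, with the IP field set to None.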
- Source: Lobsters
- Published: Mar 9, 2026 at 11:28 PM
- Score: 7.0 / 10