A newly documented phishing campaign analyzed by Infoblox demonstrates how attackers can weaponize the technical .arpa domain and reverse DNS for IPv6 to slip past email gateways and web filters. Instead of exploiting protocol-level vulnerabilities, the operators take advantage of gaps in DNS configuration policies and weaknesses in domain reputation checks.
What is the .arpa Domain and Why It Is Difficult to Filter
The .arpa top-level domain is reserved for core Internet infrastructure tasks, not for hosting regular websites. One of its primary roles is reverse DNS resolution — mapping an IP address back to a hostname using PTR (Pointer) records. For IPv4 this is done under in-addr.arpa, and for IPv6 under ip6.arpa.
In standard configurations, in-addr.arpa and ip6.arpa zones contain only PTR records, and no web content is directly served from them. In addition, the .arpa namespace does not expose familiar WHOIS information such as registrant, registration date, or domain age. Many email and web security products rely heavily on these reputation signals. Their absence makes .arpa-based hostnames hard to score and therefore less likely to be automatically blocked.
How Attackers Abuse ip6.arpa and Reverse DNS
According to Infoblox, the attackers obtain or rent IPv6 address blocks from providers. Along with these addresses, they receive delegated control over the corresponding reverse DNS zones in ip6.arpa. This delegation allows them to manage DNS records for those reverse zones without restrictions.
Instead of populating ip6.arpa with the expected PTR records, the adversaries create A records that point directly to IP addresses of their phishing infrastructure. While unusual, this configuration is not forbidden by the DNS protocol, and many DNS hosting providers do not enforce record-type restrictions in reverse zones. Infoblox notes that such configurations were observed among customers using providers including Cloudflare and Hurricane Electric, though other DNS providers may be similarly exposed.
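The misconfiguration described above is straightforward to audit from a zone export, because a reverse zone is supposed to hold nothing but PTR records plus the SOA, NS and (for RFC 2317 classless delegation) CNAME records that every zone needs. The following Python script is an added example, not code from Infoblox or from the article: it parses a constructed BIND-style zone export, flags every record under ip6.arpa or in-addr.arpa whose type does not belong there, and decodes the ip6.arpa owner name back into the IPv6 prefix it stands for (including the sample name quoted later in the article). The zone format, the names and the addresses are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Record types that legitimately appear in a reverse zone: PTR (the zone's
# purpose), SOA/NS (apex and delegations) and CNAME (RFC 2317 classless
# delegation). Anything else, in particular A/AAAA, has no business there.
EXPECTED_REVERSE_TYPES = {"PTR", "SOA", "NS", "CNAME"}


@dataclass(frozen=True)
class Record:
    owner: str
    rtype: str
    rdata: str


def parse_zone(text):
    """Parse a minimal BIND-style export: 'owner [TTL] IN TYPE rdata' per line.
    Comments (';') and blank lines are skipped. Assumed format for this example."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[1].isdigit():          # owner TTL IN TYPE rdata
            owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        else:                            # owner IN TYPE rdata
            owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        records.append(Record(owner.lower().rstrip("."), rtype.upper(), rdata))
    return records


def ip6_arpa_to_prefix(name):
    """Decode an ip6.arpa owner name into the IPv6 prefix it represents.
    Each label is one hex nibble, least-significant first, so reversing the
    labels yields the leading nibbles of the address; 4 bits per nibble give
    the prefix length. Returns None for names that are not nibble-only."""
    name = name.lower().rstrip(".")
    if not name.endswith(".ip6.arpa"):
        return None
    nibbles = name[: -len(".ip6.arpa")].split(".")
    if not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
        return None
    hexstr = "".join(reversed(nibbles)).ljust(32, "0")
    groups = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    return str(ipaddress.IPv6Network(f"{groups}/{4 * len(nibbles)}", strict=False))


def audit_reverse_zone(records):
    """Return (owner, type, rdata, decoded_prefix) for every record under
    ip6.arpa / in-addr.arpa whose type does not belong in a reverse zone."""
    findings = []
    for r in records:
        if not (r.owner.endswith(".ip6.arpa") or r.owner.endswith(".in-addr.arpa")):
            continue
        if r.rtype in EXPECTED_REVERSE_TYPES:
            continue
        findings.append((r.owner, r.rtype, r.rdata, ip6_arpa_to_prefix(r.owner)))
    return findings


# Constructed sample export (not real data): the reverse zone for the
# documentation prefix 2001:db8:1234::/48, with a legitimate PTR plus
# A/AAAA records under one of its /80s that should never be there.
SAMPLE_ZONE = """\
; constructed reverse zone for 2001:db8:1234::/48
4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 86400
4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. 3600 IN NS  ns1.example.net.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. 3600 IN PTR mail.example.net.
3.a.f.0.5.6.7.8.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. 300 IN A 203.0.113.10
3.a.f.0.5.6.7.8.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. 300 IN AAAA 2001:db8:ffff::10
"""

if __name__ == "__main__":
    for owner, rtype, rdata, prefix in audit_reverse_zone(parse_zone(SAMPLE_ZONE)):
        print(f"unexpected {rtype} record in reverse zone: {owner} -> {rdata} (prefix {prefix})")
```

Run against a real export, the script lists each web-serving record together with the prefix it sits in, which is the information needed to ask the address-block holder or the DNS hosting provider why a reverse zone is answering with addresses. The decoder also shows that the nibble-string hostnames used by the campaign are not random at all: they identify the exact IPv6 block the attackers control.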
Phishing Delivery via Random Subdomains and TDS Filtering
To complicate detection and blacklisting, the threat actors automatically generate large numbers of random subdomains under ip6.arpa. These fully qualified domain names often encode elements of the IPv6 address and appear as long, obscure strings, for example: d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa.
Links to these hostnames are embedded into phishing emails as clickable buttons or images. Typical lures include fictitious rewards, survey bonuses, or urgent security notifications about user accounts. Most recipients focus on the visual call to action and do not scrutinize the unusual hostname format, reducing the likelihood that the attack will be recognized manually.
When a victim clicks the link, the request is routed through a Traffic Distribution System (TDS). This system evaluates multiple parameters — such as device type, IP address, geolocation, referrer, and signs of sandboxes or automated analysis — to decide whether the visitor is a worthwhile target. Only users who pass these filters are redirected to the real phishing site; others are sent to benign content, which significantly hampers incident investigation and automated crawling.
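Because the TDS hides the final landing page from crawlers, the most reliable place to catch this campaign is the link itself, before anyone clicks. The script below is an added example (not from Infoblox or the article) of the kind of link inspection an email gateway or a mail-flow rule can apply: it pulls every URL out of a constructed HTML lure, and escalates any link whose host sits under the infrastructure TLD .arpa or is shaped like a reverse-DNS name (a long run of single hex-nibble labels, which can surface under another suffix). The sample email, its URLs and the escalation reasons are assumptions made for the example; the nibble-string hostname is the one quoted in the article.

```python
import html
import re
from urllib.parse import urlparse

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
BARE_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Collect URLs from an email body: href attributes first, then bare URLs
    in the text. HTML entities (&amp;) are decoded so the URL parses correctly."""
    urls = []
    for m in HREF_RE.finditer(body):
        urls.append(html.unescape(m.group(1)))
    for m in BARE_URL_RE.finditer(body):
        u = html.unescape(m.group(0))
        if u not in urls:
            urls.append(u)
    return urls


def classify_host(host):
    """Return a reason string when the host deserves escalation, else None."""
    host = host.lower().rstrip(".")
    if host == "arpa" or host.endswith(".arpa"):
        return "infrastructure TLD .arpa used as a web host"
    # Eight or more consecutive single-hex-nibble labels look like an ip6.arpa
    # reverse name surfacing under a different suffix; worth a second look.
    run = 0
    for label in host.split("."):
        if re.fullmatch(r"[0-9a-f]", label):
            run += 1
            if run >= 8:
                return "hostname shaped like an ip6.arpa reverse name"
        else:
            run = 0
    return None


def inspect_email(body):
    """Return one finding per suspicious http(s) link in the message body."""
    findings = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        reason = classify_host(parsed.hostname)
        if reason:
            findings.append({"url": url, "host": parsed.hostname, "reason": reason})
    return findings


# Constructed sample lure (not a real message): a reward-style button whose
# target is an ip6.arpa hostname, next to an ordinary unsubscribe link.
SAMPLE_EMAIL = """\
<html><body>
<p>Congratulations! Your survey bonus is waiting.</p>
<a href="http://d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/claim?id=123&amp;src=mail">
  <img src="cid:button.png" alt="Claim reward"></a>
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in inspect_email(SAMPLE_EMAIL):
        print(f"{f['reason']}: {f['host']}  ({f['url']})")
```

The check deliberately keys on the hostname rather than on reputation data, since the article's point is that reputation data for .arpa does not exist. In production the finding would feed a quarantine or rewrite action; the two reasons are kept separate so that the second, heuristic rule can be tuned or tracked independently of the hard .arpa rule.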
Why Conventional Filters Fail Against .arpa-Based Phishing
The core advantage for the attackers is that domain reputation checks are largely ineffective for .arpa. The absence of WHOIS records, domain age, and registrant data removes key signals that spam filters, secure email gateways, and web proxies routinely use to flag malicious domains.
In addition, the campaign is characterized by a short lifespan of ip6.arpa hostnames. Infoblox reports that these hostnames typically remain active for only a few days before being decommissioned or replaced. This rapid rotation dramatically reduces the usefulness of static blocklists and signature-based detection, and it complicates retrospective threat hunting.
Additional Evasion Techniques: Dangling CNAMEs and Domain Shadowing
Beyond abusing .arpa, the same threat actors employ advanced DNS-based evasion techniques. One of them is the exploitation of dangling CNAME records — CNAMEs that still point to an external service or hostname that is no longer legitimately controlled. By taking over the referenced host, attackers can serve phishing content under a seemingly legitimate original domain, while the CNAME record continues to function as configured.
The campaign also uses domain shadowing, where attackers silently create malicious subdomains within the DNS zones of legitimate organizations. Infoblox observed compromised DNS records in hundreds of organizations, including government bodies, universities, telecom operators, media outlets, and retailers. Some of these subdomains were reportedly leveraged in more than one hundred phishing messages per day, making domain-level blocking difficult without disrupting normal business communication.
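Both techniques in this section leave traces in the victim organisation's own zone, so they can be hunted for without any threat intelligence feed: a dangling CNAME is an alias whose target no longer exists, and a shadow subdomain is a record that nobody in the organisation approved. The following Python script is an added example, not code from Infoblox or from the article, and it runs offline: it takes a constructed zone as (owner, type, rdata) tuples, a stand-in resolver that answers from a fixed table (a real deployment would back it with a library such as dnspython), and an approved-names inventory, and reports the dangling aliases and the unexpected names. All names and addresses are assumptions made for the example.

```python
def find_dangling_cnames(records, resolve):
    """records: iterable of (owner, rtype, rdata) tuples.
    resolve(name): returns a list of addresses, or None when the name does
    not exist (NXDOMAIN). A CNAME whose target no longer exists is dangling:
    whoever can claim the target decides what the alias serves."""
    dangling = []
    for owner, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        target = rdata.lower().rstrip(".")
        if resolve(target) is None:
            dangling.append((owner.lower().rstrip("."), target))
    return dangling


def find_unexpected_names(records, approved_owners):
    """Compare the live zone against the organisation's approved inventory;
    every owner that is live but not approved is a candidate shadow subdomain."""
    live = {owner.lower().rstrip(".") for owner, _, _ in records}
    approved = {name.lower().rstrip(".") for name in approved_owners}
    return sorted(live - approved)


def audit_zone(records, resolve, approved_owners):
    """Combine both hunts into one report keyed by finding type."""
    return {
        "dangling_cname": find_dangling_cnames(records, resolve),
        "unexpected_name": find_unexpected_names(records, approved_owners),
    }


# Constructed sample zone for a fictional university (not real data).
SAMPLE_RECORDS = [
    ("www.example.edu.",          "A",     "192.0.2.10"),
    ("mail.example.edu.",         "A",     "192.0.2.25"),
    ("blog.example.edu.",         "CNAME", "blog-prod.saas-host.example."),   # target still exists
    ("events.example.edu.",       "CNAME", "old-tenant.saas-host.example."),  # target was torn down
    ("login-secure.example.edu.", "A",     "203.0.113.77"),                   # nobody approved this
]

# Stand-in for a DNS lookup: names present here resolve, anything else is NXDOMAIN.
RESOLVABLE = {
    "blog-prod.saas-host.example": ["198.51.100.5"],
    "www.example.edu": ["192.0.2.10"],
    "mail.example.edu": ["192.0.2.25"],
}


def table_resolve(name):
    """Constructed resolver; swap in a real lookup for production use."""
    return RESOLVABLE.get(name.lower().rstrip("."))


# Approved inventory, e.g. exported from the change-management system.
APPROVED = {"www.example.edu", "mail.example.edu", "blog.example.edu", "events.example.edu"}

if __name__ == "__main__":
    report = audit_zone(SAMPLE_RECORDS, table_resolve, APPROVED)
    for owner, target in report["dangling_cname"]:
        print(f"dangling CNAME: {owner} -> {target} (target does not resolve)")
    for owner in report["unexpected_name"]:
        print(f"unexpected record in zone: {owner} (not in approved inventory)")
```

The inventory comparison is only as good as the inventory, which is why the article's advice on DNS governance matters: if record changes are not tracked, there is no baseline to diff against. The dangling-CNAME check should be re-run regularly, because the alias becomes dangerous at the moment the target is decommissioned, not when it was created.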
Infoblox assesses that this malicious activity has been ongoing since at least September 2025 and is increasing in complexity, underscoring a broader shift toward abusing gray areas of Internet standards and operational policies rather than exploiting pure software vulnerabilities.
The campaign illustrates that modern phishing defense must extend beyond traditional URL and domain reputation checks. Organizations should tighten DNS governance by restricting record types in reverse zones, monitoring for anomalous configurations in ip6.arpa, and actively searching for dangling CNAMEs and unauthorized subdomains. Security teams should also enhance email link inspection to include infrastructure domains like .arpa and invest in DNS telemetry, behavioral analytics, and user awareness training focused on recognizing unusual URLs and suspicious interaction patterns. Strengthening these controls can significantly reduce the attack surface for emerging DNS-abuse techniques in phishing campaigns.