New research from Infoblox Threat Intel shows how criminals twist a core part of the internet to slip past many of today’s standard security checks.
DUBAI, UAE, February 2026 – Phishing attacks are everywhere, but historically their tactics have followed clear patterns and trends. Research by Infoblox Threat Intel uncovers an anomaly: a new method cybercriminals are using to target victims. The malicious campaigns use a novel, previously unreported technique to bypass security controls: abusing a part of the domain name space reserved for internet infrastructure to deliver phishing via spam. The actors set up IPv6 tunnels and then use reverse DNS records to host the fraudulent sites. It is a confusing but effective attack vector, because these DNS records, hosted under the .arpa top-level domain, are unlikely to be noticed by security products.
Unlike familiar TLDs such as .com and .net, which are used for web content, .arpa plays a special role in the Domain Name System (DNS). It is primarily used to map IP addresses back to names, providing reverse DNS (PTR) records; it is not meant to host websites. Threat actors have discovered a feature in some DNS providers’ record-management controls that lets them add IP address records (A and AAAA records) for names under .arpa and then freely host malicious content behind that infrastructure. They then acquire a free IPv6 tunnel to obtain a large number of IP addresses, and therefore a large number of reverse DNS names, to use in the campaigns. IPv6 tunnels aren’t meant for this purpose either: they are intended to carry IPv6 traffic across networks where only legacy IPv4 equipment exists.
“When we see attackers abusing .arpa, they’re weaponizing the very core of the internet,” said Dr. Renée Burton, VP, Infoblox Threat Intel. “Reverse DNS space was never designed to host web content, so most defenses don’t even look at it as a potential threat surface. By turning .arpa into a delivery mechanism for phishing, these actors effectively step around traditional controls that depend on domain reputation or URL structure. Defenders need to start treating DNS infrastructure itself as high-value real estate for attackers, and they need the visibility to see abuse in any type of location.”
The phishing emails observed in these campaigns impersonate major brands and promise “free gifts” or prizes. Each message consists of a single image that hides an embedded hyperlink, sending victims through traffic distribution systems (TDSs) to fraudulent websites. The visible content of the email never reveals the .arpa reverse DNS names the attackers are using, so nothing a recipient sees looks unusual.
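The two practical checks that follow from the description above are that (a) nothing other than PTR records (and zone plumbing such as NS/SOA) should normally be looked up under in-addr.arpa or ip6.arpa, and (b) no web link should ever point at a host name in that space. The script below is an added example written for this page, not Infoblox code and not the researchers’ tooling: it builds the reverse DNS name for an address, decodes a full-length reverse name back to the address it encodes (so an analyst can see which tunnel prefix a name belongs to), and flags forward-type (A/AAAA/CNAME) lookups of reverse-space names in a constructed resolver log. The key=value log format, the client addresses and the names are all made up for the example; adapt `parse_line()` to a real resolver’s query-log format.

```python
"""Flag forward lookups and URLs that land in the DNS reverse namespace
(in-addr.arpa / ip6.arpa), which legitimately carries only PTR data.

Added illustration for this article, not Infoblox code. The log format,
addresses and names are constructed for the example.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")

# Record types that have no business resolving under a reverse-space name.
# PTR (plus NS/SOA/DS for delegations) is what belongs there.
FORWARD_TYPES = {"A", "AAAA", "CNAME"}

_KV = re.compile(r"(\w+)=(\S+)")


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_reverse_space(name: str) -> bool:
    """True if the name is, or lies under, in-addr.arpa or ip6.arpa."""
    n = normalise(name)
    return any(n == s[1:] or n.endswith(s) for s in REVERSE_SUFFIXES)


def reverse_name(ip: str) -> str:
    """PTR owner name for an address: 192.0.2.1 -> 1.2.0.192.in-addr.arpa,
    2001:db8::1 -> 1.0.0.(...).8.b.d.0.1.0.0.2.ip6.arpa (one nibble per label)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_name_to_ip(name: str) -> Optional[str]:
    """Recover the address a full-length reverse name encodes. Returns None for
    delegation points or names with extra labels (e.g. 'promo.8.b.d...ip6.arpa'),
    which is exactly the shape an attacker-chosen host name would have."""
    labels = normalise(name).split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) == 32 and all(re.fullmatch(r"[0-9a-f]", x) for x in nibbles):
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    elif labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets):
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    return None


# Constructed sample resolver log (made-up format: ts= client= qname= qtype=).
# Line 3 asks for an AAAA record at the full reverse name of 2001:db8::1;
# line 4 asks for an A record at an arbitrary label under a delegated prefix.
SAMPLE_LOG = [
    "ts=2026-02-10T09:00:01Z client=10.0.0.5 qname=www.example.com. qtype=A",
    "ts=2026-02-10T09:00:02Z client=10.0.0.5 qname=1.2.0.192.in-addr.arpa. qtype=PTR",
    f"ts=2026-02-10T09:00:03Z client=10.0.0.7 qname={reverse_name('2001:db8::1')}. qtype=AAAA",
    "ts=2026-02-10T09:00:04Z client=10.0.0.7 qname=promo.8.b.d.0.1.0.0.2.ip6.arpa. qtype=A",
    "ts=2026-02-10T09:00:05Z client=10.0.0.9 qname=example.net. qtype=AAAA",
]


def parse_line(line: str) -> dict:
    """Split one constructed key=value log line into a dict."""
    return dict(_KV.findall(line))


def suspicious_queries(lines):
    """Return (client, qname, qtype, decoded_ip) for forward-type lookups of
    reverse-space names. PTR lookups there are normal and are not reported."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        qname, qtype = rec.get("qname", ""), rec.get("qtype", "").upper()
        if qtype in FORWARD_TYPES and is_reverse_space(qname):
            hits.append((rec.get("client"), normalise(qname), qtype, reverse_name_to_ip(qname)))
    return hits


def url_in_reverse_space(url: str) -> bool:
    """True when a link's host name sits in reverse DNS space; a legitimate
    web link should never point there."""
    return is_reverse_space(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for hit in suspicious_queries(SAMPLE_LOG):
        print("forward lookup in reverse space:", hit)
    print(url_in_reverse_space("https://promo.8.b.d.0.1.0.0.2.ip6.arpa/gift"))
```

On a real resolver the same rule can be expressed as an RPZ or query-log filter; the point of decoding the name is that a full-length ip6.arpa name identifies one /128 while a shorter or decorated name (as in the `promo.` line) identifies the delegated prefix the attacker controls.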
Attachments:
- Infographic: An overview of the process used to abuse the .arpa TLD in phishing emails
- Photograph: Dr. Renée Burton, VP, Infoblox Threat Intel
About Infoblox Threat Intel:
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox:
Infoblox unites networking, security and cloud to form a platform for operations that’s as resilient as it is agile. Trusted by over 6,000 customers, including 92 of the Fortune 100, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise.