Risk actors are abusing the special-use “.arpa” area and IPv6 reverse DNS in phishing campaigns that extra simply evade area popularity checks and electronic mail safety gateways.
The .arpa area is a particular top-level area reserved for web infrastructure quite than regular web sites. It’s used for reverse DNS lookups, which permit methods to map an IP handle again to a hostname.
IPv4 reverse lookups use the in-addr.arpa area, whereas IPv6 makes use of ip6.arpa. In these lookups, DNS queries a hostname derived from the IP handle, written in reverse order and appended to one in all these domains.
For instance, www.google.com has the IP addresses 192.178.50.36 (IPv4) and 2607:f8b0:4008:802::2004 (IPv6). Querying Google’s IP of 192.178.50.36 through the dig software resolves to an in-addr.arpa hostname and finally an everyday hostname:
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 192.178.50.36
;; world choices: +cmd
;; Received reply:
;; ->>HEADER<<- opcode: QUERY, standing: NOERROR, id: 59754
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: model: 0, flags:; udp: 4096
;; QUESTION SECTION:
;36.50.178.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
36.50.178.192.in-addr.arpa. 1386 IN PTR lcmiaa-aa-in-f4.1e100.internet.
;; Question time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:57:31 EST 2026
;; MSG SIZE rcvd: 94Querying Google’s IPv6 handle of 2607:f8b0:4008:802::2004 reveals that it first resolves to an IPv6.arpa hostname after which a hostname, as proven under.
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 2607:f8b0:4008:802::2004
;; world choices: +cmd
;; Received reply:
;; ->>HEADER<<- opcode: QUERY, standing: NOERROR, id: 31116
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: model: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. IN PTR
;; ANSWER SECTION:
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR tzmiaa-af-in-x04.1e100.internet.
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR mia07s48-in-x04.1e100.internet.
;; Question time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:58:43 EST 2026
;; MSG SIZE rcvd: 171Phishing marketing campaign abuses in .arpa domains
A phishing marketing campaign noticed by Infoblox makes use of the ip6.arpa reverse DNS TLD, which usually maps IPv6 addresses again to hostnames utilizing PTR data.
Nonetheless, attackers discovered that in the event that they reserve their very own IPv6 handle area, they will abuse the reverse DNS zone for the IP vary by configuring further DNS data for phishing websites.
In regular DNS performance, reverse DNS domains are used for PTR data, which permit methods to find out the hostname related to a queried IP handle.
Nonetheless, attackers found that after they gained management over the DNS zone for an IPv6 vary, some DNS administration platforms allowed them to configure different document sorts that may be abused for phishing assaults.
“We have seen threat actors abuse Hurricane Electric and Cloudflare to create these records—both of which have good reputations that actors leverage—and we confirmed that some other DNS providers also allow these configurations,” explains Infoblox.
“Our tests were not exhaustive, but we notified the providers where we discovered a gap. Figure 2 depicts the process the threat actor used to create the domain used in the phishing emails.”
To arrange the infrastructure, the attackers first obtained a block of IPv6 addresses through IPv6 tunneling providers.
Supply: Infoblox
After gaining management of the handle area, the attackers then generate reverse DNS hostnames from the IPv6 handle vary utilizing randomly generated subdomains which might be tough to detect or block.
As an alternative of configuring PTR data as anticipated, the attackers create A data that time these reverse DNS domains to infrastructure internet hosting phishing websites.
The phishing emails on this marketing campaign use lures that promise a prize, a survey reward, or an account notification. The lures are embedded within the emails as photographs linked to a reverse IPv6 DNS document, equivalent to “d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa,” quite than an everyday hostname, so the goal would not see a wierd arpa hostname.
Supply: Infoblox
When a sufferer clicks the phishing electronic mail picture, the gadget resolves the attacker-controlled reverse DNS title servers through a DNS supplier.
Supply: Infoblox
In some instances, the authoritative title servers have been hosted by Cloudflare, and the reverse DNS domains resolved to Cloudflare IP addresses, hiding the situation of the backend phishing infrastructure.
After clicking the picture, victims are redirected by a site visitors distribution system (TDS) that determines whether or not they’re a legitimate goal, generally based mostly on gadget kind, IP handle, internet referers, and different standards. If the customer passes validation, they’re redirected to a phishing web site. In any other case, they’re despatched to a official web site.
Infoblox says the phishing hyperlinks are short-lived, solely energetic for a number of days. After the hyperlinks expire, they redirect customers to area errors or different official websites.
The researchers imagine that is executed to make it tougher for safety researchers to investigate and examine the phishing marketing campaign.
Moreover, because the ‘.arpa’ area is reserved for web infrastructure, it doesn’t embrace information usually present in registered domains, equivalent to WHOIS data, area age, or contact info. This makes it tougher for electronic mail gateways and safety instruments to detect malicious domains.
The researchers additionally noticed the phishing marketing campaign utilizing different methods, equivalent to hijacking dangling CNAME data and subdomain shadowing, permitting the attackers to push phishing content material by subdomains linked to official organizations.
“We found over 100 instances where the threat actor used hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers,” defined Infoblox.
By weaponizing trusted reverse DNS options utilized by safety instruments, attackers can generate phishing URLs that bypass conventional detection strategies.
As all the time, one of the best ways to keep away from phishing assaults like these is to keep away from clicking on surprising hyperlinks in emails and as a substitute go to providers immediately by their official web sites.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
