New TLDs and phishing risk: What security teams should know
ICANN's 2026 new gTLD application window opened this month. For the next several months, organisations, brands, cities, and communities can apply for their own top-level domain extensions - the largest expansion opportunity in over a decade. Most of the coverage around this has focused on the branding and business opportunity side of things. For security teams, there's a different conversation worth having.
New TLDs create legitimate value. They also, consistently and demonstrably, expand the attack surface for phishing. The 2012 expansion proved it. The abuse patterns that emerged from that round never really resolved - they became a fixture of the threat landscape. Now a new wave is coming, and the defenders who are paying attention to the timing will be better positioned than those who aren't.
This isn't a reason to sound the alarm. It's a reason to be deliberate.
What's actually happening
The domain namespace has already grown from a handful of familiar extensions - .com, .net, .org - to over 1,400 valid TLDs. The 2026 round is the first major new expansion since 2012, with applications open through August. What gets approved will be delegated and made available for general registration over the months and years that follow.
From a security standpoint, it's worth distinguishing between two fundamentally different categories of new TLD. Closed brand TLDs - namespaces operated by a single organisation for its own exclusive use - carry relatively low abuse risk. Access is tightly controlled, governance is clear, and accountability sits with a named entity. Open generic TLDs are a different matter. Available to any registrant, often priced at rock-bottom rates with minimal vetting, these are where abuse concentrates. The distinction matters when evaluating risk exposure, and conflating the two leads to imprecise threat modelling.
The operational baseline for the 2026 expansion is the documented experience of the 2012 round - which produced plenty of legitimate new namespace, and also produced a decade of well-researched abuse patterns that haven't gone away.
Why new generic TLDs attract attackers
The mechanism is straightforward: the economics of cheap, low-scrutiny domain registration make open generic TLDs structurally attractive to phishing operators, and the data has consistently borne this out.
The most-abused TLDs are reliably the cheapest ones. Domains in high-risk extensions have been available for as little as a dollar or two, with minimal identity verification at the point of registration. For a legitimate business, that low barrier is a minor convenience. For an attacker running bulk infrastructure, it's operationally significant - it enables large-scale domain deployment at a pace that routinely outstrips enforcement responses.
The numbers that have emerged from research in this space are significant. Over 2.6 million cybercrime-linked domains were found to have been registered in bulk - a more than 100% increase year-on-year in one study period. In one documented instance, over 17,000 malicious domains were registered through a single registrar in under eight hours. That kind of deployment speed is not something manual review processes can match. By the time abuse is confirmed and a takedown is initiated, the infrastructure has often already served its purpose.
At the extreme end, some individual TLDs show malicious and spam email rates above 90% of all traffic processed from that extension. At that concentration, the TLD itself functions as a threat signal - not a definitive one, but a meaningful contextual indicator.
The .zip and .mov extensions, released in 2023, illustrated another dimension of the problem: attackers actively monitor new TLD launches and register offensive infrastructure on or near general availability dates. Within days of those extensions going live, they were being exploited in phishing campaigns - in part because both visually resemble common file extensions, creating additional opportunities for deception. That behaviour is not incidental. It's a repeating pattern across the TLD expansion lifecycle.
Campaigns also increasingly cluster across multiple new TLDs simultaneously. Research has identified single phishing operations spanning over a hundred domains across more than ten different newly released TLDs, all routing traffic through shared backend infrastructure. The fragmentation is intentional - it complicates detection, slows takedown coordination, and exploits the uneven response speed of different registries.
The detection and filtering problem
TLD reputation is a real signal. Integrating it into detection without generating alert fatigue is the challenge, and it's one worth thinking through carefully rather than reaching for blunt solutions.
Blocking entire TLDs at the email gateway or web filter is tempting when abuse rates are high, but it creates false positives that erode analyst trust in the tooling over time. A more useful approach is treating TLD context as an elevation signal rather than a binary block - newly registered domains in low-cost, low-scrutiny extensions warrant closer scrutiny, not automatic rejection.
Certificate transparency logs are an underutilised early-warning layer. Anomalous growth in certificate issuance under a specific TLD can indicate bulk malicious registration activity before those domains appear in threat feeds. Monitoring certificate transparency for your own organisation's domain strings - your brand name, key product names, your executive team's names - gives you visibility into spoofing and squatting campaigns early in their lifecycle rather than after they've reached users.
Subdomain abuse is worth flagging as an adjacent and increasingly common vector. A growing proportion of phishing infrastructure is being deployed not through registered domains at all, but through subdomain providers - legitimate hosting and site-building platforms where attacker accounts host malicious content under a trusted parent domain. This matters because URL filtering tools that evaluate domain-level reputation may miss it, and because takedown requires the platform to act on the account rather than a registrar to act on the domain. If your detection coverage doesn't account for this vector, TLD-focused filtering alone will miss a meaningful portion of the threat.
What the 2026 expansion means operationally
The application window closes in August 2026. Delegation of approved TLDs follows over subsequent months and, in some cases, years. Security teams should treat this as a planning horizon rather than a point-in-time event.
Abuse tends to concentrate early in a new TLD's lifecycle. Attackers monitor launch calendars, watch for general availability dates, and register infrastructure quickly once new extensions open for public registration. The window between general availability and the point at which that TLD's reputation signals propagate through threat intel feeds and gateway filters is exactly the gap they exploit. Knowing when a new TLD goes live is operationally relevant information for defenders, not just domain investors.
ICANN's 2026 registry contracts include meaningfully tougher DNS abuse provisions than their 2012 equivalents - mandatory automated abuse detection, participation in threat intelligence sharing, and defined contractual windows for responding to verified abuse reports. Whether those provisions materially reduce abuse concentration relative to previous rounds remains an open empirical question. The accountability structure has improved. The underlying economics of cheap registration haven't changed, and it's the economics that drive behaviour.
For organisations with any degree of brand exposure, the expansion also creates a defensive registration problem. Cybersquatters and phishing operators watch new TLD launches closely. A brand that isn't monitoring for its own name across newly launched extensions will eventually encounter it registered offensively - as a phishing site, a redirect, or a parked page designed to capture misdirected traffic.
Where your organisation's hosting and email infrastructure sits also matters in this context. Working with a reputable, locally accountable secure hosting provider means your infrastructure operates under clear oversight and defined security standards - relevant when you're evaluating the provenance of your own environment against a backdrop of expanding, and unevenly governed, global namespace.
What to actually do about it
The appropriate response to TLD expansion risk is not a major programme of work. It's a small set of deliberate operational adjustments applied consistently.
Start with your own domain posture. Ensure DMARC is enforced at p=reject, that SPF and DKIM records are correctly configured and regularly reviewed, and that WHOIS registrant contact details are accurate and actively monitored. Under the 2026 registry contracts, registrars are required to act on verified abuse reports within defined timeframes - which cuts both ways. A domain with outdated registrant contacts is a domain with a slower abuse response when you need one.
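As an added illustration (not code from the original article), here is a small Python check that reports the gaps in a DMARC record against the posture described above; the WEAK and ENFORCED records and the reporting address are constructed examples.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """Return the gaps relative to an enforced posture: p=reject on the domain
    and its subdomains, applied to 100% of mail, with aggregate reports (rua)
    going somewhere that is actually monitored. An empty list means enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"policy is p={tags.get('p', 'missing')}, not p=reject")
    subdomain_policy = tags.get("sp", tags.get("p"))  # sp defaults to p (RFC 7489)
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy is sp={subdomain_policy}, not reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    if pct < 100:
        findings.append(f"only pct={pct} of mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua address, so aggregate reports are not collected")
    return findings


# Constructed records: a monitoring-only record beside an enforced one.
WEAK = "v=DMARC1; p=none; pct=50"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("enforced", ENFORCED)):
        print(label, dmarc_findings(record) or ["enforced, no gaps"])
```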
Add TLD context to threat intel triage. When reviewing phishing indicators, note the TLD alongside registrant age and hosting infrastructure. Newly registered domains in low-cost, low-scrutiny extensions warrant elevated suspicion as a matter of workflow, not just intuition.
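An added example, not from the original article, of treating TLD context as an elevation signal in triage rather than a block, combined with registration age and a brand-string check as the workflow above suggests; the watchlists, the brand name, the weights and the thresholds are constructed assumptions, and scoring of hosting infrastructure is left out.

```python
from datetime import date

# Constructed watchlists for this example; a real deployment would feed these
# from the team's own abuse telemetry, threat feeds and brand register.
LOW_SCRUTINY_TLDS = {"zip", "mov", "top", "xyz"}   # cheap, minimal vetting
FILE_EXT_LOOKALIKE_TLDS = {"zip", "mov"}           # resemble file extensions
BRAND_STRINGS = {"examplebank"}                     # hypothetical brand
NEW_REGISTRATION_DAYS = 30


def triage_score(domain, registered_iso, observed_iso):
    """Return (score, reasons). The score raises review priority; it is never a
    block decision on its own, so a bare low-scrutiny TLD cannot reach escalate."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else ""
    age_days = (date.fromisoformat(observed_iso) - date.fromisoformat(registered_iso)).days
    score, reasons = 0, []
    if age_days <= NEW_REGISTRATION_DAYS:
        score += 2
        reasons.append(f"registered {age_days} day(s) before observation")
    if tld in LOW_SCRUTINY_TLDS:
        score += 2
        reasons.append(f".{tld} is a low-cost, low-scrutiny TLD")
    if tld in FILE_EXT_LOOKALIKE_TLDS:
        score += 1
        reasons.append(f".{tld} resembles a file extension")
    for brand in BRAND_STRINGS:
        if brand in sld:
            score += 3
            reasons.append(f"second-level label contains brand string '{brand}'")
    return score, reasons


def triage_action(score):
    """Map the score to a workflow step: log, analyst review, or escalation."""
    if score >= 6:
        return "escalate"
    if score >= 3:
        return "review"
    return "log"


if __name__ == "__main__":
    samples = [("news.example.com", "2020-01-01", "2026-03-05"),
               ("promo-offer.xyz", "2026-02-20", "2026-03-05"),
               ("login.examplebank-secure.zip", "2026-03-01", "2026-03-05")]
    for dom, registered, seen in samples:
        score, why = triage_score(dom, registered, seen)
        print(f"{dom}: {triage_action(score)} (score {score}) {why}")
```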
Monitor certificate transparency for your own namespace. Set up alerts for unexpected certificate issuance against your brand name and key domain strings. Unexpected issuance under a newly launched TLD is an early indicator of a spoofing or squatting campaign - and catching it early gives you options that aren't available once the infrastructure is active.
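An added example (not the article's own code) of the certificate transparency check described above, run over constructed CT entries rather than a live log: it flags certificates carrying the brand string on domains the organisation does not own, marks hits under newly launched TLDs, and counts issuance per TLD as the bulk-registration signal; the brand, owned domains and TLD lists are assumptions, and the registrable-domain helper is a crude two-label approximation noted in a comment.

```python
from collections import Counter

# Constructed inputs for this example (not real CT log data).
BRAND_STRINGS = {"examplebank"}           # hypothetical brand
OWN_DOMAINS = {"examplebank.com"}         # legitimately owned, so suppressed
NEWLY_LAUNCHED_TLDS = {"zip", "mov"}      # treated as elevated-risk windows

CT_ENTRIES = [  # the minimal fields a CT monitor typically exposes per certificate
    {"not_before": "2026-03-04", "sans": ["www.examplebank.com", "examplebank.com"]},
    {"not_before": "2026-03-04", "sans": ["*.example-bank-login.zip"]},
    {"not_before": "2026-03-05", "sans": ["secure.examplebank.top", "examplebank.top"]},
    {"not_before": "2026-03-05", "sans": ["photos.mysite.zip"]},
    {"not_before": "2026-03-05", "sans": ["cdn.unrelated.net"]},
]


def registrable(name):
    """Crude eTLD+1: the last two labels, with any wildcard prefix removed.
    Real code should use the Public Suffix List to handle multi-label suffixes."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_hits(entries, brands=BRAND_STRINGS, own=OWN_DOMAINS, new_tlds=NEWLY_LAUNCHED_TLDS):
    """One alert per unowned registrable domain in a certificate whose label
    contains a brand string; hyphens are stripped first so 'example-bank' still
    matches. Hits under a newly launched TLD are marked for faster follow-up."""
    alerts = []
    for entry in entries:
        domains = {registrable(san) for san in entry["sans"]} - own
        for dom in sorted(domains):
            if "." not in dom:
                continue  # single-label name, nothing registrable to check
            label, tld = dom.split(".")
            normalized = label.replace("-", "")
            for brand in brands:
                if brand in normalized:
                    alerts.append({"domain": dom, "brand": brand,
                                   "new_tld": tld in new_tlds,
                                   "not_before": entry["not_before"]})
    return alerts


def issuance_by_tld(entries):
    """Distinct registrable domains seen per TLD in this batch; a jump against
    the previous window is the bulk-registration signal described above."""
    seen = {registrable(san) for entry in entries for san in entry["sans"]}
    return Counter(dom.rsplit(".", 1)[-1] for dom in seen)
```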
Update your security awareness content. Most phishing training focuses on sender name and email content. Adding explicit guidance on unfamiliar domain extensions - particularly ones that resemble generic words, industry terms, or file types - is a low-effort, high-value addition to user-facing guidance.
Watch the launch calendar. Track when newly approved TLDs open for general registration and treat those dates as elevated-risk windows for monitoring. It's a simple operational habit that aligns your attention with the moments when attackers are most active in registering new infrastructure.
The bottom line
The 2026 expansion will create genuine value. It will also, based on everything the security community has documented since 2012, expand the pool of cheap, quickly deployable attack infrastructure available to phishing operators. That's not speculation - it's a pattern with a decade of evidence behind it.
Security teams don't need to treat the expansion as a crisis. They do need to treat it as a planning input. The patterns are well established. The response playbook exists. The question is whether it gets implemented before the first wave of new extensions goes live, or after users start clicking on domains that didn't exist last month.
The timing is now. The preparation is straightforward. That combination doesn't come along that often in security - it's worth taking advantage of it.