SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Phishing campaigns exploit .arpa DNS to evade filters

Fri, 27th Feb 2026

Infoblox Threat Intel has identified phishing campaigns that misuse parts of the Domain Name System (DNS) that typically sit outside the focus of web security tools, including reverse DNS records under the .arpa top-level domain.

The activity uses infrastructure many organisations do not treat as a web hosting environment. That gap can let attackers route victims to fraudulent pages while sidestepping checks tuned to conventional web domains and familiar URL patterns.

How .arpa works

The .arpa top-level domain serves a specific purpose in DNS. It is primarily used for internet infrastructure functions, including reverse DNS lookups that map IP addresses back to domain names. It is not typically used for hosting websites, and many security controls do not treat it as a common source of user-facing web content.

According to Infoblox, attackers are exploiting record-management options offered by some DNS providers. These features can allow the creation of IP address records associated with .arpa domains, with malicious content then placed behind that DNS infrastructure.

The actors also use free IPv6 tunnelling services, which can provide access to large pools of IPv6 addresses. Infoblox described the tunnels as a way to scale the operation and cycle through campaign addresses.

IPv6 tunnels are commonly used to carry IPv6 traffic across parts of the internet that still rely on older IPv4-only equipment. Infoblox said the campaigns repurpose that approach as part of the phishing delivery chain.

Bypassing controls

Security products and organisational policies often rely on reputation scoring, domain categorisation, URL analysis, and historical patterns tied to mainstream top-level domains such as .com and .net. Infrastructure namespaces such as .arpa can receive less scrutiny, particularly when controls are tuned to typical web browsing behaviour and known phishing patterns.

Infoblox linked the .arpa misuse to phishing delivered via spam emails. Victims are routed through traffic distribution systems that can vary the destination based on geography, device type, or other signals collected when the link is clicked. This can complicate analysis and takedown efforts by showing different content to different observers.

Infoblox researchers said the visible URL shown to users does not clearly reveal the unusual .arpa reverse DNS strings used in the infrastructure. That can reduce the chance a user notices an unfamiliar domain structure before clicking, and it may also affect filtering and logging practices that focus on surface-level indicators.
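Two of the points above benefit from being made concrete: what a reverse-DNS name under .arpa actually looks like (the "How .arpa works" section) and why a control that only inspects the visible link misses the .arpa hop that follows a redirect. The Python below is an added example written for this page; it is not code from the article or from Infoblox. The proxy log format, the client addresses and every hostname are constructed for illustration, using RFC 5737 and RFC 3849 documentation ranges rather than any indicator from the report.

```python
"""Added example, not from the article or from Infoblox: flag web requests whose
hostname sits under the .arpa infrastructure namespace and decode the address a
reverse-DNS style name encodes. All hostnames and log lines below are
constructed from RFC 5737 / RFC 3849 documentation addresses, not campaign
indicators from the report."""
import ipaddress
from typing import Optional, Union
from urllib.parse import urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def reverse_name(ip: str) -> str:
    """Owner name a PTR record for this IPv4/IPv6 address would live under.

    This is the string shape a .arpa hostname takes: octets (v4) or nibbles
    (v6) in reverse order, followed by in-addr.arpa or ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def decode_arpa_host(host: str) -> Optional[IPAddr]:
    """Return the IP address a complete reverse-pointer name encodes.

    Returns None for hosts outside .arpa and for partial names such as a
    delegation zone ("2.0.192.in-addr.arpa"), which name a block rather than
    one address.
    """
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = labels[:32][::-1]
        if all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            hexstr = "".join(nibbles)
            groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
            return ipaddress.IPv6Address(":".join(groups))
    return None


def classify_url(url: str) -> dict:
    """Describe where a URL's hostname sits relative to the .arpa namespace."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    in_arpa = host == "arpa" or host.endswith(".arpa")
    decoded = decode_arpa_host(host) if in_arpa else None
    return {
        "host": host,
        "in_arpa": in_arpa,
        "encoded_ip": str(decoded) if decoded is not None else None,
    }


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# The first two requests are the kind of hop chain the article describes: a
# benign-looking link followed by a redirect to a reverse-DNS style host.
SAMPLE_PROXY_LOG = [
    "2026-02-27T10:00:01Z 10.0.0.5 GET https://tracker.example.net/c?id=1 302",
    "2026-02-27T10:00:02Z 10.0.0.5 GET https://1.2.0.192.in-addr.arpa/claim 200",
    "2026-02-27T10:00:03Z 10.0.0.6 GET https://www.example.com/ 200",
    "2026-02-27T10:00:04Z 10.0.0.7 GET https://"
    + reverse_name("2001:db8::1") + "/prize 200",
]


def flag_arpa_requests(lines):
    """Return one finding per logged request whose hostname is under .arpa.

    HTTP traffic to a .arpa name is rare in legitimate use (reverse DNS is
    queried via PTR lookups, not browsed), so every hit is worth review.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the pipeline
        ts, client, _method, url, _status = fields[:5]
        info = classify_url(url)
        if info["in_arpa"]:
            findings.append({"time": ts, "client": client, **info})
    return findings


if __name__ == "__main__":
    for f in flag_arpa_requests(SAMPLE_PROXY_LOG):
        print(f)
```

The check deliberately runs over every logged request rather than only the link a user clicked: in the chain the article describes, the first hop is an ordinary-looking domain and only the redirect target lands in reverse DNS space. Decoding the embedded address is what turns a bare ".arpa" hit into something an analyst can act on, for example by checking the IPv4 or IPv6 address against the organisation's own allowlists or asking why a browser ever reached it over HTTP.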

The emails impersonate well-known brands and use prize or giveaway themes. Many consist of a single image with an embedded hyperlink, which can limit the text available for content-inspection rules and shift the decision point to the link and the web request that follows.

"When we see attackers abusing .arpa, they're weaponising the very core of the internet," said Dr. Renée Burton, VP, Infoblox Threat Intel.

"Reverse DNS space was never designed to host web content, so most defences don't even look at it as a potential threat surface. By turning .arpa into a delivery mechanism for phishing, these actors effectively step around traditional controls that depend on domain reputation or URL structure. Defenders need to start treating DNS infrastructure itself as high value real estate for attackers, and they need the visibility to see abuse in any type of location," Burton said.

Operational implications

The findings show attackers continuing to probe areas of internet infrastructure that security teams may treat as background plumbing rather than active risk zones. Reverse DNS is widely used for network operations, troubleshooting, and some forms of authentication and policy enforcement, which can make it difficult to block large sections of related traffic without collateral impact.

For defenders, the case reinforces the need for monitoring that looks beyond conventional domain categories. It also raises questions for DNS service providers about how record-management features are exposed and governed, especially where tools make it possible to associate unexpected record types with infrastructure-oriented namespaces.

Infoblox Threat Intel said the activity it observed is a new method that has not been previously reported. It plans to continue tracking abuse of DNS infrastructure and related tunnelling services as attackers look for alternative routes around standard filtering and reputation systems.