A new report out today from phishing defense company Cofense Inc. reveals a dramatic rise in malicious activity leveraging Spain’s .es top-level domain, marking a shift in tactics among phishing operators targeting enterprise users.
According to the research from Max Gannon and Jacob Malimban of Cofense’s Intelligence Team, use of the .es TLD in credential phishing campaigns grew 19-fold from the fourth quarter of 2024 through the end of the first quarter of this year. That surge put .es among the three most abused top-level domains for phishing, behind only .com and .ru.
The .es domain is Spain’s country-code TLD, officially intended for Spanish-speaking audiences, but threat actors seemingly don’t care and are increasingly using it to disguise malicious content. The researchers note that the abuse is not tied to a single group: a broad cross-section of phishing campaigns has adopted .es domains to host second-stage phishing pages, the sites a victim lands on after clicking a link in the email.
Those sites are typically used to harvest login credentials or to deliver remote access tools such as XWorm and Dark Crystal RAT. A RAT, or remote access trojan, is malware that gives an attacker covert remote control of a victim’s computer or network.
Though the surging use of .es TLDs is perhaps surprising, what isn’t is the company the threat actors are impersonating: Microsoft Corp. and its various services. Some 95% of the phishing campaigns using the .es TLD impersonate Microsoft services such as Outlook. Other impersonated brands include Adobe Inc., Google LLC and Docusign Inc., though at much lower rates. The campaigns often feature highly polished emails and convincing login pages hosted on pseudo-randomly generated subdomains under .es domains.
In an interesting twist, the researchers also report that nearly all of these malicious .es domains, about 99%, are hosted on Cloudflare Inc.’s infrastructure, often fronted by a Cloudflare Turnstile CAPTCHA. The challenge page lends the site legitimacy in a victim’s eyes and can also frustrate the automated crawlers defenders use to inspect links. That raises questions about how easily threat actors are leveraging modern deployment tools such as Cloudflare Pages to spin up malicious content quickly.
“While Cloudflare has recently made deploying a web page quick and easy via command line with pages hosted on [.]pages[.]dev it is unclear whether their recent move to making domains hosted by them easy to deploy has attracted threat actors to their hosting services across different platforms or if there are other reasons, such as how strict or lenient Cloudflare is with abuse complaints,” the researchers write.
The report emphasizes that dynamically generated subdomains, typically random strings rather than human-readable names, are a common trait of these campaigns. An example such as gymi8.fwpzza.es illustrates the pattern: neither label means anything, so a casual user has no familiar name to check and little reason to treat the address as suspicious.
Cofense warns that organizations should be alert to this shift in TLD abuse and adapt their detection strategies accordingly, in particular by monitoring newly seen subdomains rather than only registered domains, and by applying more nuanced brand spoofing detection that catches brand names appearing in hostnames and paths the brand does not own. As phishing tactics evolve, domain abuse patterns continue to be an early warning signal for threat activity.
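The random-label pattern the report describes lends itself to a cheap first-pass filter over URLs extracted from inbound mail. The following Python is an added example written for this article, not Cofense’s tooling or anything taken from the report. It splits a hostname into subdomain and registrable domain (handling the .es registry’s second-level names such as com.es, though a production filter should use the Public Suffix List), scores each label with simple machine-generated-string heuristics (digits mixed into letters, very few vowels, long consonant runs), and flags .es hosts that carry a brand name in the subdomain or path rather than in the registered domain itself. The sample URLs, the BRAND_HINTS list and the thresholds are constructed assumptions chosen for illustration, and the heuristics will produce false positives on legitimate hosts such as cdn1; tune them against your own mail telemetry.

```python
"""Triage URLs for the random-label .es subdomain pattern.

Added example for this article, not Cofense's tooling. Sample URLs, brand list
and thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Registry-run second-level names under .es: "foo.com.es" is a registration, not a subdomain.
# A production filter should use the Public Suffix List instead of this short table.
ES_SECOND_LEVEL = {"com.es", "nom.es", "org.es", "gob.es", "edu.es"}

# Brands the report names as the most impersonated lures (assumed spellings).
BRAND_HINTS = ("microsoft", "outlook", "office", "sharepoint", "onedrive",
               "adobe", "google", "docusign")

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def split_host(host: str) -> tuple[str, str]:
    """Return (subdomain, registrable domain) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in ES_SECOND_LEVEL:
        return ".".join(labels[:-3]), ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    return "", host


def looks_random(label: str) -> bool:
    """Cheap signals that a DNS label was generated rather than chosen by a person.

    Thresholds are assumptions; expect false positives on names like cdn1 or www3.
    """
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    if len(label) < 4 or not letters:
        return False
    mixed = bool(digits)                      # digits mixed into a lettered label
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return mixed or vowel_ratio < 0.2 or longest_run >= 5


@dataclass
class Verdict:
    url: str
    subdomain: str
    registrable: str
    es_tld: bool
    random_labels: list[str]
    brand_hint: str | None

    @property
    def suspicious(self) -> bool:
        """Flag .es hosts with a generated-looking label, or a brand name they do not own."""
        return self.es_tld and (bool(self.random_labels) or self.brand_hint is not None)


def triage(url: str) -> Verdict:
    """Score one URL as extracted from an email body."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    subdomain, registrable = split_host(host)
    es_tld = host.endswith(".es")
    # Examine every subdomain label plus the registered label itself (fwpzza in fwpzza.es).
    candidates = [l for l in subdomain.split(".") if l] + [registrable.split(".")[0]]
    random_labels = [l for l in candidates if looks_random(l)]
    # Brand strings count only in the subdomain or path: "microsoft.es" is Microsoft's own
    # registration, while "outlook-login.fwpzza.es/outlook" is borrowing the name.
    haystack = subdomain + parsed.path.lower()
    brand_hint = next((b for b in BRAND_HINTS if b in haystack), None)
    return Verdict(url, subdomain, registrable, es_tld, random_labels, brand_hint)


# Constructed sample input; only gymi8.fwpzza.es mirrors the pattern the report cites.
SAMPLE_URLS = [
    "https://gymi8.fwpzza.es/outlook/login",
    "https://mail.ejemplo.es/",
    "https://docs.ayuntamiento.gob.es/",
    "https://www.microsoft.es/",
    "https://x9k2q.login-portal.com/",
]


def triage_all(urls: list[str]) -> list[Verdict]:
    return [triage(u) for u in urls]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_URLS):
        flag = "SUSPICIOUS" if v.suspicious else "ok        "
        print(f"{flag} {v.url}  random={v.random_labels} brand={v.brand_hint}")
```

Run as a script, only the first sample is flagged: both of its labels score as generated and the path borrows the Outlook name. The non-.es host with a random label is deliberately left alone here because the filter is scoped to the TLD shift the report describes; widening `es_tld` to a list of TLDs you care about is the obvious next step.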
Image: SiliconANGLE/Reve