Aged-domain acquisition: The tradecraft phishing operators are using to bypass your mail filter’s reputation score
Summary
Phishing-as-a-service operators are increasingly acquiring aged, legitimate domains and redeploying them for credential theft campaigns. The tactic bypasses email filters that weight domain age heavily in reputation scoring, because these domains carry a long history of stable use and clean DNS records. Certificate transparency logs reveal the pattern: a domain's legitimate certificate history, then a gap in issuance, then new certificates for subdomains unrelated to the domain's earlier use. Defenses that score on age alone do not flag this change of control.
IFF Assessment
This article details sophisticated tradecraft used by phishing operators to bypass security controls, representing an escalation in threat actor capabilities.
Defender Context
Defenders need to be aware that domain reputation scoring that relies on domain age can be a blind spot for sophisticated phishing attacks. Organizations should consider supplementing email gateway defenses with additional checks, such as analyzing certificate issuance patterns and looking for domain inconsistencies that indicate hijacking. This trend highlights the evolving nature of phishing infrastructure and the need for adaptive security strategies.
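The certificate-history pattern described in the summary (established history, issuance gap, then certificates for previously unseen subdomains) can be turned into the supplementary check recommended above. The following is an added example, not code from the article or from any vendor it discusses. The CT entries, domain names (`.test` TLD), registration dates and the gap and history thresholds are all constructed assumptions; a real deployment would feed the function from a CT log monitor and tune the thresholds against its own traffic.

```python
"""Flag domains whose certificate timeline shows the dormancy-then-reissue
pattern, and feed an adjusted domain age into a reputation score so an
acquired aged domain is treated like a newly registered one.

All data below is constructed sample data, not real CT log records."""
from collections import defaultdict
from datetime import date

# Constructed sample CT entries: (registrable domain, not_before, SAN list).
SAMPLE_CT_ENTRIES = [
    ("example-bakery.test", date(2016, 3, 1), ["example-bakery.test", "www.example-bakery.test"]),
    ("example-bakery.test", date(2017, 3, 1), ["example-bakery.test", "www.example-bakery.test"]),
    ("example-bakery.test", date(2018, 3, 1), ["example-bakery.test", "www.example-bakery.test"]),
    ("example-bakery.test", date(2019, 3, 1), ["example-bakery.test", "www.example-bakery.test"]),
    # roughly four and a half years of silence, then unrelated hostnames appear
    ("example-bakery.test", date(2023, 9, 14), ["secure-login.example-bakery.test"]),
    ("example-bakery.test", date(2023, 9, 15), ["account-verify.example-bakery.test"]),
    # control domain: continuous yearly renewals, one new hostname but no gap
    ("steady-corp.test", date(2020, 1, 1), ["steady-corp.test", "www.steady-corp.test"]),
    ("steady-corp.test", date(2021, 1, 1), ["steady-corp.test", "www.steady-corp.test"]),
    ("steady-corp.test", date(2022, 1, 1), ["steady-corp.test", "www.steady-corp.test"]),
    ("steady-corp.test", date(2023, 1, 1), ["steady-corp.test", "mail.steady-corp.test"]),
]

# Constructed WHOIS-style registration dates (assumption, for age scoring).
SAMPLE_REGISTRATION = {
    "example-bakery.test": date(2015, 1, 1),
    "steady-corp.test": date(2020, 1, 1),
}
AS_OF = date(2023, 10, 1)  # constructed "now" for the worked example


def find_dormant_reissue(entries, min_history_days=365, min_gap_days=540):
    """Return {domain: finding} for domains that show an established
    certificate history, then an issuance gap of at least min_gap_days,
    then post-gap certificates naming hostnames absent before the gap.
    Thresholds are assumptions chosen for the sample, not published values."""
    by_domain = defaultdict(list)
    for domain, not_before, sans in entries:
        by_domain[domain].append((not_before, sans))

    findings = {}
    for domain, certs in by_domain.items():
        certs.sort(key=lambda c: c[0])
        for i in range(1, len(certs)):
            gap = (certs[i][0] - certs[i - 1][0]).days
            if gap < min_gap_days:
                continue
            history = (certs[i - 1][0] - certs[0][0]).days
            if history < min_history_days:
                continue  # not an aged, established domain; the age signal is not what is being abused
            prior = {s.lower() for _, sans in certs[:i] for s in sans}
            after = {s.lower() for _, sans in certs[i:] for s in sans}
            new_names = sorted(after - prior)
            if new_names:  # a renewal of the same names after dormancy is not flagged
                findings[domain] = {
                    "history_days": history,
                    "gap_days": gap,
                    "dormant_since": certs[i - 1][0],
                    "reissued_on": certs[i][0],
                    "new_subdomains": new_names,
                }
                break  # report the first qualifying gap only
    return findings


def effective_age_days(domain, findings, registration=SAMPLE_REGISTRATION, as_of=AS_OF):
    """Age to feed a reputation score: for a flagged domain, count from the
    re-issuance date rather than from registration, so the filter scores an
    acquired aged domain the way it would score a brand-new one."""
    if domain in findings:
        return (as_of - findings[domain]["reissued_on"]).days
    return (as_of - registration[domain]).days


if __name__ == "__main__":
    hits = find_dormant_reissue(SAMPLE_CT_ENTRIES)
    for domain in SAMPLE_REGISTRATION:
        print(domain, "flagged" if domain in hits else "clean",
              "effective age:", effective_age_days(domain, hits), "days")
    for domain, f in hits.items():
        print(" ", domain, f["gap_days"], "day gap; new names:", f["new_subdomains"])
```

The control domain renews every year and adds one hostname, so it is never flagged: the check fires on the combination of dormancy and new names, not on either alone. The output of `effective_age_days` is meant to replace the raw registration age in whatever scoring the mail gateway already does, which is the least invasive way to close the blind spot the article describes.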