Hackers abuse .arpa DNS and IPv6 to evade phishing defenses

Divergent

Jul 26, 2025
Threat actors are abusing the special-use ".arpa" domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways.

The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.

IPv4 reverse lookups use the in-addr.arpa domain, while IPv6 uses ip6.arpa. In these lookups, the resolver queries a name derived from the IP address: the address is written in reverse order and appended to one of these domains.

Executive Summary

Confirmed Facts

Threat actors are actively utilizing the special-use .arpa top-level domain, specifically ip6.arpa, to embed phishing URLs in emails, successfully bypassing domain reputation checks and email security gateways.

Assessment
By acquiring IPv6 address blocks and manipulating their associated reverse DNS zones to host A records instead of standard PTR records, attackers have weaponized trusted internet infrastructure to cloak malicious traffic routing.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.002

Phishing: Spearphishing Link

T1583.008
Acquire Infrastructure: Malicious DNS Server

T1568.002
Dynamic Resolution: Domain Generation Algorithms

T1090.001
Connection Proxy

CVE Profile
N/A [Protocol Abuse]
[CISA KEV Status: Inactive]

Telemetry

Reverse IPv6 DNS Record

"d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa"

IPv4 Reference IP
"192.178.50[.]36"

IPv6 Reference IP
"2607:f8b0:4008:802@[::]2004"

Constraint
The exact backend payloads are unknown as they exist behind a Traffic Distribution System (TDS); however, the routing infrastructure suggests credential harvesting operations.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Update email security policies and acceptable use guidelines to account for the weaponization of infrastructure-level Top Level Domains (TLDs).

DETECT (DE) – Monitoring & Analysis

Command
Implement SIEM alerting for outbound HTTP/HTTPS connections to hostnames under *.ip6.arpa or *.in-addr.arpa, as these domains should strictly serve PTR reverse lookups, not web traffic.

Command
Configure email gateways to flag or quarantine inbound emails containing hyperlinks with .arpa suffixes.

RESPOND (RS) – Mitigation & Containment

Command
Block known malicious .arpa subdomains and associated rogue IPv6 blocks at the perimeter firewall and via DNS sinkholing.

RECOVER (RC) – Restoration & Trust

Command
Validate that no internal hosts have successfully established connections to identified TDS infrastructure or submitted credentials to associated portals.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Audit external DNS management platforms to ensure organizational IP blocks are not vulnerable to dangling CNAME hijacking or subdomain shadowing, which were also observed in this campaign.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Do not interact with or click on unexpected images or links in emails, particularly those claiming you have won a prize or posing as account notifications.

Command
If a suspicious .arpa link was clicked: "Do not log into banking/email until verified clean."

Priority 2: Identity

Command
Reset passwords and cycle MFA tokens using a known clean device (e.g., phone on 5G) if credentials were submitted to an unfamiliar portal.

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions. (Standard post-incident precaution, though this specific vector functions primarily as a phishing gateway).

Hardening & References

Baseline

CIS Benchmarks for DNS Server Security and Email Gateway Configuration.

Framework
NIST CSF 2.0 / SP 800-61r3.

Protocol References
Refer to RFC 3152 (Delegation of IP6.ARPA) and RFC 1034 (Domain Names - Concepts and Facilities) regarding proper PTR record deployment and expected reverse zone behavior.

Sources

Infoblox Threat Intel

BleepingComputer
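The reverse-DNS naming described at the top of the post, the ip6.arpa record in the Telemetry section, and the DETECT recommendations, worked through as an added example (not code from the post, Infoblox or BleepingComputer). It assumes a BIND-style resolver query-log format, the "login." label and the log lines are constructed sample input, and the IPv6 prefix it prints is derived arithmetically from the quoted record, not a claim about who holds that block.

```python
import ipaddress
import re
from urllib.parse import urlparse

REVERSE_ZONES = ("in-addr.arpa", "ip6.arpa")
# Reverse IPv6 DNS record quoted in the Telemetry section above
PAGE_RECORD = "d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa"

def reverse_name(addr):
    """Name a resolver looks up for a PTR query on an IP address:
    in-addr.arpa reverses the 4 octets, ip6.arpa reverses all 32 hex nibbles."""
    return ipaddress.ip_address(addr).reverse_pointer

def zone_prefix(arpa_name):
    """Undo the nibble reversal: map an ip6.arpa zone name to the IPv6 prefix it covers."""
    name = arpa_name.rstrip(".").lower()
    suffix = ".ip6.arpa"
    if not name.endswith(suffix):
        raise ValueError("not an ip6.arpa name")
    nibbles = "".join(reversed(name[:-len(suffix)].split(".")))
    addr = ipaddress.IPv6Address(int(nibbles.ljust(32, "0"), 16))
    return f"{addr}/{4 * len(nibbles)}"  # 16 nibbles -> a /64 zone

def is_reverse_zone_name(host):
    h = host.rstrip(".").lower()
    return any(h == z or h.endswith("." + z) for z in REVERSE_ZONES)

def flag_dns_query(qname, qtype):
    """PTR lookups under .arpa are normal; any other record type there is the anomaly."""
    return is_reverse_zone_name(qname) and qtype.upper() != "PTR"

def flag_url(url):
    """Flag a hyperlink (e.g. from an email) whose host sits under a reverse-DNS zone."""
    return is_reverse_zone_name(urlparse(url).hostname or "")

# Constructed sample resolver log lines (BIND-style query-log format, assumed).
SAMPLE_DNS_LOG = """\
client 10.0.0.5 query: 36.50.178.192.in-addr.arpa IN PTR
client 10.0.0.5 query: login.d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa IN A
client 10.0.0.7 query: www.example.com IN AAAA
"""
LOG_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")

def scan_dns_log(text):
    """Return the query names in a log that are non-PTR lookups under .arpa."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and flag_dns_query(m["qname"], m["qtype"]):
            hits.append(m["qname"])
    return hits
```

Only the A query for a name under ip6.arpa is flagged; the PTR lookup under in-addr.arpa is ordinary reverse DNS and passes.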