Abusing .arpa: The TLD That Isn’t Supposed to Host Anything
ID: b05c9225-7b75-5337-8663-99ca18f27fa3
STIX ID: report--b05c9225-7b75-5337-8663-99ca18f27fa3
Feed Name: Infoblox Threat Intel Blog
This report examines active phishing campaigns that use a novel technique: after acquiring delegated IPv6 space, the actors create A records on IPv6 reverse DNS (ip6.arpa) names, giving them malicious links with no domain reputation history. The links sit behind images in phishing emails and redirect users through traffic distribution systems to fraudulent landing pages. The actors also hijack dangling CNAMEs and use domain shadowing across reputable services (e.g., Cloudflare, Hurricane Electric) to increase deliverability and evade detection. The report includes example indicators, abused domains, and notes on detection challenges and mitigation implications.
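The technique rests on the structure of reverse-DNS names: an ip6.arpa name is the nibbles of an IPv6 address in reverse order, so any actor who controls the reverse delegation for a prefix can publish forward records (such as A records) under it. The following is an added example, not code from the report or from Infoblox, showing a practical check a mail or proxy team could run offline: decode any ip6.arpa or in-addr.arpa hostname found in an http(s) URL back to the IP prefix it represents and flag it, since reverse-DNS names have no legitimate reason to appear as web link hosts. The log lines and the host built from the 2001:db8::/32 documentation prefix are constructed for the example; a real deployment would additionally resolve the flagged name to confirm it carries an A record.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the ip6.arpa name for 2001:db8::1 (documentation prefix),
# written as 32 reversed hex nibbles. Not an indicator from the report.
SAMPLE_ARPA_HOST = "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa"

# Constructed sample log lines (e.g. from an email-body or proxy scanner).
SAMPLE_LOG = [
    'msg=42 img src="http://' + SAMPLE_ARPA_HOST + '/t/pixel.png"',
    'msg=43 img src="https://cdn.example.com/logo.png"',
    'msg=44 a href="http://10.2.0.192.in-addr.arpa/login"',
]


def decode_arpa_name(hostname: str) -> Optional[Network]:
    """Map a reverse-DNS name to the IP network it encodes.

    Returns None if the name is not a well-formed ip6.arpa / in-addr.arpa
    name. Shorter label chains decode to the corresponding prefix
    (e.g. 8.b.d.0.1.0.0.2.ip6.arpa -> 2001:db8::/32).
    """
    name = hostname.rstrip(".").lower()

    if name.endswith(".ip6.arpa"):
        labels = name[: -len(".ip6.arpa")].split(".")
        # Every label must be a single hex nibble; at most 32 of them.
        if len(labels) > 32 or not all(re.fullmatch(r"[0-9a-f]", l) for l in labels):
            return None
        nibbles = "".join(reversed(labels))          # most-significant nibble first
        prefix_len = 4 * len(nibbles)
        padded = nibbles.ljust(32, "0")
        groups = ":".join(padded[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network(f"{groups}/{prefix_len}", strict=False)

    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        # Every label must be a decimal octet; at most 4 of them.
        if len(labels) > 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            return None
        octets = list(reversed(labels))
        prefix_len = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix_len}", strict=False)

    return None


URL_RE = re.compile(r"https?://([^/\s:\"']+)[^\s\"']*")


def flag_arpa_urls(lines: List[str]) -> List[Tuple[str, Network]]:
    """Return (url, decoded network) for every http(s) URL whose host is a
    reverse-DNS name. Such hosts should never appear in legitimate links."""
    hits = []
    for line in lines:
        for m in URL_RE.finditer(line):
            net = decode_arpa_name(m.group(1))
            if net is not None:
                hits.append((m.group(0), net))
    return hits


if __name__ == "__main__":
    for url, net in flag_arpa_urls(SAMPLE_LOG):
        print(f"ARPA host in link: {url} -> {net}")
```

The decoded prefix is what makes the alert actionable: it tells the analyst which delegated IPv6 or IPv4 block the actor controls, so the block itself can be reported to the delegating provider or added to a blocklist rather than chasing individual names.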
