Hackers Abuse .arpa DNS and IPv6 to Bypass Phishing Defenses

By alex2404

The domain in the phishing link reads like a string of digits and dots: d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa. Most recipients never see it. It’s embedded inside an image. And most email security systems don’t know what to do with it.

That’s the point.

A phishing campaign documented by Infoblox exploits a corner of the internet's infrastructure that almost nobody watches: the .arpa top-level domain. It exists not for websites but for infrastructure purposes, the best known of which is reverse DNS. When a system wants to know which hostname belongs to a given IP address, it queries in-addr.arpa for IPv4 addresses or ip6.arpa for IPv6, using a name built from the address written backwards (one octet per label for IPv4, one hex nibble per label for IPv6, which is why the hostname above reads as a string of digits and dots). The answers come back as PTR records. Carrying those PTR answers is the only thing the two zones were designed to do.

Attackers found a gap. A reverse zone is an ordinary DNS zone, and nothing in the protocol limits it to PTR records; some DNS management platforms therefore let the operator of an IPv6 address block add other record types to its reverse zone, including A records that point to arbitrary infrastructure. By first obtaining a block of IPv6 addresses through a tunneling service, threat actors get the corresponding ip6.arpa zone delegated to them and with it administrative control over its contents. From there, according to the report, they create A records that resolve to phishing servers, and because every address in the block has its own reverse name, they can mint randomized hostnames across the range that are difficult to block at scale.

Why Security Tools Miss It

Domain reputation systems are built around conventional hostnames. A newly registered domain for a phishing site raises flags. An ip6.arpa name does not: it is not a freshly registered domain at all, its parent zone has existed for decades, and the .arpa namespace carries the implicit trust of internet infrastructure itself. The attackers exploit that trust directly.

Infoblox confirmed that threat actors abused both Hurricane Electric and Cloudflare to create these records, specifically because those providers carry strong reputations that email security gateways are unlikely to flag. “Both of which have good reputations that actors leverage,” the company states. Other DNS providers were also found to allow the same configurations, though testing was not exhaustive. The affected providers were notified.

The phishing emails themselves use familiar social engineering: prize notifications, survey rewards, account alerts. The malicious link is not displayed as text but embedded inside an image, so the ip6.arpa hostname remains invisible to the recipient. They see a banner. They click. The underlying URL resolves through the abused reverse DNS zone to a phishing site.

The Infrastructure Chain

The setup requires several deliberate steps. Attackers acquire IPv6 address space through tunneling services. They establish control of the corresponding reverse DNS zone. They configure non-PTR record types within that zone, a capability that has no legitimate use in reverse DNS operation but that the DNS protocol does not forbid and that some platforms permit. They generate randomized subdomains across the IPv6 range to make pattern-based blocking impractical. Then they build the lure emails around those records.
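The chain above, worked through as an added example (this is not code from the article or from Infoblox). The first function decodes a reverse name into the prefix it covers, including the article's own example, which is a /64; the second triages a URL the way a mail gateway could, flagging any hostname that lies under in-addr.arpa or ip6.arpa and walking up past attacker-added random labels to recover the enclosing zone so the prefix can be looked up in WHOIS/RDAP; the third is the check a DNS provider or zone owner could run over a zone export to catch A records in a reverse zone. Standard library only. The zone records and URLs are constructed for the example, using the 192.0.2.0/24 documentation range and example.net.

```python
"""Triage .arpa hostnames in phishing URLs and audit reverse zones.

Added example, stdlib only.  The zone records and URLs below are constructed
for illustration (documentation range 192.0.2.0/24, example.net names).
"""
import ipaddress
import re
from urllib.parse import urlsplit

ARPA_SUFFIXES = (".ip6.arpa", ".in-addr.arpa")

# Record types that belong in a reverse zone: PTR answers plus zone plumbing
# (SOA, NS) and the CNAME/DNAME used for classless delegation.  Anything
# else, A records above all, is an anomaly worth flagging.
EXPECTED_REVERSE_RRTYPES = {"PTR", "SOA", "NS", "CNAME", "DNAME"}


def arpa_name_to_network(name):
    """Decode an ip6.arpa or in-addr.arpa name into the network it covers.

    A reverse name is the address written backwards, one hex nibble per label
    under ip6.arpa and one octet per label under in-addr.arpa.  A name shorter
    than a full address denotes a prefix: 16 nibbles is a /64, 3 octets a /24.
    Returns None for anything that is not a well-formed reverse name.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if not 1 <= len(nibbles) <= 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles)).ljust(32, "0")  # pad host bits with zeros
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network((addr, 4 * len(nibbles)))
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        addr = ".".join(list(reversed(octets)) + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network((addr, 8 * len(octets)))
    return None


def classify_url(url):
    """Triage one URL: flag hostnames that sit under a reverse-DNS zone.

    Attackers may prepend arbitrary labels to the zone name, so when the full
    hostname does not decode, walk up the name until the enclosing reverse
    zone does and report that prefix for a WHOIS/RDAP lookup.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    verdict = {"host": host, "suspicious": False, "network": None, "reason": ""}
    if not host.endswith(ARPA_SUFFIXES):
        return verdict
    labels = host.split(".")
    network = None
    for i in range(len(labels)):
        network = arpa_name_to_network(".".join(labels[i:]))
        if network is not None:
            break
    verdict["suspicious"] = True
    verdict["network"] = str(network) if network is not None else None
    verdict["reason"] = "hostname lies under a reverse-DNS zone (%s); web content does not belong there" % (
        network if network is not None else "no decodable prefix")
    return verdict


def audit_reverse_zone(records):
    """Return the records in a zone export that do not belong in a reverse zone.

    `records` is an iterable of (owner, rrtype, rdata) tuples.  A or AAAA
    records under in-addr.arpa or ip6.arpa are what turn a reverse zone into
    hosting for phishing hostnames.
    """
    findings = []
    for owner, rrtype, rdata in records:
        o = owner.lower().rstrip(".")
        if o.endswith(ARPA_SUFFIXES) and rrtype.upper() not in EXPECTED_REVERSE_RRTYPES:
            findings.append((owner, rrtype.upper(), rdata))
    return findings


# Constructed zone export for the /64 named in the article (documentation IPs).
ZONE_APEX = "d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa."
SAMPLE_ZONE = [
    (ZONE_APEX, "SOA", "ns1.example.net. hostmaster.example.net. 1 3600 900 604800 300"),
    (ZONE_APEX, "NS", "ns1.example.net."),
    ("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." + ZONE_APEX, "PTR", "mail.example.net."),  # legitimate PTR
    (ZONE_APEX, "A", "192.0.2.10"),                                                  # phishing host at the apex
    ("4.f.a.c.e.b.0.0.0.0.0.0.0.0.0.0." + ZONE_APEX, "A", "192.0.2.10"),             # randomized subdomain
]

if __name__ == "__main__":
    for url in ("http://" + ZONE_APEX.rstrip(".") + "/claim", "https://www.example.com/login"):
        print(classify_url(url))
    for finding in audit_reverse_zone(SAMPLE_ZONE):
        print("unexpected record in reverse zone:", finding)
```

Decoding the article's hostname yields 2001:470:36:edd::/64, which is what an analyst would take to WHOIS/RDAP to find out which provider's address space, and therefore which tunnel or DNS service, the zone belongs to. The audit deliberately treats any non-PTR data record as a finding rather than enumerating bad types, since a provider that permits A records in a reverse zone is likely to permit AAAA, MX and others too.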

Each layer of that chain relies on something legitimate: real address space, real DNS providers, a real top-level domain reserved for internet plumbing. The result is a phishing infrastructure that, by design, looks nothing like a phishing infrastructure to the tools scanning for one.


This article is a curated summary based on third-party sources.
