
Abusing .arpa: The TLD That Isn't Supposed to Host Anything

Published 27/02/2026 09:28 · Modified 27/02/2026 10:00


Essential information

Published
27/02/2026 09:28
Modified
27/02/2026 10:00
Tags
2026-02-27, arpa, tld, cname hijacking, dns abuse, ipv6, phishing, reverse dns, subdomain shadowing
Related entities
4 techniques (mitre), 13 others

Description

Threat actors have discovered a novel method of bypassing security controls by abusing the .arpa top-level domain (TLD) in conjunction with tunnels. They exploit a feature of some providers' DNS record management to add IP address records for .arpa domains, which lets them host content on names that should never resolve to an IP address. The campaigns use spam emails impersonating major brands, with hyperlinked images that lead to malicious websites through traffic distribution systems. The technique weaponizes trusted infrastructure that is essential to network operations, so security tools that judge a domain by reputation, registration information, or policy blocklists struggle to flag these names as suspicious.
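A defender-side check derived from the description above, added here as an example and not part of the original entry: it extracts hostnames from links pulled out of a message, reports any that sit under .arpa (a TLD that should never be a link target in user-facing mail), and escalates those whose resolver answer carries an A or AAAA record, since a reverse zone should hold only PTR, NS and SOA data. The links and the resolver answers are constructed sample data, not real infrastructure.

```python
import re
from urllib.parse import urlsplit

# Constructed sample links, as might be extracted from hyperlinked images in a
# spam email. The hosts are illustrative only and are not real infrastructure.
SAMPLE_LINKS = [
    "https://www.example.com/offer",
    "https://4.3.2.1.in-addr.arpa/track",
    "http://0.8.b.d.0.1.0.0.2.ip6.arpa/login",
    "https://deals.example.net/",
]

# Constructed resolver answers keyed by hostname (record type -> values).
# A reverse zone normally carries only PTR/NS/SOA data; an A or AAAA answer
# is the anomaly the description above refers to.
SAMPLE_ANSWERS = {
    "4.3.2.1.in-addr.arpa": {"PTR": ["mail.example.org."]},
    "0.8.b.d.0.1.0.0.2.ip6.arpa": {"AAAA": ["2001:db8::1"],
                                   "NS": ["ns1.tunnel.invalid."]},
}

ADDRESS_TYPES = {"A", "AAAA"}
ARPA_RE = re.compile(r"(^|\.)arpa$", re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname of a URL without a trailing dot, or None."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_arpa(host):
    """True for any name under the .arpa infrastructure TLD."""
    return bool(ARPA_RE.search(host))


def flag_arpa_links(links, answers):
    """Return (host, reason) pairs for links that point into .arpa.

    Every .arpa link is reported because .arpa is not meant to host content;
    hosts whose answer contains an address record get the stronger reason.
    """
    findings = []
    for url in links:
        host = host_of(url)
        if not host or not is_arpa(host):
            continue
        if ADDRESS_TYPES & set(answers.get(host, {})):
            findings.append((host, "address record under .arpa"))
        else:
            findings.append((host, "link into .arpa"))
    return findings


if __name__ == "__main__":
    for host, reason in flag_arpa_links(SAMPLE_LINKS, SAMPLE_ANSWERS):
        print(f"{reason}: {host}")
```

In production the `answers` mapping would come from a live resolver query for A/AAAA on each flagged host; the PTR-only host is still reported, since a mail link into a reverse zone is unusual on its own.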

External references