Significant increase in phishing activities using .es domain names

Be cautious: Verify your Microsoft login details prior to entry

Increased exploitation of .es domains for malicious phishing activities

Spain's country-code top-level domain (ccTLD) .es, an EU ccTLD, has recently seen a significant increase in malicious activity. According to ICANN, abuse of .es rose 19-fold from Q4 2024 to Q1 2025, making it the third most abused TLD between January and May 2025, behind only .com and .ru.

The primary malicious activity observed is credential phishing, which accounts for over 99% of the cases involving .es subdomains, with Microsoft the most commonly impersonated brand. Threat actors use pseudo-dynamically generated subdomains to evade detection, hosting phishing pages that are delivered through links in emails or in attachments.

Many of these malicious .es phishing sites are hosted behind Cloudflare, which provides content delivery and security services. Attackers thereby benefit from Cloudflare's performance and protection features, including CAPTCHA challenges, which make it harder for automated tools to crawl, detect and block the phishing pages.

While the increased abuse of .es domains may not be directly caused by how easy Cloudflare is to deploy, its robust and reliable network inadvertently helps threat actors host and deliver phishing content at scale, which complicates efforts to quickly identify and take down these malicious domains.

It's worth noting that ccTLDs like .es do not support bulk registrations, making them less appealing to those who wish to abuse them en masse. Even so, the nature of the phishing campaigns observed over the past six months suggests that dodgy .es websites could be here to stay.

The abuse of .es domains is becoming a common technique across a large group of threat actors rather than a few specialized groups. The malicious content hosted on .es domains is often well-crafted, and the domains hosting it are in most cases randomly generated.

Examples of subdomains observed on randomly generated .es base domains include ag7sr.[fjlabpkgcuo.es], esgymi8.[fwpzza.es], md6h60.[hukqpeny.es] and Shmkd.[jlaancyfaw.es].

The malware is distributed either via a C2 node or via a malicious email spoofing a well-known brand, most often Microsoft (95 percent of cases). Most phishing pages on .es domains use Cloudflare's Turnstile CAPTCHA.

As of May, 1,373 subdomains were hosting malicious web pages on 447 .es base domains. No preferences specific to particular threat actors were observed among those using .es domains, which points to a wide variety of actors using this TLD.
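The random-looking base domains and letter-digit subdomains quoted above lend themselves to a simple triage heuristic over web-proxy logs. The following Python is an added example, not part of the original article or any vendor tool: it scores every .es host in a constructed log on vowel ratio, longest consonant run and digit-mixed subdomain labels, and returns the hosts worth a closer look. The log lines, the 0.35 and 4 cut-offs and the benign host universidad-ejemplo.es are all assumptions.

```python
import re
VOWELS = set("aeiou")

# Constructed proxy log: the four random-looking hosts are the article's quoted
# indicators; universidad-ejemplo.es is a made-up benign Spanish host.
SAMPLE_LOG = """\
2025-05-02T09:14:07Z 10.0.4.21 GET https://ag7sr.fjlabpkgcuo.es/login
2025-05-02T09:15:31Z 10.0.4.37 GET https://esgymi8.fwpzza.es/office365/auth
2025-05-02T09:16:02Z 10.0.4.21 GET https://www.universidad-ejemplo.es/matricula
2025-05-02T09:17:45Z 10.0.4.50 GET https://md6h60.hukqpeny.es/verify
2025-05-02T09:18:10Z 10.0.4.11 GET https://shmkd.jlaancyfaw.es/
"""

def vowel_ratio(label):
    """Share of vowels among the letters of a DNS label (0.0 if no letters)."""
    letters = [c for c in label.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def max_consonant_run(label):
    """Longest run of consecutive consonants; 'y' counts as a consonant."""
    run = best = 0
    for c in label.lower():
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    return best

def score_host(host):
    """(score, reasons) for a host under .es; (0, []) otherwise. The base label is
    the one left of '.es'; registry second-level suffixes need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "es":
        return 0, []
    base = labels[-2]
    sub = labels[-3] if len(labels) >= 3 else ""
    reasons = []
    if vowel_ratio(base) < 0.35:           # natural Spanish words are vowel-rich
        reasons.append("base label has few vowels")
    if max_consonant_run(base) >= 4:       # e.g. 'bpkgc' in fjlabpkgcuo
        reasons.append("base label has a long consonant run")
    if re.search(r"\d", sub) and re.search(r"[a-z]", sub):
        reasons.append("subdomain mixes letters and digits")
    return len(reasons), reasons

def triage_log(log, threshold=2):
    # Map each .es host in the log that scores >= threshold to its reasons.
    hits = {}
    for m in re.finditer(r"https?://([^/\s:]+)", log):
        score, reasons = score_host(m.group(1))
        if score >= threshold:
            hits[m.group(1)] = reasons
    return hits
```

A score of 2 or more on a host no user in the organisation has a reason to visit is a reasonable trigger for a blocklist review; short legitimate brand labels can also score on the vowel test, so the heuristic is for triage rather than automatic blocking.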

Despite these concerns, it's important to note that the .es top-level domain is used for websites targeting Spanish-speaking audiences or those based in Spain. ccTLDs like .es often have more restrictions on who can register compared to generic TLDs (gTLDs) like .top and .zip.

In conclusion, the sharp rise in malicious .es domain activity is largely the result of threat actors exploiting a relatively less scrutinized Spanish TLD with sophisticated phishing campaigns, heavily focused on Microsoft credential theft and built on dynamically generated subdomains. Cloudflare's infrastructure gives these campaigns a resilient hosting platform and anti-automation defenses that let them persist and evade detection longer.

  1. The surge in malicious activities within the .es domain, a popular choice among threat actors, is significantly driven by AI-enabled cybersecurity threats, such as credential phishing, where Microsoft accounts are commonly impersonated brands.
  2. To escalate their phishing activities undetected, these threat actors often utilize advanced technology, including Cloudflare's infrastructure for hosting and security services, shifting the focus of cybersecurity efforts towards safeguarding cloud-based systems.
  3. In the face of these increasing cybersecurity challenges, it is crucial to enhance our AI and security measures to protect data, especially in regions with domain extensions like .es, which may have fewer restrictions and less scrutiny compared to generic TLDs.
