Internet Infrastructure TLD .arpa Abused in Phishing Attacks

A malicious actor has abused .arpa to host phishing sites.

A threat actor is abusing the .arpa top‑level domain to host phishing sites by adding unauthorized A records. Emails impersonating major brands use hidden hyperlinks that redirect victims through reverse‑DNS‑formatted domains to malicious content. Attackers exploited DNS provider vulnerabilities to claim .arpa subdomains and used Cloudflare and Hurricane Electric to mask true hosting locations. Randomized subdomains and hijacked CNAME records make detection harder, with campaigns observed running frequently since late 2025.
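A defensive check for the link pattern described above, as an added example that is not from the original brief or the linked report: it extracts anchor targets from an HTML email body and flags any whose host sits under .arpa, where reverse-DNS names normally carry PTR records rather than web content. The function names and the sample message (built on documentation address ranges) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Reverse-DNS zones under .arpa; names here normally hold PTR records, not websites.
REVERSE_ZONES = ("in-addr.arpa", "ip6.arpa")

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def classify_host(host):
    """Return 'reverse-dns', 'arpa-other', or None for a hostname."""
    host = host.rstrip(".").lower()
    if any(host == z or host.endswith("." + z) for z in REVERSE_ZONES):
        return "reverse-dns"
    if host == "arpa" or host.endswith(".arpa"):
        return "arpa-other"
    return None

def find_arpa_links(html_body):
    """Return [(href, host, kind)] for anchors whose host is under .arpa."""
    collector = _LinkCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        try:
            host = (urlsplit(href.strip()).hostname or "").rstrip(".")
        except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
            continue
        kind = classify_host(host) if host else None
        if kind:
            hits.append((href, host, kind))
    return hits

# Constructed sample body; hosts use documentation ranges, not real indicators.
SAMPLE = """<p>Your account needs attention.</p>
<a href="https://k3v9.10.2.0.192.in-addr.arpa/login"><img src="cid:banner"></a>
<a href="http://a1b2.8.b.d.0.1.0.0.2.ip6.arpa/"> </a>
<a href="HTTP://Q9.10.2.0.192.IN-ADDR.ARPA./x">Verify</a>
<a href="https://www.example.com/help?ref=in-addr.arpa">Help</a>"""

if __name__ == "__main__":
    for href, host, kind in find_arpa_links(SAMPLE):
        print(f"{kind:12} {host}  <- {href}")
```

The match is on the parsed hostname only, so a benign link that merely mentions `in-addr.arpa` in its query string is not flagged.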

Read more:

https://www.securityweek.com/internet-infrastructure-tld-arpa-abused-in-phishing-attacks/

Tagged: malware phishing