Among the numerous cyber threats that enterprises must contend with, domain-based attacks hold a prominent position. These are attacks that target or exploit domain names or DNS infrastructure. They’re hardly new, but the threat is growing and mutating rapidly.
One study found that in 2024, one in every 174 DNS requests was malicious, compared with one in 1,000 the previous year. Attackers only need to succeed once to cause a company costly downtime, a significant data breach and/or a loss of trust.
What are domain-based attacks?
Domain-based attacks are highly varied, although many methods share similarities and can be used in conjunction with one another. For example, domain spoofing and website spoofing often occur in tandem. Domain hijacking and domain shadowing both exploit DNS settings; however, hijacking takes advantage of a decommissioned or unclaimed domain, whereas shadowing involves compromising the settings of an active domain.
Common domain-based attacks include:
Website spoofing, where pseudo-sites are designed to trick visitors into believing they are on the real site.
Domain spoofing, when the URL mimics the URL of the real site.
Email domain phishing, which involves messages sent from legit-looking email domains to trick people into clicking on dangerous links or opening malicious attachments.
DNS hijacking, which redirects traffic from legitimate sites to malicious ones.
Domain and subdomain hijacking, where attackers gain control of a legitimate domain or an unused or forgotten subdomain.
Domain shadowing, where attackers create malicious subdomains within a trusted domain that has been compromised.
Search engine poisoning, where malicious domains rank in search via AI-generated content.
Cybercriminals often employ multiple tactics to enhance the credibility of their attacks. For example, a phishing email with a fake domain name may include a link to a spoof website, which is used to harvest the victim’s login credentials.
AI makes domain-based attacks more serious
There are several reasons why domain-based attacks are becoming a greater challenge for security teams.
As cybersecurity has improved with EDR solutions, next-generation firewalls and advanced cloud protections, cybercriminals have shifted their focus to softer targets. Domains and DNS infrastructure often lie outside the organization’s perceived security perimeter, and many attacks exploit human error, such as phishing emails and spoof sites.
But the main factor in the rise of domain-based attacks is AI. Research by Darktrace found that AI-powered cyber threats are having a significant impact on 78% of surveyed organizations, with AI-powered phishing being the top threat.
Because of AI:
Phishing, domain hijacking and spoofing attacks are more sophisticated, personalized and convincing.
Shadow AI is growing, raising the risk of leaks that criminals can exploit in domain-based attacks.
Cybercriminals can launch attacks so frequently that security teams struggle to keep up.
Attacks are more complex and harder to spot, combining multiple techniques like ransomware deployed through social engineering and a lookalike domain.
Unsuspecting users are directed to fake URLs because an AI chatbot was tricked into suggesting them.
Let’s take a detailed look at some specific trends in domain-based attacks, why they’re worthy of the full attention of cybersecurity teams and how to go about addressing them.
Website spoofing reaches new levels
Website spoofing has become more sophisticated and convincing. Where you used to see misspellings, mistakes and poor grammar, now there’s just a clean and polished site that looks very much like the original.
We’re seeing:
AI-generated spoof sites, often including realistic, dynamic phishing pages on fake domains and deepfake content like AI-generated voice or video impersonations.
Fake support sites hosting AI chatbots that hold conversations with visitors to harvest their personal information.
Fake-to-real website redirects, where users are misled into visiting fake sites and subsequently redirected to the genuine site.
“Reverse redirects are particularly dangerous … [as they] send users from phishing sites back to legitimate ones to minimize the victim’s exposure time on the impersonated website and avoid arousing suspicion,” warns Gideon Hazam, COO of Memcyco. “The longer victims don’t realize they’re being scammed, the less likely they are to report the incident and the less visibility the legitimate business has to intervene effectively.”
Addressing the issue requires a preemptive approach, scouring the web for content that bears a semantic resemblance to a legitimate domain and blocking any redirects to or from the real site. Today, it’s possible to scalably compare suspected sites with legitimate sites, identifying errors in language tone, design elements and structural layout, as well as cloaking techniques and mismatched domain registrations.
Email domain spoofing gives phishing a boost
Human error remains the primary cause of data breaches, and traditional email phishing remains highly effective in compromising sensitive information. According to a report from Cisco Talos, phishing attacks spiked from 25% of all attacks in 2024 to 50% in Q1 2025 and 33% in Q2 2025.
Part of what makes attacks so effective is the use of email domain spoofing. This occurs when attackers manipulate the email header so that the “from” address appears to be a trusted domain, e.g., realperson@electriccompany.com. The Cisco Talos report found that when it comes to phishing, the most commonly spoofed brands include Apple, Shein, American Express, LinkedIn and Amazon.
AI has made this tactic even more convincing and realistic. AI-generated phishing emails can include deepfake content, like audio or video clips. CrowdStrike found that vishing attacks increased 442% between the first and second half of 2024.
Emails are more sophisticated, with higher volumes of text that deceive more victims. Sometimes, these attacks set into motion multistage processes, such as ClickFix, which tricks victims into believing they are verifying their human identities, whereas in reality, they’re unwittingly injecting malicious code into their systems.
There are tools available to protect against phishing emails, including DKIM and DMARC email authentication protocols. But these aren’t always effective – an estimated 70% of phishing emails pass DMARC checks, and 55% pass other email security measures. This underscores the importance of training employees to recognize phishing attempts, as only an updated and aware human firewall can recognize spoofed emails and stop social engineering trickery.
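DMARC is only as strong as the policy a domain publishes, and it says nothing about a domain the attacker owns outright. The following is an added Python example (not code from the article or from any vendor it cites) that evaluates a message's DMARC disposition the way a receiving mail server would: look up the sender domain's policy, test SPF and DKIM identifier alignment, and apply the published policy when neither aligns. It assumes a hypothetical in-memory table standing in for the `_dmarc.<domain>` TXT lookups, constructed `.example` domains, and a simplified organizational-domain rule (last two labels) in place of the Public Suffix List; the `sp` and `pct` tags are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>. These are not
# real records; the domains are reserved .example names used for illustration.
DNS_TXT = {
    "_dmarc.electriccompany.example": "v=DMARC1; p=reject; adkim=s; aspf=s; "
                                      "rua=mailto:dmarc@electriccompany.example",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    # A look-alike domain registered by an attacker publishes its own passing policy.
    "_dmarc.electriccompany-support.example": "v=DMARC1; p=reject",
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels
    (real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str                   # domain in the RFC 5322 From header
    spf_domain: Optional[str] = None   # MAIL FROM domain if SPF passed, else None
    dkim_domain: Optional[str] = None  # d= of a passing DKIM signature, else None


def dmarc_disposition(msg: AuthResults, dns=DNS_TXT) -> str:
    """Return 'pass', 'reject', 'quarantine', 'none' or 'no-policy'."""
    record = dns.get("_dmarc." + msg.header_from.lower())
    if record is None:  # fall back to the organizational domain's record
        record = dns.get("_dmarc." + org_domain(msg.header_from))
    tags = parse_dmarc(record) if record else None
    if not tags:
        return "no-policy"  # the receiver has nothing to enforce
    spf_ok = aligned(msg.header_from, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(msg.header_from, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("reject", "quarantine") else "none"


# Constructed scenarios: a forged From header against a p=reject domain, the
# same forgery against a p=none domain, and a look-alike domain the attacker owns.
SPOOF_PROTECTED = AuthResults("electriccompany.example", spf_domain="mailer.attacker.example")
SPOOF_WEAK = AuthResults("weak.example", spf_domain="mailer.attacker.example")
LOOKALIKE = AuthResults("electriccompany-support.example",
                        spf_domain="electriccompany-support.example")

if __name__ == "__main__":
    for name, msg in [("spoofed protected domain", SPOOF_PROTECTED),
                      ("spoofed p=none domain", SPOOF_WEAK),
                      ("look-alike with its own DMARC", LOOKALIKE)]:
        print(f"{name}: {dmarc_disposition(msg)}")
```

The three scenarios show why the pass rate quoted above is not a contradiction: the forged header is rejected only where the real domain publishes `p=reject`, a `p=none` policy delivers the forgery and merely reports it, and a look-alike domain with its own valid SPF passes cleanly because DMARC never asks whether the domain resembles someone else's.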
Domain and DNS hijacking are evolving
Redirecting domain traffic using compromised DNS records or hijacking legit domains are established tactics that are gaining new power.
Today’s advanced techniques include:
Cache poisoning involves inserting malicious data into a cache, causing users to receive fake or harmful information.
Traffic distribution system (TDS) attacks involve routing victims through a complex maze of domain names (the TDS) to deceive investigators. TDS has evolved under the radar, as the security industry overlooked it for years. In H1 2025, Infoblox Threat Intel found that 82% of all customer environments queried domains that were part of a TDS.
DNS tunnelling weaponizes DNS to bypass detection and transmit data packets to and from end users’ systems.
Subdomain hijacking, when malicious actors subvert a legitimate, disused subdomain by exploiting DNS records to point people’s browsers to malicious content.
DNS traffic is a relatively easy way for attackers to bypass perimeter controls because of its trusted nature, making it a favored way to distribute malware. Most websites, apps, services and protocols rely heavily on DNS, providing cybercriminals with numerous avenues for attack. It doesn’t help that security vendors tend to wait for details about new threats before offering upgraded protections.
Domain and DNS hijacking are used systematically by many threat actors on a massive scale, and are difficult for security teams to detect. An initiative by Infoblox reported that 70,000 out of 800,000 monitored domains had been hijacked, and an additional 1 million are vulnerable to this type of attack.
The reality is that cybercriminals will compromise any domain left unsecured. Companies need to employ a layered approach combining firewalls and IDS/IPS, endpoint security and security assessments.
Domain spoofing is not taken seriously
Domain spoofing is a subset of website spoofing. It includes several sub-tactics, such as fake domains that mimic legitimate ones (e.g., micros0ft.com), so people feel safe clicking on a link when they shouldn’t. Homograph attacks utilise lookalike characters from other alphabets (e.g., аррle.com, which uses a Cyrillic letter that resembles an ‘a’ but isn’t), yielding similar results. With typosquatting, people might misspell a domain name (e.g., gooogle.com) and end up looking at a malicious forgery.
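The three look-alike techniques just described (character substitution, homographs from other alphabets and typosquatting) can be caught by the same defensive check: normalise an observed domain to an ASCII "skeleton" and compare it with a brand list. The following is an added Python example, not code from the article or from any vendor it cites. It assumes a hypothetical brand list, a constructed (and deliberately small) confusable-character table, and flags mixed-script labels, confusable matches, close edit distances and embedded brand names; punycode (`xn--`) labels are decoded first so homographs are inspected in Unicode.

```python
import unicodedata

# Constructed brand list for this example; a real deployment would load the
# organization's own domains.
BRANDS = ["microsoft.com", "apple.com", "google.com"]

# Constructed subset of confusables: characters that render like ASCII letters
# (Cyrillic and Greek look-alikes, digits used as letters, two-letter tricks).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0445": "x", "\u0443": "y",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                                # Greek
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def to_unicode(domain):
    """Decode punycode labels (xn--...) so homographs can be inspected."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:  # already Unicode, or not a valid IDNA name
        return domain.lower()


def scripts(label):
    """Set of scripts used by the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain):
    """Map every confusable to its ASCII look-alike (a simplified skeleton)."""
    s = unicodedata.normalize("NFKD", domain)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for multi, single in MULTI_CONFUSABLES.items():
        s = s.replace(multi, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as a doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brands=BRANDS):
    """Return (brand, reason) findings for one observed domain; [] if it looks benign."""
    dom = to_unicode(candidate)
    findings = []
    for label in dom.split("."):
        if len(scripts(label)) > 1:
            findings.append((None, "mixed-script label: " + label))
            break
    for brand in brands:
        if dom == brand or dom.endswith("." + brand):
            return []  # the brand's own domain or one of its subdomains
        if skeleton(dom) == skeleton(brand):
            findings.append((brand, "homograph/confusable"))
        elif levenshtein(dom, brand) <= 2:
            findings.append((brand, "typosquat (edit distance <= 2)"))
        elif brand.split(".")[0] in dom:
            findings.append((brand, "brand name embedded in domain"))
    return findings


if __name__ == "__main__":
    # The article's own examples plus one benign subdomain (all constructed input).
    for d in ["micros0ft.com", "\u0430\u0440\u0440le.com", "gooogle.com",
              "microsoft-login.com", "www.apple.com"]:
        print(d, "->", classify(d))
```

The skeleton comparison is what catches `micros0ft.com` and the Cyrillic `аррle.com`, while the edit-distance check catches `gooogle.com`; the mixed-script test fires independently of the brand list, which makes it useful as a first filter on newly observed domains before any brand comparison.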
AI is inadvertently exacerbating the threat. Netcraft research found that AI chatbots returned the wrong URL for well-known brands almost as often as they returned the correct one. Out of 131 naturally worded questions about web addresses, only 64 (66%) were answered with the brand’s verified site.
This is particularly worrying because people trust AI-generated answers, making them more likely to click through and trust the fake site that follows. URLs suggested by AI engines also often appear without context, like search snippets or verified domain badges, which can help people spot spoof sites before they arrive.
But there are methods for combating domain spoofing, and they aren’t utilized sufficiently. Registry Lock is a cost-effective way to protect domain names against accidental or unauthorized changes, but a study by CSC found that global adoption is only 24%.
Companies also frequently fail to register similar domain names or allow registration to lapse. CSC reported that 80% of registered web domains similar to those of global 2000 brands are owned by third parties, and 42% of these have MX records used to send phishing emails or intercept emails.
Auto-created domains present a new headache
Today’s attackers utilise domain generation algorithms (DGAs) to automatically create domains for a range of attacks, including phishing, spamming, malvertising, data exfiltration and fast-flux attacks. CISA reports that many networks have a gap in defenses around fast-flux attacks, which use IP address rotation and quickly changing DNS name servers to escape detection.
DGAs are powered by AI and move too fast for security teams to keep up. They can register thousands of new domains in a day, whereas it takes investigators months to analyze and mitigate them.
“When domains are new, they have not yet had time to appear on block lists, which gives bad actors time for exploitation,” explains TK Keanini, CTO at DNSFilter. “Attacks can sometimes occur mere minutes after a website is launched, and about one-third of phishing sites disappear just hours after initial detection. It’s almost impossible to notice, evaluate and block new malicious activity in such a short time span.”
Infoblox found that over 25% of the 101 million newly observed domains in the past year were malicious or suspicious, and nearly 55% of domains used for malicious purposes were generated by machine algorithms. DGAs are now the most frequently encountered threat category, surpassing phishing and malware.
CISA recommends that companies implement DNS and IP blocklists, firewall rules and/or non-routable DNS responses to block access to fast flux domains and IP addresses. Blocking new domains also helps reduce the number of alerts that SOC teams receive, allowing them more time to address other threats.
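Blocklists only help once a domain is known; the DNS tunnelling bullet above and the DGA passage here both describe names that are new by design, so the practical first line of detection is the shape of the names in the resolver logs. The following is an added Python example, not code from the article or from any vendor it cites, that runs two heuristics over a small set of constructed resolver log lines: a DGA score on the second-level label (length, character entropy, vowel ratio) and a tunnelling check per registered domain (many distinct, long, high-entropy subdomains, with the share of TXT/NULL queries reported as supporting detail). The log format, thresholds and domains are all assumptions for the example; the registered-domain split is simplified to the last two labels.

```python
import math

# Constructed resolver log lines, "<client> <qname> <qtype>"; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a9f3c0d21e7b4f6a8c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tun.example.net TXT
10.0.0.7 b7e1d4c2f9a0e3b5d6c8a1f2e4d7c9b0a3f5e6d8c1b2a4f7.tun.example.net TXT
10.0.0.7 c3d5e7f9a1b2c4d6e8f0a2b4c6d8e0f1a3b5c7d9e1f3a5b7.tun.example.net TXT
10.0.0.7 d8f0a2b4c6e8f1a3b5d7c9e1f3a5b7d9c1e3f5a7b9d1c3e5.tun.example.net TXT
10.0.0.9 xkqzvbtrwplm.com A
10.0.0.9 qwpxzjvkrtlnbsd.net A
10.0.0.9 cdn.static-assets.example.org A
"""


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def registered_domain(qname):
    """Split into (registered domain, subdomain part). Simplified to the last
    two labels; production code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dga_score(sld):
    """Count DGA-like properties of a second-level label (thresholds are
    constructed for this example, not tuned on real data)."""
    score = 0
    if len(sld) >= 10:
        score += 1
    if entropy(sld) >= 3.2:
        score += 1
    if sum(ch in "aeiou" for ch in sld) / max(len(sld), 1) < 0.25:
        score += 1
    return score


def parse_log(text):
    """Parse the constructed log format into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def analyze(text, min_subdomains=3, min_sub_len=30, min_entropy=3.0):
    """Return DGA-like and tunnelling-like registered domains seen in the log."""
    per_domain = {}  # registered domain -> [(subdomain, qtype), ...] in log order
    for _, qname, qtype in parse_log(text):
        reg, sub = registered_domain(qname)
        per_domain.setdefault(reg, []).append((sub, qtype))
    report = {"dga": [], "tunnelling": [], "details": {}}
    for reg, entries in per_domain.items():
        if dga_score(reg.split(".")[0]) >= 2:
            report["dga"].append(reg)
        subs = {s for s, _ in entries if s}
        if len(subs) < min_subdomains:
            continue
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        txt_share = sum(q in ("TXT", "NULL") for _, q in entries) / len(entries)
        if mean_len >= min_sub_len and mean_ent >= min_entropy:
            report["tunnelling"].append(reg)
            report["details"][reg] = {"distinct_subdomains": len(subs),
                                      "mean_subdomain_len": round(mean_len, 1),
                                      "mean_entropy": round(mean_ent, 2),
                                      "txt_or_null_share": round(txt_share, 2)}
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Flagged registered domains are candidates for the blocklist and firewall rules the CISA guidance describes, and because the heuristics look only at the query names they work on brand-new domains that no feed has seen yet; the trade-off is false positives on legitimate services with random-looking hostnames (CDNs, telemetry), so the thresholds should be tuned against the organisation's own baseline rather than used as shipped here.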
Domain-based attacks need more attention
Companies are not prepared to cope with these attacks, and it’s only partly because of their scale and complexity. Attitude plays a significant role. Domain and DNS protection isn’t seen as essential to security, so it isn’t taken as seriously as it should be. The individual responsible for managing digital assets isn’t always a senior security figure, so they don’t necessarily know about or prioritize security.
A recent study by CSC reported that 68% of all Global 2000 companies have implemented fewer than half of the recommended security measures, and 5% have not adopted any of them. This includes simple steps like Registry Lock, which has a global adoption rate of only 24%; DNS security extensions (DNSSEC), with an 8.5% adoption rate; and DNS redundancy, which actually decreased from 19% in 2020 to 17% in 2025. The only exception is the DMARC email authentication protocol, which is expected to reach 70% adoption by 2025.
Largely due to the increased adoption of AI, domain-based attacks are gaining volume, speed and sophistication at an alarming rate. The threat they pose is real and serious, yet effective methods to combat them are going unused. It’s beyond time for companies to activate all their available defenses, because the risks are only going to increase.
This article is published as part of the Foundry Expert Contributor Network.