Spain is in fashion, but not in a field to boast about. A report published by the cybersecurity company Cofense points to a drastic increase in phishing that uses websites hosted under the .es domain to deceive victims. This is what is called a top-level domain (TLD), in this case the one corresponding to websites of Spain, just as .fr identifies French ones or .de German ones. This means that Spain has become a preferred vehicle for cybercriminals developing phishing scams.
According to the investigation carried out by Max Gannon and Jacob Malimban of Cofense's intelligence team, the use of the .es TLD in phishing campaigns shot up between the fourth quarter of 2024 and the first quarter of 2025. Specifically, it was 19 times higher than what had previously been recorded. This increase placed the .es domain behind only .com (global) and .ru (Russia).
Up to May 2025, Cofense identified 447 phishing websites under the .es domain which, in turn, hosted more than 1,373 malicious subdomains. These subdomains usually use randomly generated names made of letters and numbers, which are not recognizable and carry no semantic meaning. This makes phishing harder for users to detect. Examples are AG7SR.FJLABPKGUO.es and gymi8.fwpzza.es.
This increase does not correspond to the activity of one specific group of malicious actors; it is a generalized trend among cybercriminals. Keep in mind that phishing campaigns under this domain do not affect Spain alone, but are aimed at the Spanish-speaking audience in general.
Of the ten most abused domains in phishing, only three are geographic TLDs. They are followed by .net, .dev, .org, .com.br, .app, .O and .me.
These websites, which are part of impersonation campaigns, are aimed in 99 % of cases at credential theft, posing as a company the user trusts. The remaining 1 % corresponds to malware distribution. According to Cofense, this involves remote access Trojans (RATs, which allow control of an infected system), such as ConnectWise RAT, Dark Crystal and XWorm.
The most impersonated company, by far, is Microsoft. 95 % of phishing campaigns that use .es domains imitate services such as Microsoft 365, Outlook, etc. Other companies impersonated in phishing, although much less frequently, include Adobe, Google and DocuSign.
Another striking aspect is that around 99 % of these domains are hosted on Cloudflare infrastructure and often use the Cloudflare Turnstile CAPTCHA to give a greater appearance of legitimacy. Turnstile is Cloudflare's alternative to the traditional CAPTCHA, used to tell humans from bots when they access a website, and its use here raises doubts about the control that Cloudflare has over its platform.
Cofense warns that organizations must be alert to this new domain abuse pattern and adapt their detection strategies, paying special attention to subdomain monitoring and to better detection of brand impersonation.
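As an illustration of the subdomain monitoring recommended above, the following added example (not from Cofense or the original article) scores .es hostnames for the random letter-and-number pattern described earlier and groups the hits by base domain. The scoring signals, the threshold of 3 and the two-label base-domain assumption are choices made for this sketch; the benign hostnames are constructed.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")
# Four or more consecutive consonants ('y' counted as a consonant).
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")

def label_score(label: str) -> int:
    """Count randomness signals (0-3) in one DNS label. Thresholds are assumptions."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    if len(label) < 4 or not letters:
        return 0  # short labels such as 'www' carry too little signal
    score = 0
    if any(c.isdigit() for c in label):                           # digits mixed with letters
        score += 1
    if sum(c in VOWELS for c in letters) / len(letters) <= 0.25:  # very few vowels
        score += 1
    if CONSONANT_RUN.search(label):                               # unpronounceable run
        score += 1
    return score

def is_suspicious(host: str, threshold: int = 3) -> bool:
    """Flag a .es host whose subdomain and base labels together look random."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != "es":
        return False  # only subdomains under .es are in scope here
    return sum(label_score(l) for l in labels[:-1]) >= threshold

def subdomains_by_base(hosts):
    """Map each base domain (assumed to be the last two labels) to its flagged hosts."""
    grouped = defaultdict(list)
    for host in hosts:
        if is_suspicious(host):
            name = host.lower().rstrip(".")
            grouped[".".join(name.split(".")[-2:])].append(name)
    return {base: sorted(names) for base, names in grouped.items()}

# The first two hostnames are the examples quoted in the article;
# the rest are constructed benign names for contrast.
SAMPLE = [
    "AG7SR.FJLABPKGUO.es",
    "gymi8.fwpzza.es",
    "mail1.example.es",
    "intranet.example.es",
    "www.example.es",
]

if __name__ == "__main__":
    for base, names in subdomains_by_base(SAMPLE).items():
        print(base, names)
```

A heuristic like this is a triage filter for proxy or DNS logs, not a verdict: short brand abbreviations can score as random, so hits should be correlated with other signals such as a Microsoft-branded login page on the destination.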