Cybercriminals have long abused common Top-Level Domains (TLDs) such as .com and .ru to launch widespread credential phishing campaigns.
However, recent threat intelligence from Cofense Intelligence reveals an alarming and persistent pattern: .com remains the most abused TLD for hosting phishing content, with rapid growth in malicious activity at both the primary stage (links embedded in emails) and the secondary stage (pages reached after the click).
This news comes amid the meteoric rise of the .es TLD, but .com's global reach and reputation for legitimacy continue to make it the go-to choice for threat actors.
Phishing campaigns leveraging .com domains continue to dominate the threat landscape due to the TLD’s ubiquity and the abundance of available domains.
Cybercriminals are increasingly employing sophisticated technical strategies, primarily using dynamically generated subdomains to evade detection and enhance the perceived legitimacy of their attacks.
For example, campaigns in early 2025 have consistently utilized subdomains resembling authentic corporate services (e.g., webmail, invoices, or account security) to deceive users.
These subdomains often host advanced phishing kits that can mimic login portals for Microsoft, Adobe, and other popular services.
According to recent Cofense data, over 95% of phishing emails containing .com links targeted Microsoft credentials, with attackers tailoring the emails to match real-world corporate communication styles.
Common subject lines include "Employee Handbook Update," "Vendor Update Required," and notifications for scanned documents or voicemails, all designed to create a sense of urgency and prompt immediate action.
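As an added example (not Cofense's tooling or anything from the original report), the following Python triage script shows how the pattern described above can be turned into detection logic: it extracts the hostname from each link, keeps only .com hosts, and flags subdomain labels that borrow corporate-service vocabulary (webmail, invoice, account security), that carry a brand name the registrable domain does not, or that look dynamically generated (long, mixed letters and digits, high entropy). The sample messages, keyword lists and scoring weights are constructed and hypothetical; the registrable-domain split is deliberately naive and assumes a two-label suffix, which holds for .com but not for suffixes such as co.uk.

```python
"""Triage of .com phishing links by subdomain pattern.
Added example: not Cofense's code. All inputs below are constructed."""
import math
from urllib.parse import urlparse

# Hypothetical keyword lists; tune to your own environment and brands.
SERVICE_WORDS = ("webmail", "invoice", "account", "security", "login",
                 "microsoft", "office", "adobe", "voicemail", "docusign")
BRANDS = ("microsoft", "adobe")
URGENT_SUBJECTS = ("handbook", "vendor update", "scanned document", "voicemail",
                   "action required", "password")

# Constructed sample messages (not real campaign data).
SAMPLE_EMAILS = [
    {"subject": "Employee Handbook Update",
     "url": "https://webmail-secure-login.k3x9q2p7z.example-hosting.com/auth"},
    {"subject": "Vendor Update Required",
     "url": "https://invoices.a8f2c91d0b7e4.cdn-files.com/view?id=1"},
    {"subject": "New voicemail received",
     "url": "https://microsoft-account-security.z4h8t1m6w.files-share.com/"},
    {"subject": "Q3 roadmap",
     "url": "https://www.example.com/roadmap"},
    {"subject": "Your scanned document",
     "url": "https://docs.example.es/scan"},
]


def shannon_entropy(s):
    """Bits per character of the label; unique characters maximise it."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_host(host):
    """Return (subdomain_labels, registrable_domain, tld).
    Naive two-label split: adequate for .com, wrong for co.uk-style suffixes;
    use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], host, ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def looks_generated(label):
    """Heuristic for dynamically generated labels: long, letters mixed with
    digits, and high per-character entropy (hypothetical thresholds)."""
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    return (len(label) >= 8 and has_digit and has_alpha
            and shannon_entropy(label) >= 3.0)


def score_email(email):
    """Return (score, reasons) for one message; higher is more suspicious."""
    reasons, score = [], 0
    host = urlparse(email["url"]).hostname or ""
    subs, registrable, tld = split_host(host)
    if tld != "com":
        return score, reasons  # this triage targets .com links only
    # Subdomain labels that imitate corporate services.
    service_hits = [l for l in subs if any(w in l for w in SERVICE_WORDS)]
    if service_hits:
        score += 2
        reasons.append("service-word subdomain: " + ",".join(service_hits))
    # Brand name in the subdomain but absent from the registrable domain.
    for b in BRANDS:
        if any(b in l for l in subs) and b not in registrable:
            score += 3
            reasons.append(f"brand '{b}' under unrelated domain {registrable}")
    generated = [l for l in subs if looks_generated(l)]
    if generated:
        score += 2
        reasons.append("generated-looking label: " + ",".join(generated))
    if len(subs) >= 3:
        score += 1
        reasons.append(f"deep subdomain nesting ({len(subs)} labels)")
    if any(k in email["subject"].lower() for k in URGENT_SUBJECTS):
        score += 1
        reasons.append("urgency subject line")
    return score, reasons


def triage(emails, threshold=3):
    """Return the messages scoring at or above the threshold."""
    flagged = []
    for e in emails:
        s, r = score_email(e)
        if s >= threshold:
            flagged.append({"url": e["url"], "score": s, "reasons": r})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EMAILS):
        print(hit["score"], hit["url"], "; ".join(hit["reasons"]))
```

Run as-is, the script flags the first three constructed messages and passes the benign www.example.com link and the .es link untouched. The brand check is the most useful signal: a label like microsoft-account-security sitting under an unrelated registrable domain is exactly the pattern the report describes, and it survives the attacker rotating the generated middle label.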
Cloud-based services such as Cloudflare have further enabled threat actors. Over 99% of the analyzed phishing pages were served through services like Cloudflare, often fronted with the Turnstile CAPTCHA, which lends a veneer of authenticity and delays automated web scanners, since a URL sandbox that cannot solve the challenge sees only the interstitial page rather than the credential form behind it.
While Cloudflare's ease of deployment is a boon for legitimate users, attackers weaponize the same convenience to launch campaigns rapidly and at scale.
The persistent abuse of the .com TLD highlights ongoing challenges for cybersecurity teams. Unlike country-specific TLDs, .com domains are less likely to raise suspicion among global users, making them ideal vehicles for credential theft.
The dynamic generation of subdomains, rapid domain registration, and abuse of modern hosting platforms all contribute to a constantly evolving phishing landscape.
Organizations must remain vigilant, employing advanced threat intelligence and robust email filtering to counteract these campaigns.
Regular employee training, real-time monitoring for brand impersonation, and swift takedown of malicious domains are critical strategies in disrupting the rampant use of .com domains by cybercriminals.
As phishing tactics grow increasingly sophisticated, the centrality of the .com TLD to cybercrime underscores the urgent need for collective defense and awareness across the digital ecosystem.