How Phishing Campaigns Are Built: Domains, URLs, and Attacker Infrastructure

Illustration showing a phishing attack with a fake login page and credential harvesting via malicious email.

Phishing remains one of the most pervasive threats in today's cyberspace. At its core, phishing isn't just about tricking a user into clicking a link - it's about engineering an ecosystem that looks legitimate enough to deceive even the cautious eye. To stay ahead, defenders need to understand the core building blocks of these campaigns: the domain names, URLs, and infrastructure that attackers rely on.

In this article, we explore how modern phishing operations leverage short-lived domains, lookalike URLs, and reused attacker infrastructure, and why focusing on these elements is central to the detection strategy of the ThreatChase project.

Short-Lived Domains in Phishing Attacks

One of the most striking aspects of phishing campaigns is how ephemeral attacker infrastructure tends to be.

Phishing operations typically revolve around newly registered or short-lived domains that:

  • Avoid blocklisting: Brand new domains have no reputation history, allowing them to bypass traditional blocklists.
  • Enable rotation at scale: Once a domain is flagged, attackers can discard it and quickly register a replacement.
  • Reduce attribution risk: Frequent domain churn makes it harder to link activity back to a persistent actor.

These domains often have a very limited lifespan — registered, used for hours or days, and then taken down — only to be replaced by new ones following the same pattern.

Lifecycle of short-lived phishing domains from registration to abandonment
Figure 1 - Typical lifecycle of phishing domains, from initial registration and campaign launch to detection, takedown, and eventual abandonment, highlighting the rapid churn used to evade traditional defences.

This lifecycle complicates detection. Defences that rely heavily on historical reputation or manual reporting often lag behind attacker activity, missing campaigns while they are still active.

Lookalike URLs and Brand Impersonation

The most common vector for phishing is the URL, and here attackers are experts in deception.

Rather than choosing random domain names, attackers deliberately craft lookalike URLs that closely resemble legitimate brands. Common techniques include:

  • Typosquatting: Domains like micros0ft-secure.com, exploiting small visual differences.
  • Homograph attacks: Using Unicode characters that resemble standard letters (for example, replacing o with the Greek ο).
  • Subdomain abuse: Putting the malicious infrastructure under subdomains, such as login.paypal.com.verify-secure.net.

The figure below provides a side-by-side comparison of legitimate and phishing domains, showing how attackers exploit small visual differences to deceive users.

Examples of lookalike phishing domains impersonating legitimate brands
Figure 2 - Side-by-side comparison of legitimate domains and visually similar phishing variants, illustrating common techniques such as typosquatting and deceptive subdomain construction.

To an untrained user, these domains can appear legitimate at a glance, especially on mobile devices or in email previews where the full address is truncated.

The goal is not technical complexity, but psychological plausibility and reassurance.

Subdomain Abuse in Phishing Campaigns

Subdomains further extend the illusion of legitimacy. Instead of registering an obviously suspicious domain, attackers host phishing pages on subdomains such as:

signin.bankname.verification-check.net

The effectiveness of subdomain abuse becomes clearer when examining the structure of a phishing domain. Figure 3 illustrates how attackers use misleading subdomains to impersonate trusted brands, while the actual domain remains attacker-controlled.

Breakdown of a phishing domain showing misleading subdomains and the actual registered domain
Figure 3 - Breakdown of a phishing domain showing how attackers use misleading subdomains to impersonate trusted brands, while retaining control over the registered domain.

This approach works because:

  • The second-level domain (verification-check.net) is unfamiliar to most users.
  • The subdomain (signin.bankname) mimics the trusted brand.
  • Many users, and even some security tools, mistakenly associate the subdomain text with legitimacy.

In phishing, trust is a perception, and subdomain misuse is one of the most effective ways to manufacture it.
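The lookalike techniques listed above (typosquatting, homographs, brand names placed in subdomains) can be checked mechanically once a hostname is split into its subdomain labels and its registered domain. The script below is an added example written for this article, not ThreatChase's code; it assumes a small hard-coded brand table and a hard-coded subset of the public suffix list, both of which a real deployment would replace with full data. It decodes punycode so non-Latin letters become visible, flags any alphabetic character outside the Latin script, compares the registered domain's label against brand names with a digit-for-letter map and an edit-distance check, and reports brand names or public suffixes that appear in subdomain labels, which is exactly the pattern of login.paypal.com.verify-secure.net and signin.bankname.verification-check.net.

```python
import unicodedata

# Constructed stand-in for the public suffix list (publicsuffix.org); a real
# deployment loads the full list instead of this hard-coded subset.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed table of protected brand tokens and their legitimate registered
# domains; an assumption for this example, not ThreatChase's data.
BRANDS = {
    "microsoft": "microsoft.com",
    "paypal": "paypal.com",
    "bankname": "bankname.com",
}
LEGIT_DOMAINS = set(BRANDS.values())

# Digit-for-letter swaps that read alike at a glance (micros0ft, paypa1).
VISUAL_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def to_unicode(host):
    """Decode punycode labels (xn--...) so homographs are visible as characters."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def split_host(host):
    """Return (subdomain_labels, registered_domain) for a lowercase hostname."""
    labels = host.split(".")
    # Try the longest public suffix first so co.uk wins over uk.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return labels[:-2], ".".join(labels[-2:])


def script_of(ch):
    """First word of the Unicode character name: LATIN, GREEK, CYRILLIC, ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_host(host):
    """Return sorted findings describing how a hostname imitates a brand."""
    host = to_unicode(host.lower().rstrip("."))
    findings = set()

    # 1. Homograph: letters from a script other than Latin anywhere in the host.
    foreign = {script_of(ch) for ch in host if ch.isalpha()} - {"LATIN"}
    if foreign:
        findings.add("homograph:" + ",".join(sorted(foreign)))

    subs, registered = split_host(host)
    if registered in LEGIT_DOMAINS:
        return sorted(findings)  # the brand's own domain; nothing to impersonate

    # 2. The registered domain's own label: exact brand token or a near miss.
    for token in registered.split(".")[0].split("-"):
        normalised = token.translate(VISUAL_SUBS)
        for brand in BRANDS:
            if token == brand:
                findings.add("brand-in-registered-domain:" + brand)
            elif normalised == brand or (len(brand) >= 5 and edit_distance(token, brand) == 1):
                findings.add("typosquat:" + brand)

    # 3. Subdomain labels carrying a brand name or a public suffix
    #    (login.paypal.com.verify-secure.net) to borrow the brand's trust.
    for label in subs:
        if label in PUBLIC_SUFFIXES:
            findings.add("suffix-in-subdomain:" + label)
        for brand in BRANDS:
            if brand in label.translate(VISUAL_SUBS):
                findings.add("brand-in-subdomain:" + brand)
    return sorted(findings)


if __name__ == "__main__":
    for h in ["micros0ft-secure.com", "login.paypal.com.verify-secure.net",
              "signin.bankname.verification-check.net", "accounts.paypal.com"]:
        print(f"{h:45} {analyze_host(h)}")
```

The findings are deliberately descriptive rather than a single score: a brand name inside a subdomain of an unrelated registered domain is strong evidence on its own, while a one-character edit distance needs the brand-length floor to avoid noise on short names. The registered-domain split is the part that matters most; any tool that reads the hostname left to right, as users do, is exactly the "security tool" the article says gets fooled.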

Reused Attacker Infrastructure

More advanced phishing campaigns do not just reuse domains; they frequently reuse hosting environments, TLS certificates, email infrastructure, and phishing kits across multiple operations.

Common reuse patterns include:

  • Shared hosting IPs serving hundreds of malicious websites.
  • Wildcard TLS certificates enabling HTTPS across many phishing domains.
  • Phishing kits, combining ready-made page logic and email templates, traded in underground markets.
  • Redirect and payload infrastructure designed to evade analysis and detection.

This infrastructure reuse creates patterns that can be identified and exploited by defenders, but only if the focus is on the right signals.

Why ThreatChase Focuses on Domains & URLs

At ThreatChase, we treat domains and URLs not just as attack vectors, but as foundational signals of phishing infrastructure. These elements sit at the intersection between attacker intent, technical execution, and user interaction, making them uniquely valuable within the domain- and URL-based detection approach developed by ThreatChase.

By analysing how domains are registered, how URLs are built, and how both are reused across campaigns, ThreatChase captures signals that appear before campaigns are widely reported or blocked. This focus naturally translates into four complementary detection perspectives.

1. Domains reflect intent

Suspicious domain registrations often appear before phishing emails are sent or campaigns go live. Identifying these domains early provides defenders with valuable lead time and insight into attacker preparation activities.

2. URLs are where humans interact

Users don't click IP addresses; they click URLs. Phishing success depends on URL plausibility, making URL structure, token placement, and brand impersonation cues critical detection signals.

3. Infrastructure patterns reveal campaigns

Phishing domains rarely exist in isolation. They are typically embedded within broader attacker infrastructure, where domains share hosting environments, registration timing, or naming conventions. By analysing these relationships, ThreatChase identifies coordinated campaign clusters, not just single malicious URLs.

4. Blocklists & traditional models lag behind

Blocklists and reputation-based models struggle with short-lived, fast-rotating infrastructure. ThreatChase's signal-driven approach helps close this gap by detecting phishing activity in near real time, rather than reacting after damage has occurred.

How ThreatChase Uses Domain and URL Signals to Detect Phishing

ThreatChase approaches phishing detection by analysing domains and URLs as infrastructure signals, rather than treating them as isolated indicators. Instead of simply asking whether a URL is already known to be malicious, ThreatChase evaluates how and why that URL exists, and how it relates to other elements of attacker infrastructure.

Phishing campaigns leave structural traces long before they are reported or blocked. These traces emerge at the level of domain registration, URL construction, hosting configuration, and infrastructure reuse, often well before phishing emails are delivered at scale.

To capture these early signals, ThreatChase continuously ingests and analyses domains and URLs from multiple sources and enriches them with contextual information. As illustrated in Figure 4, this process combines data collection, enrichment, and analysis into a unified detection pipeline.

Diagram of the ThreatChase data pipeline showing how suspicious domains and URLs are collected from multiple sources, enriched, analysed with AI models, and correlated to detect phishing campaigns.
Figure 4 - ThreatChase data pipeline for domain and URL-based phishing detection. The diagram illustrates how suspicious domains and URLs are collected, enriched with contextual data, and analysed through correlated signals to identify phishing campaigns.

ThreatChase evaluates multiple classes of signals, including:

  • Domain lifecycle characteristics, such as registration age, churn rate, and reuse across campaigns.
  • Lexical and structural URL properties, including brand impersonation patterns, token placement, and deceptive subdomain usage.
  • Infrastructure relationships, such as shared hosting environments, TLS certificate reuse, and correlated registration timing.

Rather than scoring these signals independently, ThreatChase correlates them to uncover patterns of coordination. Domains that appear together in time, infrastructure, or naming structure are evaluated as part of a broader campaign, rather than as individual, disconnected threats.

This correlation-driven approach allows ThreatChase to surface campaign-level intelligence, flagging newly observed domains based on their similarity to known malicious infrastructure — even before they are used in active phishing attacks. By focusing on infrastructure signals and their relationships, ThreatChase enables earlier detection and more effective response to fast-moving phishing campaigns.
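The reuse patterns listed under "Reused Attacker Infrastructure" and the correlated signals described in this section (shared hosting, certificate reuse, registration age) can be turned into campaign-level clusters with a union-find over shared pivots. The script below is an added example for this article, not ThreatChase's pipeline; the enrichment records, the known-bad seed, the TEST-NET IPs and the certificate fingerprints are all constructed, and the 30-day "new domain" threshold is an assumption. It links every pair of domains that share a hosting IP or a TLS certificate, then derives a verdict for each domain from its cluster's contact with a confirmed phishing domain and from its registration age, so a domain that has never been reported is still flagged when it sits on infrastructure already known to be malicious.

```python
from collections import defaultdict
from datetime import datetime

# Constructed enrichment records standing in for the output of a collection and
# enrichment pipeline. Domains, dates, IPs (RFC 5737 documentation ranges) and
# certificate fingerprints are all made up for this example.
RECORDS = [
    {"domain": "verify-secure.net",      "registered": "2024-03-01", "ip": "203.0.113.10", "cert": "sha256:A1"},
    {"domain": "verification-check.net", "registered": "2024-03-02", "ip": "203.0.113.10", "cert": "sha256:A1"},
    {"domain": "account-review.com",     "registered": "2024-03-02", "ip": "203.0.113.11", "cert": "sha256:A1"},
    {"domain": "micros0ft-secure.com",   "registered": "2024-03-20", "ip": "198.51.100.7", "cert": "sha256:B2"},
    {"domain": "example.org",            "registered": "2015-06-10", "ip": "192.0.2.5",    "cert": "sha256:C3"},
]
# Constructed seed: one domain already confirmed as phishing.
KNOWN_BAD = {"verify-secure.net"}
NEW_DOMAIN_DAYS = 30  # assumption: registrations younger than this count as "new"


class DisjointSet:
    """Union-find over domain names; each set is one infrastructure cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def build_clusters(records):
    """Link every pair of domains that share a hosting IP or a certificate."""
    ds = DisjointSet()
    by_pivot = defaultdict(list)
    for r in records:
        ds.find(r["domain"])  # register singletons so they form their own cluster
        by_pivot[("ip", r["ip"])].append(r["domain"])
        by_pivot[("cert", r["cert"])].append(r["domain"])
    for members in by_pivot.values():
        for other in members[1:]:
            ds.union(members[0], other)
    clusters = defaultdict(list)
    for r in records:
        clusters[ds.find(r["domain"])].append(r["domain"])
    return sorted(sorted(c) for c in clusters.values())


def assess(records, known_bad, observed_on):
    """Verdict per domain from cluster membership and registration age."""
    cluster_of = {d: set(c) for c in build_clusters(records) for d in c}
    verdicts = {}
    for r in records:
        age_days = (observed_on - datetime.fromisoformat(r["registered"])).days
        if r["domain"] in known_bad:
            verdicts[r["domain"]] = "known-bad"
        elif cluster_of[r["domain"]] & known_bad:
            # Never reported itself, but shares hosting or a certificate with a
            # confirmed phishing domain: flag it before it is used.
            verdicts[r["domain"]] = "linked-to-known-bad"
        elif age_days < NEW_DOMAIN_DAYS:
            verdicts[r["domain"]] = "new-unlinked"
        else:
            verdicts[r["domain"]] = "benign-looking"
    return verdicts


if __name__ == "__main__":
    for cluster in build_clusters(RECORDS):
        print("cluster:", ", ".join(cluster))
    for domain, verdict in assess(RECORDS, KNOWN_BAD, datetime(2024, 3, 25)).items():
        print(f"{domain:25} {verdict}")
```

Two points a practitioner should take from this. First, account-review.com never shares an IP with the seed domain; it is pulled into the cluster only through the reused certificate, which is the wildcard-certificate pattern described earlier. Second, a shared IP is a weak pivot on its own: large shared hosts and CDNs put thousands of unrelated sites behind one address, so a real pipeline allowlists or down-weights those pivots and leans on certificate reuse, registration timing and naming structure for the linking decision.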

Conclusion

Phishing isn't random, it's engineered. To counter it effectively, defenders must move beyond reactive blocking and adopt proactive, signal-based detection.

By understanding how phishing campaigns are built, from disposable domains to deceptive URLs and reused infrastructure, organisations can detect threats earlier and reduce user exposure.

At ThreatChase, domains and URLs are not the end of detection, they are the beginning.

Explore more insights in the ThreatChase project blog and stay tuned!

Funding

European Cybersecurity Competence Centre and Network
Co-funded by the European Union

The project funded by the European Union under Grant Agreement No. 101128042 is supported by the European Cybersecurity Competence Centre. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

Project details

  • Project number: 101128042
  • Call: DIGITAL-ECCC-2022-CYBER-03
  • Topic: DIGITAL-ECCC-2022-CYBER-03-UPTAKE-CYBERSOLUTIONS
  • Type of action: DIGITAL JU SME Support Actions
  • Project starting date: 1 October 2023
  • Project end date: 30 September 2026

Contact