VERY IMPORTANT

Threat actors have discovered a novel method to bypass security controls by abusing the .arpa top-level domain (TLD) in conjunction with IPv6 tunnels. They are exploiting a feature in DNS record management of certain providers to add IP address records for .arpa domains, allowing them to host phishing content on domains that should not resolve to an IP address. The phishing campaigns use spam emails impersonating major brands, with hyperlinked images leading to malicious websites through traffic distribution systems. This technique weaponizes trusted infrastructure essential for network operations, making it challenging for security tools to detect suspicious domains based on reputation, registration information, or policy blocklists.