In a nutshell: Age-based reputation scoring in mail filters became a critical vulnerability because attackers acquire legitimate, long-clean domains and repurpose them for phishing.
Phishing operators deliberately purchase old, reputable domains and exploit their high reputation with mail filters. Certificate transparency logs reveal the pattern that established security solutions overlook.
The takeover mechanics are straightforward: phishing-as-a-service operators either acquire expired registrations or take over active domains by stealing credentials at the registrar. The drop-catching market (DropCatch, SnapNames, GoDaddy Auctions) makes this possible – a clean domain with ten years of history costs 50 to 500 US dollars. The business model pays off because Microsoft Defender for Office 365, Proofpoint, Mimecast, and Cisco Talos weight domain age heavily in their classification models. A freshly registered .com is penalized immediately; a domain with years of stable use, consistent certificate issuance, and a clean DNS history is considered low-risk.
A documented case illustrates the pattern concretely: digitalscrapbookingfreebies.com. From 2016 to July 2025, the certificate history read like that of a normal small-business blog – cPanel certificates every 60 to 90 days, Let’s Encrypt R3 for apex and www every 90 days. In April 2025, GoDaddy certificates appear after eight years of unchanged cPanel-plus-Let’s-Encrypt history; that is the first hard signal of a registrar switch. July 2025: the last certificate with a legitimate signature. Then silence – six months without renewals. December 2025: new Let’s Encrypt R13 certificates for subdomains the original blog never had (beds, footboard, haushafin, locklear). January 2026: nativems-mfl09093004.digitalscrapbookingfreebies.com serves a Sneaky2FA phishing campaign against UK and US authorities, energy companies, and US healthcare SMBs.
The infrastructure behind such domains is criminal, yet the reputation score stays high. One current Sneaky2FA deployment ran 117 servers in Kansas City for two years; the mail filters never flagged the source. The problem is a blind spot in the reputation classifier: the model dates from a time when newly registered domains were the dominant phishing infrastructure and old domains indicated legitimate small businesses. Today, filters overlook the signals present in the certificate transparency log – the months-long silence, the sudden change of certificate authority, and the new subdomains unrelated to the original brand.
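As an added example, not code from the article or from any of the vendors it names: a Python check that reads a domain's certificate transparency history and flags the three signals described above (a long renewal silence, a CA the domain's baseline never used, and hostnames the baseline never carried). The issuer labels and dates are constructed approximations of the timeline in the article, and the 365-day comparison window and 150-day gap threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class CertEntry:
    not_before: date  # issuance date recorded in the CT log
    ca: str           # issuing CA organisation; intermediate names (R3, R13) are ignored on purpose
    sans: tuple       # subject alternative names on the certificate

def repurposing_signals(entries, recent_days=365, gap_days=150):
    """Compare the recent window of a domain's CT history with its older baseline."""
    hist = sorted(entries, key=lambda e: e.not_before)
    if not hist:
        return {"flags": ["no_history"], "longest_gap_days": 0, "new_cas": set(), "new_names": set()}
    cutoff = hist[-1].not_before - timedelta(days=recent_days)
    baseline = [e for e in hist if e.not_before < cutoff]
    recent = [e for e in hist if e.not_before >= cutoff]
    longest = max(((b.not_before - a.not_before).days for a, b in zip(hist, hist[1:])), default=0)
    new_cas = {e.ca for e in recent} - {e.ca for e in baseline}
    new_names = {n.lower() for e in recent for n in e.sans} - {n.lower() for e in baseline for n in e.sans}
    flags = []
    if not baseline:
        flags.append("insufficient_history")  # young domain: the age heuristic already applies
    if longest >= gap_days:
        flags.append("renewal_silence")       # months without renewals, then activity resumes
    if baseline and new_cas:
        flags.append("ca_switch")             # a CA the domain never used before
    if baseline and new_names:
        flags.append("new_hostnames")         # subdomains the original site never had
    return {"flags": flags, "longest_gap_days": longest, "new_cas": new_cas, "new_names": new_names}

D = "digitalscrapbookingfreebies.com"  # the domain discussed in the article

def steady_history(domain, start, end, step_days=75):
    """Constructed baseline: alternating cPanel / Let's Encrypt renewals for apex and www only."""
    names, out, d, i = (domain, "www." + domain), [], start, 0
    while d < end:
        out.append(CertEntry(d, ("cPanel", "Let's Encrypt")[i % 2], names))
        d, i = d + timedelta(days=step_days), i + 1
    return out

def constructed_history():
    """Constructed tail following the article's timeline: CA switch, silence, new subdomains."""
    apex = (D, "www." + D)
    return steady_history(D, date(2016, 3, 1), date(2025, 3, 1)) + [
        CertEntry(date(2025, 4, 12), "GoDaddy", apex),   # CA switch after years of cPanel/LE
        CertEntry(date(2025, 7, 10), "GoDaddy", apex),   # last renewal before the silence
        CertEntry(date(2025, 12, 20), "Let's Encrypt", ("beds." + D, "footboard." + D)),
        CertEntry(date(2026, 1, 8), "Let's Encrypt", ("nativems-mfl09093004." + D,)),
    ]
```

Run `repurposing_signals(constructed_history())` to see all three flags raised on the constructed history, while the steady baseline alone raises none.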
Source: www.csoonline.com · Published 11 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.