Tailored Subdomains Found in Credential Phishing Campaigns
Cofense Blog – Brad Haas
In 2022, over two-thirds of campaigns reported to the Cofense Phishing Defense Center (PDC) involved URLs with subdomains. In about 5% of campaigns, threat actors chose subdomains tailored specifically to the targeted organization or user. Tailored subdomains may be more convincing than generic phishing URLs, but fortunately they are also likely to be more detectable. In this report we explore credential phishing threat actors' use of subdomains in general and tailored subdomains in particular, as well as methods network defenders can use to counteract them.
We found that malicious emails used subdomains frequently: 69% of reported emails throughout the year involved a URL with a subdomain. Many of those campaigns abused legitimate services that use subdomains in their URLs, which inflates the overall total. However, even after removing duplicate domains from the analysis, 34% of the remaining URLs still involved a subdomain. The subdomain a threat actor chooses for a campaign generally falls into one of three categories:
General deceptive subdomains
Randomized subdomains
Tailored subdomains
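The following is an added example, not code from the Cofense post: a small classifier that sorts the subdomain of a reported URL into the three categories above, plus the two measurements the post describes (share of URLs with a subdomain overall, and after collapsing duplicate registrable domains). The category definitions are assumptions drawn from the category names: "tailored" means the subdomain contains a token tied to the target (org name, brand, recipient local part), "general deceptive" means it contains a generic lure word, and "randomized" means a long high-entropy or digit-heavy label. The lure-word list, entropy threshold, the two-label registrable-domain rule, and the sample URLs and tokens are all constructed for illustration.

```python
# Added example (not from the Cofense post). Category rules, keyword list,
# entropy threshold and sample data are assumptions made for illustration.
import math
from urllib.parse import urlsplit

# Assumed: generic lure words that make a subdomain deceptive without naming
# any particular victim.
DECEPTIVE_WORDS = ("login", "secure", "account", "verify", "mail", "sso",
                   "auth", "webmail", "portal")


def registrable_split(host):
    """Split a hostname into (subdomain, registrable domain).

    Assumption: the registrable domain is the last two labels. Production
    code should consult the public-suffix list (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", host.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_subdomain(url, target_tokens):
    """Return (category, subdomain) for a URL.

    target_tokens: lowercase strings tied to the target organisation or user.
    Tailored is checked first because it is the category the post singles out."""
    host = urlsplit(url).hostname or ""
    sub, _ = registrable_split(host)
    if not sub:
        return "none", sub
    flat = sub.replace(".", "").replace("-", "")
    if any(tok and tok in flat for tok in target_tokens):
        return "tailored", sub
    if any(word in flat for word in DECEPTIVE_WORDS):
        return "general-deceptive", sub
    # Assumed heuristic: a long label that is high-entropy or digit-heavy.
    longest = max(sub.split("."), key=len)
    digits = sum(ch.isdigit() for ch in longest)
    if len(longest) >= 8 and (shannon_entropy(longest) > 3.0
                              or digits >= len(longest) // 2):
        return "randomized", sub
    return "unclassified", sub


def subdomain_stats(urls, target_tokens):
    """Share of URLs with a subdomain, overall and after collapsing duplicate
    registrable domains (a domain counts as using subdomains if any of its
    URLs did), plus per-category counts."""
    counts = {}
    with_sub = 0
    seen = {}
    for url in urls:
        cat, sub = classify_subdomain(url, target_tokens)
        counts[cat] = counts.get(cat, 0) + 1
        with_sub += bool(sub)
        _, reg = registrable_split(urlsplit(url).hostname or "")
        seen[reg] = seen.get(reg, False) or bool(sub)
    return {
        "share_with_subdomain": with_sub / len(urls),
        "share_with_subdomain_dedup": sum(seen.values()) / len(seen),
        "by_category": counts,
    }


# Constructed sample data: one abused domain hosting several lures, plus
# unrelated domains without subdomains, to show the de-duplication effect.
TARGET_TOKENS = ("acmecorp", "jdoe")
SAMPLE_URLS = [
    "https://acmecorp-login.example.net/auth",
    "https://secure-mail.example.net/",
    "https://x7k2p9qz4m.example.net/",
    "https://jdoe.example.net/",
    "https://example.org/",
    "https://example.com/",
    "https://example.edu/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify_subdomain(u, TARGET_TOKENS))
    print(subdomain_stats(SAMPLE_URLS, TARGET_TOKENS))
```

On the constructed sample the overall share of URLs with a subdomain is 4 of 7, but once the four lures on example.net collapse into one domain only 1 of 4 domains uses subdomains, which is the same direction of effect the post reports (69% before de-duplication, 34% after). Feed `classify_subdomain` the recipient's org name and mailbox local part as tokens to surface the tailored cases the post says are both rarer and easier to spot.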
Link: https://cofense.com/blog/tailored-subdomains-found-in-credential-phishing-campaigns/