The fight against phishing and online fraud has long relied on a reactive approach: detecting malicious domains after they are already active, verifying abuse, and requesting their takedown as quickly as possible. Netcraft aims to move that boundary earlier. The company announced Preemptive Domain Disruption, a new capability designed to identify and deactivate attacker-controlled domains before they are used in phishing campaigns or Business Email Compromise (BEC) scams, that is, fraud built on impersonation in corporate email.
This is no small feat. According to the company itself, many attackers register domains days, weeks, or even months before launching their campaigns. That time window, which until now has largely been outside the operational focus of many defenses, is what Netcraft intends to leverage with this new feature: acting during the period from domain registration to activation.
Beyond the commercial announcement, this move reflects a significant shift in cybersecurity. The problem is no longer just detecting malicious infrastructure once it hosts a fraudulent website or sends emails, but rather dismantling it before it goes into production. At a time when automation and AI are helping attackers craft faster, more scalable campaigns, getting a head start by hours or days can make the difference between containing a threat and arriving too late.
From Reactive Takedowns to Preventive Disruption
Netcraft claims that its new system relies on clusters of data, verified attack indicators, and correlation of shared fingerprints across campaigns. Instead of analyzing isolated signals, it cross-references elements such as shared infrastructure, registration patterns, technical configurations, and other traces associated with fraud and impersonation campaigns. When enough evidence is gathered, the company says it works directly with internet infrastructure providers to deactivate these domains and simultaneously distribute high-risk signals to DNS operators, email reputation systems, and other anti-fraud platforms.
Put simply, the approach is not to wait until a domain hosts visible malicious content before acting. The company presents this leap as a move “further upstream” in the attack chain, a common term in security for intervening before the risk reaches the end user. In practice, this means the tool’s value lies not just in traditional detection, but in its ability to turn preparatory patterns into disruption actions before victims are affected.
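As an added illustration of the fingerprint correlation described above (this is not Netcraft's code or method, which the announcement does not disclose), the Python example below scores dormant domains by the attributes they share with a verified-malicious one and flags only those above an evidence threshold. The field names, weights, threshold, and `.test` records are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed records; field names and weights are assumptions for illustration.
RECORDS = [
    # name, registrar, nameserver, cert fingerprint, registration day,
    # verified malicious, already serving content
    ("secure-examplebank.test", "reg-a", "ns1.bulkhost.test", "fp-91c2", "2025-03-01", True, True),
    ("examplebank-verify.test", "reg-a", "ns1.bulkhost.test", "fp-91c2", "2025-03-01", False, False),
    ("examplepay-alerts.test", "reg-a", "ns1.bulkhost.test", None, "2025-03-02", False, False),
    ("gardening-club.test", "reg-a", "ns7.otherhost.test", None, "2025-03-01", False, False),
    ("old-shop.test", "reg-b", "ns1.bulkhost.test", None, "2024-01-10", False, True),
]
FIELDS = ("registrar", "nameserver", "cert_fp", "reg_day")
# Weak signals (a popular registrar) count less than strong ones (a reused certificate).
WEIGHTS = {"registrar": 1, "nameserver": 2, "cert_fp": 4, "reg_day": 1}
THRESHOLD = 4

def correlate(records, threshold=THRESHOLD):
    """Score not-yet-active domains by fingerprints shared with verified-malicious ones."""
    domains = {r[0]: dict(zip(FIELDS, r[1:5]), verified=r[5], active=r[6]) for r in records}
    index = defaultdict(set)  # (field, value) -> verified-malicious domains carrying it
    for name, d in domains.items():
        if d["verified"]:
            for f in FIELDS:
                if d[f] is not None:
                    index[(f, d[f])].add(name)
    flagged = {}
    for name, d in domains.items():
        if d["verified"] or d["active"]:
            continue  # only dormant, unclassified domains are candidates
        per_seed = defaultdict(list)
        for f in FIELDS:
            for seed in index.get((f, d[f]), ()):
                per_seed[seed].append(f)
        for seed, shared in per_seed.items():
            score = sum(WEIGHTS[f] for f in shared)
            if score >= threshold and score > flagged.get(name, (0,))[0]:
                flagged[name] = (score, seed, shared)  # keep the evidence for review
    return flagged

if __name__ == "__main__":
    for name, (score, seed, shared) in correlate(RECORDS).items():
        print(f"{name}: score {score}, linked to {seed} via {', '.join(shared)}")
```

Lowering the threshold to 3 also flags the domain that shares only a registrar and nameserver with the seed, which is the speed-versus-false-positive trade-off in miniature.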
Netcraft accompanies the announcement with figures that should be viewed as data provided by the company itself, not as publicly audited metrics. It states that, in initial results with clients, approximately 90% of malicious domains were removed in less than 24 hours, and that one enterprise deployment achieved over 21,000 removals in three months. These are striking numbers, though they currently lack a detailed public methodology to assess which types of campaigns were involved, the certainty thresholds, or the possible false positive rates.
Why This Announcement Matters Now
This announcement comes as the defensive ecosystem tries to adapt to increasingly fast attackers. Netcraft itself has long warned that AI is changing the landscape of online fraud, not just by enabling convincing content generation, but also by accelerating processes like domain creation, brand impersonation, and campaign setup. In a 2025 analysis, the company noted that language models were even beginning to recommend phishing sites for certain queries, an indicator that the problem extends beyond email or traditional websites into new layers of the digital ecosystem.
From this perspective, Netcraft’s approach makes sense. As fraud becomes more industrialized, the response must also be more automated and earlier. Quick reaction alone isn’t sufficient; it’s necessary to detect preparations, identify patterns, and cut infrastructure before the attack becomes visible. This aligns the initiative with the concept of digital risk protection, a category that in recent years has sought to move beyond simple monitoring and instead act directly against domains, fake apps, social impersonations, or channels used in deceptive campaigns.
Moreover, Netcraft already operates in this space. The company reports that it takes down about one-third of the world’s phishing sites and has expanded its offerings to include disruption of telephone scams, along with its guides and services for protection against phishing, fraud, and brand abuse. That track record lends context to this new step, though its success will ultimately depend on whether preventive capacity translates into a tangible and sustained advantage over other providers.
Public support from the Anti-Phishing Working Group (APWG) also underscores the initiative’s significance. In the announcement, Peter Cassidy, co-founder of APWG, states that Netcraft will contribute data from this new capability to a subcategory of pre-deployed domains within the eCrime eXchange. This is notable because it suggests that discussions around malicious domains now extend beyond those already active to include those still in preparation but showing clear signs of impending abuse.
In any case, cautious optimism is warranted. In cybersecurity, proactive threat detection is always a desirable goal, but it requires high precision. If the system performs well, it can considerably reduce exposure to phishing and BEC. If it errs, it runs into the delicate side of this approach: the need for solid evidence, coordination with providers, and a fine balance between speed and reliability. This will likely be the true test of this new phase’s success.
Frequently Asked Questions
What is Netcraft’s Preemptive Domain Disruption?
It’s a new capability announced by Netcraft to identify and deactivate attacker-controlled domains before they can be used in phishing or BEC campaigns.
What problem does this technology aim to solve?
It seeks to capitalize on the window between malicious domain registration and actual campaign launch, intending to dismantle that infrastructure before victims are affected.
What does BEC stand for in this context?
It stands for Business Email Compromise, a scam involving impersonation or manipulation of corporate email communications.
Has Netcraft provided data on the effectiveness of this feature?
Yes, but these figures are provided by the company itself: approximately 90% of malicious domains were removed within 24 hours, and more than 21,000 domains were taken down over three months in a corporate deployment.
via: Netcraft

