The .es domain, under scrutiny: cybercriminals multiply its use by 19 for phishing campaigns

In a concerning development for digital security in Spain, the national domain .es has risen to become one of the most commonly used by cybercriminals to launch phishing attacks. A new report from cybersecurity firm Cofense documents a 19-fold increase in malicious campaigns originating from .es domains between January and May 2025.

This surge places .es third, behind only .com and .ru, two TLDs long associated with such attacks. Researchers read it as a sign that attackers are deliberately moving to TLDs that reputation-based filters still treat as trustworthy, so that their lures bypass security controls and reach end users looking more legitimate.

More than 1,300 malicious .es subdomains in just five months

According to Cofense’s analysis, 1,373 malicious subdomains were spread across 447 base .es domains as of May 2025. In 99% of cases the goal was credential theft via fake login pages impersonating legitimate services; Microsoft sign-in portals were the most imitated, appearing in 95% of campaigns. The remaining campaigns delivered remote access trojans (RATs) such as DarkCrystal RAT, XWorm, or ConnectWise RAT.

The method is classic but effective: well-crafted emails with workplace or administrative themes (HR requests, tax documents, security alerts) that link to fraudulent portals asking the victim to log in with real credentials. The messages are free of the obvious grammatical errors and sloppy design that once gave phishing away, which makes them harder for users to spot.

Cloudflare infrastructure appears frequently

A notable technical aspect of this wave is its reliance on Cloudflare: 99% of the detected malicious domains were served through it. Attackers use both Cloudflare’s content delivery network (CDN) and its bot-protection features, especially the Turnstile challenge, which lends the fake sites an extra air of legitimacy and, in practice, also keeps automated URL scanners that cannot solve the challenge from ever reaching the phishing page.

Cofense notes that the ease of standing up a site with Cloudflare tools such as Pages (pages.dev) may make abuse easier. Cloudflare has publicly committed to combating misuse of its services, but researchers still disagree about how promptly it acts on abuse reports.

Why choose .es domains?

Until now, country-code top-level domains (ccTLDs) like .es had been relatively shielded from such abuse. Unlike generic TLDs such as .top, .zip, or .xyz, ccTLDs generally have more restrictive registration policies and don’t allow bulk purchases, which in theory makes them less attractive to cybercriminals.

However, Cofense’s report suggests this perception is shifting. Spain has over 2.2 million active .es domains, according to Red.es, making it one of Europe’s most used ccTLDs. The domain’s visibility and recognition among Spanish speakers could be an additional draw for attackers, since users are more inclined to trust a familiar national TLD.

Moreover, the proliferation of accredited .es registrars offering quick and cheap registration, combined with little technical or legal verification of registrants, may have lowered the entry barrier for malicious actors.

Automated attacks and random URLs

The hostnames used in these campaigns are typically subdomains generated at random by automated scripts. They don’t try to mimic legitimate names (such as “micr0s0ft.es”); their purpose is to evade automated filtering systems that rely on known-bad names or lookalike detection. Examples include:

– ag7sr.fjlabpkgcuo.es
– gymi8.fwpzza.es
– md6h60.hukqpeny.es

These hostnames are designed to be short-lived: many are created, used for hours or days, then discarded. This churn makes it difficult for security vendors and email providers to blocklist them effectively, since a reputation entry often arrives after the name has already been abandoned and replaced.
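Because the names rotate faster than blocklists update, a practitioner triaging mail-gateway or passive-DNS data wants a lexical check that flags this style of hostname without a prior reputation entry. The following is an added example written for this article; it is not code from Cofense, The Register, or Red.es. It splits each hostname into a registrable base domain plus subdomain labels, scores every label for the "random string" look described above (few vowels, long consonant runs, embedded digits, almost no repeated characters), and groups hits by base domain so that one flagged base also exposes its more readable-looking siblings. The three hostnames quoted above are mixed with benign hostnames constructed here for contrast, and all thresholds are assumptions to be tuned against real traffic.

```python
"""Heuristic triage of algorithmically generated phishing subdomains.

Added example for this article, not code from Cofense, The Register or
Red.es. Thresholds and sample inputs are assumptions for illustration.
"""

from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample input: the three hostnames quoted in the article plus
# benign-looking hostnames invented here for contrast (not from any report).
SAMPLE_HOSTS = [
    "ag7sr.fjlabpkgcuo.es",
    "gymi8.fwpzza.es",
    "md6h60.hukqpeny.es",
    "www.ayuntamiento-madrid.es",  # constructed benign example
    "correo.universidad.es",       # constructed benign example
    "intranet.fwpzza.es",          # constructed: readable label on a flagged base
]


def split_host(host):
    """Return (base_domain, subdomain_labels) for a hostname.

    Assumption: the registrable domain is the last two labels (name.es).
    Production code should consult the Public Suffix List, because .es also
    registers under second-level names such as com.es and gob.es.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a fully qualified hostname: %r" % host)
    return ".".join(labels[-2:]), labels[:-2]


def label_features(label):
    """Cheap lexical features of one DNS label."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0  # a vowel, digit or hyphen ends the consonant run
    return {
        "length": len(label),
        "vowel_ratio": vowel_ratio,
        "consonant_run": best,
        "digits": sum(c.isdigit() for c in label),
        "unique_ratio": len(set(label)) / len(label) if label else 0.0,
    }


def score_label(label):
    """Number of machine-generated indicators a label trips (0..4).

    Thresholds are assumptions chosen for this example, not report values;
    tune them against your own passive-DNS or mail-gateway data.
    """
    f = label_features(label)
    if f["length"] < 5:
        return 0  # 'www', 'mail', 'smtp' are too short to judge
    score = 0
    if f["vowel_ratio"] < 0.3:
        score += 1  # pronounceable words sit well above this
    if f["consonant_run"] >= 4:
        score += 1
    if f["digits"] >= 1:
        score += 1  # digits inside a label are unusual for public web hosts
    if f["unique_ratio"] >= 0.9:
        score += 1  # almost no repeated characters, as in random draws
    return score


def looks_generated(label, threshold=2):
    return score_label(label) >= threshold


def triage(hosts):
    """Group hosts by base domain; keep bases with any generated-looking label.

    Returns {base: {"hosts": [...], "generated_labels": [...]}}.
    """
    by_base = defaultdict(lambda: {"hosts": [], "generated_labels": []})
    for host in hosts:
        base, subs = split_host(host)
        entry = by_base[base]
        entry["hosts"].append(host)
        for label in [base.split(".")[0]] + subs:
            if looks_generated(label) and label not in entry["generated_labels"]:
                entry["generated_labels"].append(label)
    return {b: e for b, e in by_base.items() if e["generated_labels"]}


if __name__ == "__main__":
    for base, entry in sorted(triage(SAMPLE_HOSTS).items()):
        print(base, entry["generated_labels"], entry["hosts"])
```

Run against the constructed sample, the three quoted base domains are flagged and the benign ones are not; note that "intranet.fwpzza.es" is surfaced only because its base label scores, which is the point of grouping by base domain. Character entropy, the usual DGA feature, is deliberately absent: long natural-language labels such as "ayuntamiento-madrid" have entropy as high as the random ones, whereas vowel ratio and repeated-character ratio separate them cleanly. Expect false positives on legitimate hosts that carry digits (web2, mail01), so use the score to prioritise review rather than to block outright.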

Not an isolated group but a widespread trend

A key finding of the report is that the activity isn’t confined to a specific cybercriminal group: multiple actors are using .es domains for their campaigns. Cofense notes that the use of European national TLDs, once considered relatively safe, is becoming normalized as an attack vector in cybercrime.

“That activity does not seem to be part of a coordinated attack from a single specialized group,” Cofense concludes. “The diversity of targets, techniques, and sophistication levels suggests that malicious use of the .es domain is now common among many actors with different motivations.”

What can authorities and users do?

This situation presents a dual challenge: on one side, strengthening verification and monitoring of registered .es domains; on the other, raising awareness among citizens and businesses about phishing. Cybersecurity experts such as Fernando Suárez, president of the General Council of Computer Engineering Colleges in Spain (the profession’s official associations), have long called for reforming the domain registration system with proactive measures to detect fraudulent use.

Institutions like INCIBE, Spain’s national cybersecurity institute, and Red.es, which manages the .es registry, have stepped up awareness campaigns and monitoring. Yet analysts agree this will be a long battle requiring public-private cooperation, better automated detection, and a more vigilant and critical public.

What this trend shows is that no domain is immune to being used for deception, even those that have traditionally symbolized trust and closeness. In the digital war, even the .es can serve as a Trojan horse.

via: The Register
