Threat Actors Exploit .COM TLD to Host Widespread Credential Phishing Sites

Threat actors have dramatically increased their exploitation of the cybersecurity sector, which is a disturbing development. Spain’s country code TLD, ES, is used to plan credential phishing attacks.

According to recent findings from Cofense Intelligence, the abuse of .ES TLD domains surged by an astonishing 19-fold from Q4 2024 to Q1 2025, propelling it to the third most abused TLD for malicious activities between January and May 2025.

This dramatic increase has displaced other commonly abused TLDs in the top 10 rankings, with .ES domains now appearing twice as frequently as .DEV in malicious campaigns.

Meteoric Rise of .ES TLD Abuse in 2025

The trend primarily manifests in both first-stage URLs embedded in phishing emails or attachments and second-stage URLs, which host phishing pages or facilitate data exfiltration, with the latter showing the most significant uptick.

Delving ...