Cyber criminals are the kings of recycling. Once they’ve found a tactic that works well, they’ll keep doing it as long as they can get away with it. That’s why it’s so important for research teams to keep a close eye on what’s happening behind the scenes with web traffic. Case in point? Our team at DNSFilter recently analyzed global DNS activity from the first quarter of 2025 and identified several notable trends. Chief among these is that bad actors continue to rely heavily on new domains to try to trick unsuspecting users into clicking on phishing links and other scams.
In our recent Q1 security report, we identified a surge in new domains. While not all new domains are necessarily malicious, it is certainly a trend worth investigating.
New domains are proliferating. In fact, this category surpassed phishing and malware to become the most trafficked threat category on our network. In the first quarter of 2025, we found that new domains were up 140% compared to the last quarter of 2024; of those, 19% were still potentially malicious as of early April.
What does this data reveal? Well, it’s not so much that the first quarter had more active new domains than usual, but rather, that they were leveraged more often. Sometimes new domains are suspicious and potentially malicious, and sometimes they are just new. Because new domains are frequently used in phishing and malware campaigns, blocking them can protect your organization from emerging threats and domains that could become malicious.
Malicious actors are registering new domains more often lately because they can take advantage of trends with catchy domain names and customize their threat campaigns. When domains are new, they have not yet had time to appear on block lists, which gives bad actors time for exploitation. Attacks can sometimes occur mere minutes after a website is launched, and about one-third of phishing sites disappear just hours after initial detection. It’s almost impossible to notice, evaluate, and block new malicious activity in such a short time span.
New domains can be used in “fast flux” attacks, in which attackers quickly cycle domains to escape detection. Fast flux is a DNS technique that state-sponsored threat actors and ransomware gangs use to evade detection and maintain the resilient infrastructure used for command and control (C2), malware delivery, and phishing. An attacker using the fast flux technique rapidly changes DNS records, making it difficult for IT security teams to identify and block the source of malicious activity. (It’s kind of like if bad actors opened a pop-up store, committed as much fraud as possible quickly, and then shut it down before the police arrived.)
Attackers use either a single flux or a double flux technique. For single flux, one domain name is linked to numerous IP addresses that are rotated frequently in DNS responses. Double flux also uses IP address rotation, and it adds quickly changing DNS name servers. This is an additional smokescreen that makes it even harder to take them down. CISA has found that many networks have a gap in their defenses for detecting and blocking fast flux. One of CISA’s mitigation recommendations is to use DNS and IP blocklists and firewall rules or non-routable DNS responses to block access to fast flux domains and IP addresses.
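The single-flux and double-flux patterns described above can be surfaced from passive DNS observations by counting how many distinct A records and NS records a name resolves to within a window and how short its TTLs are. The following is an added illustration, not DNSFilter’s own detection logic; the observations, the `.example` names, the documentation-range addresses and the thresholds are all constructed assumptions, and any real deployment would tune the thresholds against its own baseline (CDNs also use short TTLs and many addresses).

```python
from collections import defaultdict

# Constructed DNS observations for illustration (not real indicators):
# (seconds since start of window, query name, record type, record data, TTL).
OBSERVATIONS = [
    # Double flux: A records and NS records both rotate every minute, TTL 60.
    (0,   "double.example", "A",  "192.0.2.10", 60),
    (0,   "double.example", "NS", "ns1.double.example", 60),
    (60,  "double.example", "A",  "192.0.2.11", 60),
    (60,  "double.example", "NS", "ns2.double.example", 60),
    (120, "double.example", "A",  "192.0.2.12", 60),
    (120, "double.example", "NS", "ns3.double.example", 60),
    # Single flux: A records rotate, but the name servers stay put.
    (0,   "single.example", "A",  "203.0.113.20", 30),
    (0,   "single.example", "NS", "ns1.single.example", 86400),
    (30,  "single.example", "A",  "203.0.113.21", 30),
    (60,  "single.example", "A",  "203.0.113.22", 30),
    (90,  "single.example", "A",  "203.0.113.23", 30),
    # Ordinary domain: one address, long TTL, one name server.
    (0,   "stable.example", "A",  "198.51.100.5", 3600),
    (0,   "stable.example", "NS", "ns1.stable.example", 86400),
]

def summarize(observations):
    """Per domain: distinct A data, distinct NS data, and the smallest TTL seen."""
    stats = defaultdict(lambda: {"a": set(), "ns": set(), "min_ttl": float("inf")})
    for _ts, name, rtype, rdata, ttl in observations:
        s = stats[name]
        if rtype == "A":
            s["a"].add(rdata)
        elif rtype == "NS":
            s["ns"].add(rdata)
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return stats

def classify(stats, ip_threshold=3, ns_threshold=3, ttl_threshold=300):
    """Label each domain 'double-flux', 'single-flux' or 'normal' (assumed thresholds)."""
    labels = {}
    for name, s in stats.items():
        # Single flux: many distinct addresses behind one name, with short TTLs.
        fluxing_ips = len(s["a"]) >= ip_threshold and s["min_ttl"] <= ttl_threshold
        # Double flux: the name servers themselves rotate as well.
        fluxing_ns = len(s["ns"]) >= ns_threshold
        if fluxing_ips and fluxing_ns:
            labels[name] = "double-flux"
        elif fluxing_ips:
            labels[name] = "single-flux"
        else:
            labels[name] = "normal"
    return labels
```

Domains labelled as fluxing are candidates for the blocklist, firewall rule or non-routable DNS response that CISA recommends, after an analyst has ruled out legitimate short-TTL services.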
The most blocked top-level domain (TLD) on our network in Q1 was .pw. This TLD, which appears where .com would normally sit in a URL, has gained traction with threat actors, leading users to block it at the root domain level.
Of additional note, while malware and phishing incidents dropped in prevalence compared to new domains, they still represented a solid 46% of all threats in Q1. They may not have taken the top spot this past quarter, but these remain significant threats.
Given what we have seen so far this year, we expect bad actors to continue using new domains as a primary tactic.
The good news? Strategic filtering and blocking by category (for example, the new domains category) can help immensely. This action can help remove hundreds or even thousands of daily security alerts from your SOC or Managed Defense Service team’s plate. It can help your organization substantially lower the amount of storage that your Security Information and Event Management (SIEM) platform requires. Blocking new domains can also lower corporate risk, storage space needs, alert fatigue, investigation time, and lost productivity. These changes can, in turn, lead to cost savings and a substantial return on investment.