Threat actors have dramatically increased their exploitation of the cybersecurity sector, which is a disturbing development. Spain’s country code TLD, ES, is used to plan credential phishing attacks.
According to recent findings from Cofense Intelligence, the abuse of .ES TLD domains surged by an astonishing 19-fold from Q4 2024 to Q1 2025, propelling it to the third most abused TLD for malicious activities between January and May 2025.
This dramatic increase has displaced other commonly abused TLDs in the top 10 rankings, with .ES domains now appearing twice as frequently as .DEV in malicious campaigns.
Meteoric Rise of .ES TLD Abuse in 2025
The trend primarily manifests in both first-stage URLs embedded in phishing emails or attachments and second-stage URLs, which host phishing pages or facilitate data exfiltration, with the latter showing the most significant uptick.
Delving deeper into the technical nuances, the surge in .ES TLD abuse is largely attributed to the strategic use of subdomains, often appearing as pseudo-dynamically generated strings rather than human-crafted names.
Of the 1,373 subdomains analyzed by Cofense across 447 .ES base domains from January to May 2025, over 99% were linked to credential phishing, predominantly spoofing Microsoft, which accounted for 95% of the impersonated brands a rate 10% higher than in campaigns using other TLDs.
Other brands like Adobe and Google appeared in smaller fractions, suggesting that the .ES TLD abuse is not the work of a singular threat actor group with specific preferences but rather a widespread tactic adopted across diverse cybercriminal communities.
Shift in Tactics
The phishing pages hosted on these subdomains are often sophisticated, featuring well-designed emails and fully featured content, frequently protected by Cloudflare Turnstile CAPTCHAs.
Notably, about 99% of these malicious .ES domains were hosted on Cloudflare infrastructure, raising questions about the ease of deployment and the platform’s response to abuse complaints.
Historically, .ES TLD abuse was more associated with malware Command and Control (C2) operations, with families like FormBook leveraging the domain to blend malicious traffic with legitimate sites.
However, 2025 marks a pivot towards credential phishing, with subdomains becoming a preferred vector for hosting deceptive content.
Unlike earlier patterns where base domains were directly used, the current wave sees unreachable base domains paired with seemingly random subdomain strings like “ag7sr.fjlabpkgcuo.es,” designed to evade detection while maintaining a veneer of legitimacy.
Campaigns observed in March 2025 showcased varied themes but consistently targeted Microsoft users with convincing phishing pages, often embedded within emails carrying subjects like “Vendor Update, Action Required” or “Confirm receipt: Voicemail from EXT 0972.”
This indicates a level of social engineering sophistication aimed at maximizing victim engagement.
As .ES continues to rise in the threat landscape lacking the extensive legitimate domain history of TLDs like .COM due to past registration restrictions cybersecurity professionals must adapt detection mechanisms to address this evolving threat vector, emphasizing the monitoring of subdomain activity and reinforcing defenses against Cloudflare-hosted phishing infrastructure.
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
