A recent intelligence report by Cofense highlights the exploitation of government (.gov) domains by phishing threat actors between November 2022 and November 2024.
These domains, while typically trusted by default, have been manipulated to host credential phishing content, redirect users to malicious pages, or act as command-and-control servers for malware.
Although .gov domains are abused far less often than other top-level domains, their misuse exposes significant weaknesses.
The most common technique observed involves open redirects.
According to the MITRE definition, an open redirect occurs when a web application accepts user-controlled input that specifies a link to an external site and redirects to that link without proper validation.
Threat actors abuse such redirects in government domains to bypass secure email gateways (SEGs). Users generally trust .gov domains, making them more likely to click on malicious links embedded in phishing emails.
Many of these redirects exploited the “noSuchEntryRedirect” path structure, a vulnerability linked to CVE-2024-25608 in the Liferay digital platform used by governmental organizations.
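As an added illustration (not part of the Cofense report, and not Liferay's code), the following Python shows both sides of the open-redirect pattern described above: a mail-filter check that flags a trusted government link carrying an embedded external URL, and the server-side allow-list validation that closes such a redirect. The sample links, the `url`/`next` parameter names and the allow-list are constructed.

```python
# Added example (not Cofense's or Liferay's code): detection of redirect-style links
# plus the server-side validation that closes an open redirect. Samples are constructed.
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed links of the kind a mail filter might extract from a message.
SAMPLE_LINKS = [
    "https://portal.example.gov/redirect?url=https%3A%2F%2Flogin.example-phish.test%2Fo365",
    "https://portal.example.gov/news/2024/budget",
    "https://portal.example.gov/go?next=/account/settings",
]

def _registrable(host: str) -> str:
    """Rough registrable-domain approximation: the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_government_host(host: str) -> bool:
    """True for .gov and country variants such as .gov.br or .gov.vn."""
    return "gov" in host.lower().rstrip(".").split(".")

def embedded_external_targets(link: str) -> list[str]:
    """Absolute http(s) URLs in the query string that point off the link's own domain."""
    parts = urlsplit(link)
    own = _registrable(parts.hostname or "")
    targets = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            cand = urlsplit(unquote(value))  # tolerate double-encoded values
            if cand.scheme in ("http", "https") and cand.netloc:
                if _registrable(cand.hostname or "") != own:
                    targets.append(cand.geturl())
    return targets

def is_suspicious_gov_redirect(link: str) -> bool:
    """Flag a government-hosted link that forwards to an external site (the report's pattern)."""
    host = urlsplit(link).hostname or ""
    return is_government_host(host) and bool(embedded_external_targets(link))

def safe_redirect_target(requested: str, allowed_hosts: frozenset, fallback: str = "/") -> str:
    """Server-side fix: accept only same-site paths or explicitly allow-listed hosts."""
    target = urlsplit(requested)
    if not target.scheme and not target.netloc:
        # Same-site path. "//host" never lands here (it has a netloc); reject backslash variants.
        return requested if requested.startswith("/") and "\\" not in requested else fallback
    if target.scheme in ("http", "https") and (target.hostname or "").lower() in allowed_hosts:
        return requested
    return fallback

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", "SUSPICIOUS" if is_suspicious_gov_redirect(link) else "ok")
```

The `_registrable` helper is a deliberate simplification; a production filter would use a public-suffix list so that `agency.gov.br` and `other.gov.br` are not treated as one domain.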
Exploit Patterns and Regional Impact
Cofense’s analysis identified trends across more than 20 countries. However, the majority of abused domains belonged to seven key nations, with Brazil featuring prominently.
United States domains accounted for only 9% of the abused .gov domains, but they were used exclusively for open redirects, most commonly exploiting the CVE-2024-25608 vulnerability.
Campaigns targeting U.S. government domains frequently used Microsoft-themed phishing emails, tricking users into entering credentials by mimicking legitimate communication channels.
These emails often bypassed major SEGs such as Proofpoint, Cisco IronPort, and Microsoft ATP.
Globally, the data suggests that only a small subset of domains within each country accounts for the bulk of the abuse.
For example, in Brazil, 65% of the abused .gov.br domains were concentrated among just three domains.
Similarly, Vietnam and the Philippines showed regional deviations, with Vietnam displaying repeated abuse of a few domains and the Philippines presenting broader, unique domain compromises.
Malicious Use of Government Email Systems
In addition to open redirects, a small number of compromised government email addresses have been utilized as command-and-control (C2) servers for malware like Agent Tesla Keylogger and StormKitty.
While only two email accounts (located in Bangladesh and Pakistan) were identified for C2 activities, this limited exposure highlights the relative success of some governments in securing their systems.
The widespread abuse of .gov domains for phishing campaigns underscores the importance of maintaining robust security practices by government entities.
Open redirects remain a common entry point for threat actors, emphasizing the necessity of regular vulnerability assessments, prompt patching of software like Liferay, and strict user-input validation protocols.
This trend also reinforces the need for increased awareness among users.
Given the high trust placed in government domains, phishing campaigns leveraging these legitimate domains are more likely to succeed.
Addressing these vulnerabilities requires a coordinated approach involving software vendors, cybersecurity firms, and government organizations worldwide.
As attackers continue to refine their methods, proactive defenses will be crucial in mitigating these risks.