The use of the .es country code top-level domain (ccTLD) for credential phishing attempts has dramatically increased in early 2025, according to recent analysis from Cofense Intelligence, indicating a worrying change in cybercrime techniques.
Traditionally, TLDs such as .com and .ru have consistently ranked as the most abused domains for hosting malicious sites, serving both first-stage (embedded in email or attachments) and second-stage (landing) URLs in phishing operations.
However, the .es TLD, historically reserved for Spanish entities, has now emerged as a prime target for threat actors, experiencing a 19-fold increase in abuse from Q4 2024 to Q1 2025, propelling it into the third position among the top ten most exploited TLDs.
Credential Phishing Campaigns
The .es TLD, originally designated for Spanish-speaking audiences and subject to significant usage restrictions until 2005, lacks the extensive ecosystem of long-standing legitimate domains seen with global TLDs like .com.

This has not prevented cybercriminals from leveraging .es to launch sophisticated credential phishing campaigns, particularly targeting multinational brands such as Microsoft.
Analysis of phishing activity between January and May 2025 found that 95% of .es-based phishing emails spoofed Microsoft, a figure approximately 10% higher than campaigns leveraging other TLDs.
Incidents of Adobe, Google, Docusign, and Social Security Administration brand abuse were also documented, albeit at far lower rates.
This indiscriminate brand targeting suggests that the exploitation of .es is a widespread trend among numerous threat actors, rather than the work of a specialized few.
A distinct feature of these .es-based campaigns is the prevalent use of dynamically generated subdomains.
In over 1,370 observed subdomains across 447 unique .es domains, the overwhelming majority hosted credential phishing content.

Unlike more targeted subdomain attacks that mimic legitimate URLs through recognizable words or corporate themes, the .es subdomains frequently consist of random strings, presumably generated algorithmically. This approach complicates detection by both users and automated security solutions.
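One defensive way to act on the observation above (random-looking subdomains under .es) is a lightweight triage heuristic over URLs pulled from mail gateway or proxy logs. The script below is an added example, not code from Cofense or from the original article; the sample URLs, the host names, the entropy threshold and the length cutoff are all constructed assumptions, and the "registrable domain equals the last two labels" shortcut is a simplification that a production system would replace with a public suffix list.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed sample URLs (placeholders, not indicators from the report):
# two with random-looking subdomains under .es, one ordinary .es host,
# one ordinary .com host.
SAMPLE_URLS = [
    "https://x7k2qp9ma.example-es-one.es/login",
    "https://bq83zt1vhy0.example-es-two.es/verify",
    "https://mail.example-es-three.es/inbox",
    "https://portal.example.com/signin",
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str, min_len: int = 8, entropy_threshold: float = 3.0) -> bool:
    """Heuristic for algorithmically generated labels: long enough, and either
    high character entropy or a mix of letters and digits.

    Thresholds are assumptions chosen for this example, not values from the
    report; expect false positives on hosts such as 'web2023app' and tune on
    your own baseline of known-good hostnames.
    """
    if len(label) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return shannon_entropy(label) >= entropy_threshold or (has_digit and has_alpha)


def classify_url(url: str) -> dict:
    """Split a URL into host, TLD and subdomain labels and score the subdomains."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    tld = labels[-1] if labels else ""
    # Simplifying assumption: registrable domain is the last two labels,
    # everything before that is subdomain. A real deployment should use a
    # public suffix list instead.
    subdomain_labels = labels[:-2] if len(labels) > 2 else []
    generated = [lbl for lbl in subdomain_labels if looks_generated(lbl)]
    return {
        "host": host,
        "tld": tld,
        "generated_subdomain": bool(generated),
        # The article's pattern: random subdomain AND the .es TLD.
        "flag": tld == "es" and bool(generated),
    }


def flag_urls(urls) -> list:
    """Return the hosts that match the .es-plus-random-subdomain pattern."""
    return [classify_url(u)["host"] for u in urls if classify_url(u)["flag"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u))
    print("flagged:", flag_urls(SAMPLE_URLS))
```

The combination matters: a random-looking subdomain alone is common on content delivery and SaaS hosts, so the script only raises the flag when it coincides with the TLD the report singles out. Treat a hit as a triage signal to enrich with the rest of the article's indicators (brand spoofing in the message body, Cloudflare fronting, Turnstile challenge on the landing page) rather than as a verdict on its own.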
Microsoft Spoofing
Another noteworthy observation is the substantial reliance on Cloudflare infrastructure for hosting these phishing sites.
Approximately 99% of malicious .es domains in credential phishing campaigns were protected by Cloudflare services, and a significant number implemented Cloudflare’s Turnstile CAPTCHA, potentially impeding automated threat detection solutions and extending the lifespan of malicious sites.
While this pattern may be influenced by the ease with which Cloudflare allows rapid deployment of new domains and hosting, questions remain about the platform’s response to abuse reports and the broader implications for web security.
The phishing emails accompanying these attacks exhibit higher sophistication, often presenting full-featured content and well-constructed narratives instead of simplistic messages.
Common lures included documents purportedly requiring urgent review or action, vendor updates, voicemail notifications, and document packages, with subject lines designed to trigger prompt, unguarded responses from recipients.
The campaigns’ technical execution, particularly the use of random subdomains and advanced hosting solutions, underscores a methodical evolution in attackers’ methodologies.
According to the Cofense Intelligence report, this surge in .es TLD abuse represents a significant and evolving threat landscape, reflecting both the adaptability of cybercriminals and the ongoing challenges faced by domain registries, web infrastructure providers, and security teams worldwide.
As threat actors diversify their use of TLDs and capitalize on gaps in domain oversight, organizations must remain vigilant, regularly update threat intelligence, and ensure robust multi-layered defenses against credential phishing schemes.