The .es domain under fire: cybercriminals increase its use 19-fold for phishing campaigns

Alarming Increase in Phishing Attacks Using the .es Domain in Spain

In a worrying development for digital security in Spain, the national domain .es has entered the list of top-level domains most exploited by cybercriminals for phishing. The finding comes from a new report by the cybersecurity firm Cofense, which documents a 19-fold increase in malicious campaigns launched from .es domains between January and May 2025.

This surge places the Spanish ccTLD third, behind only .com and .ru, two TLDs long associated with such attacks. Experts read this as a sign that malicious actors are adapting, seeking new namespaces that bypass reputation-based filtering and reach end users with an appearance of legitimacy.

Over 1,300 Compromised .es Subdomains in Just Five Months

According to data analyzed by Cofense, 1,373 malicious subdomains were operating on 447 base .es domains by the end of May 2025. In 99% of cases the goal was credential theft through fake login pages impersonating legitimate services, above all Microsoft portals, which appeared in 95% of the campaigns. The remaining 1% were used to distribute remote access trojans (RATs) such as DarkCrystal RAT, XWorm, or ConnectWise RAT.

The modus operandi is classic but effective: well-crafted emails with work or administrative themes (such as HR requests, tax documents, or security alerts) that contain links to fraudulent portals where users are asked to log in with real credentials. These emails do not exhibit obvious grammatical errors or careless designs, making them harder for users to detect.

Cloudflare: A Common Infrastructure

One notable technical aspect of this wave is the attackers' dependence on the Cloudflare platform, which fronted 99% of the detected malicious domains. Attackers leverage both Cloudflare's content delivery network (CDN) and its protection features, in particular the Turnstile CAPTCHA: a challenge page gives the fraudulent portal a familiar, legitimate look to the victim, and at the same time blocks the automated crawlers that security vendors use to fetch and classify phishing pages.

According to Cofense, this ease of deployment, together with tools such as pages.dev for quickly standing up a site, may be facilitating the abuse. Although Cloudflare has publicly stated its commitment to combating misuse of its services, its responsiveness to abuse reports remains a point of debate among researchers.

Why the .es Domain?

Until now, country-code top-level domains (ccTLDs) such as .es had been relatively spared from this kind of abuse. Unlike generic TLDs such as .top, .zip, or .xyz, ccTLDs typically have more restrictive registration policies and do not lend themselves to bulk purchases, which in theory makes them less attractive to cybercriminals.

However, Cofense’s report suggests that this perception is changing. Spain has over 2.2 million active .es domains, according to data from Red.es, making it one of the most widely used ccTLDs in Europe. The visibility and familiarity of this domain among Spanish speakers may serve as an additional draw for attackers, generating a false sense of trust among users.

Furthermore, the proliferation of accredited .es domain registrars offering quick and cost-effective buying processes, combined with a lack of stricter technical and legal verification, may have lowered the entry barrier for malicious actors.

Automated Attacks, Random URLs

The URLs used in these campaigns are generally randomly generated subdomains created by automated scripts. They do not try to resemble legitimate sites (a lookalike such as "micr0s0ft.es"); instead the random labels carry no brand keywords for lookalike or keyword-based filters to match on, which is how they evade automated filtering. Examples analyzed include:

  • ag7sr[.]fjlabpkgcuo[.]es
  • gymi8[.]fwpzza[.]es
  • md6h60[.]hukqpeny[.]es

These URLs are designed to have a short lifespan: many are created, used for a few hours or days, and then discarded. This churn makes it hard for security and email providers to keep them on blocklists, since a domain is often dead before its reputation is updated.
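Because the labels are random rather than lookalikes, a blocklist keyed on brand names never matches them, but the randomness itself is detectable. The script below is an added illustration, not Cofense's tooling or anything from the report: it scores each DNS label of a hostname on simple lexical features (vowel ratio, longest consonant run, mixed letters and digits, share of distinct characters) and flags hosts whose labels look machine-generated, reporting the TLD so a .es filter can be applied downstream. The input list is constructed for the example: the three defanged hostnames quoted in the report plus three made-up hosts under example-style names that are assumed to be legitimate; the thresholds are hand-picked assumptions, not tuned parameters.

```python
"""Heuristic triage of hostnames for randomly generated DNS labels.

Added example (not from the Cofense report): flags hostnames whose labels
look machine-generated, which is the pattern of the .es phishing subdomains
described above. Thresholds are illustrative assumptions.
"""
import re
from urllib.parse import urlsplit

VOWELS = set("aeiou")
# Generic labels that carry no signal about who registered the name.
IGNORED_LABELS = {"www", "mail", "smtp", "ftp"}
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

# Constructed sample: the three defanged hosts quoted in the report plus
# three invented hosts meant to look like ordinary Spanish organisations.
SAMPLE_URLS = [
    "hxxps://ag7sr[.]fjlabpkgcuo[.]es/login",
    "hxxps://gymi8[.]fwpzza[.]es/",
    "md6h60[.]hukqpeny[.]es",
    "https://www.example.es/",
    "https://correo.empresa-ejemplo.es/owa",
    "intranet.ayuntamiento-ejemplo.es",
]


def refang(value: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in threat reports."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(value: str) -> str:
    """Extract the lowercase hostname from a URL or a bare hostname."""
    value = refang(value.strip().lower())
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").rstrip(".")


def label_features(label: str) -> dict:
    """Lexical features that separate generated labels from human-chosen ones."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    runs = [len(m) for m in CONSONANT_RUN.findall(label)]
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "longest_consonant_run": max(runs, default=0),
        "mixed_alnum": bool(letters) and any(c.isdigit() for c in label),
        "distinct_ratio": len(set(label)) / len(label) if label else 0.0,
    }


def label_looks_generated(label: str) -> bool:
    """Flag a label when at least two generated-looking features are present.

    The thresholds are assumptions chosen for this example, not tuned values.
    """
    f = label_features(label)
    if f["length"] < 5:
        return False  # too short to judge; avoids flagging 'ftp', 'vpn', etc.
    hits = sum([
        f["vowel_ratio"] < 0.3,                               # few vowels
        f["longest_consonant_run"] >= 4,                      # unpronounceable
        f["mixed_alnum"],                                     # letters mixed with digits
        f["length"] >= 7 and f["distinct_ratio"] >= 0.9,      # almost no repeated chars
    ])
    return hits >= 2


def analyze(url: str) -> dict:
    """Return the hostname, its TLD and which labels look generated."""
    host = hostname_of(url)
    labels = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    candidates = [lab for lab in labels[:-1] if lab not in IGNORED_LABELS]
    flagged = [lab for lab in candidates if label_looks_generated(lab)]
    return {"hostname": host, "tld": tld, "flagged_labels": flagged,
            "suspicious": bool(flagged)}


def triage(urls) -> list:
    """Return the analysis records of the URLs that look generated."""
    results = [analyze(u) for u in urls]
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for rec in triage(SAMPLE_URLS):
        print(f"{rec['hostname']:32} tld=.{rec['tld']} flagged={rec['flagged_labels']}")
```

All three report hostnames are flagged on both their subdomain and base-domain labels, while the three invented legitimate-looking hosts pass. This is a triage aid, not a verdict: short acronym-style labels such as a host literally named after a product can trip the consonant-run rule, so combine the score with domain age, the TLD, and whether the site is fronted by a CAPTCHA challenge before blocking.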

Not an Isolated Group: A Widespread Trend

One of the most important findings of the report is that the activity is not limited to a single group of cybercriminals; multiple actors are using .es domains to launch their campaigns. According to Cofense, this indicates that the use of European ccTLDs, traditionally considered trustworthy, is becoming normalized as an attack vector across the cybercrime ecosystem.

“We do not observe attack patterns suggesting a coordinated campaign by a specialized group. The diversity of targets, techniques, and levels of sophistication indicates that the malicious use of the .es domain has spread among many actors with different motivations,” concludes Cofense.

What Can Authorities and Users Do?

The situation presents a double challenge: on one hand, strengthening verification and oversight of registered .es domains; on the other, raising public and business awareness of phishing. Cybersecurity experts such as Fernando Suárez, president of the General Council of Computer Engineering Colleges of Spain, have long advocated reforming the domain registration system with proactive mechanisms to detect fraudulent use.

INCIBE and Red.es, the bodies responsible for digital security and for managing the .es domain in Spain, have stepped up awareness and monitoring campaigns. Analysts nevertheless agree that the battle will be long and will require public-private cooperation, better automated detection, and a more critical and vigilant public.

Because if this trend teaches us anything, it’s that no domain is free from being used for deceit, even those that historically symbolized closeness and reliability. In the digital battlefield, even .es can be a Trojan Horse.
