
4 Ways Threat Actors Weaponize Domain Reputation to Bypass Your Defenses


Your entire security stack, from firewalls to secure email gateways, is likely built on a single, fundamental assumption: that you can trust domain reputation scores.

For years, this model worked. Security vendors assigned trust scores to domains, IPs, and ASNs based on their history. Your tools used those scores to permit or deny access. Many analysts relied on the reputation scores and rarely felt the need to investigate more deeply. It was a logical way to manage risk.

But threat actors have figured out how to weaponize that trust against you. They stopped trying to break down the door and instead forge the badges that let them walk right in.

Today’s adversaries view domains as strategic assets. They use a multi-stage lifecycle to ‘launder’ these domains. They manipulate their history and traffic until they appear trustworthy.

Then, the attack begins.

Here are the four main methods attackers use to manufacture trust and bypass your reputation-based defenses.

1. Domain Warming: The Con

This is a classic con. Threat actors meticulously ‘warm up’ new domains to build a credible, fake history.

A new domain with no history is an immediate red flag to security crawlers (the automated programs that browse the internet to find and index web pages). To counter this, attackers buy low-cost ads, place banners on popular sites, or embed links in pirate streaming networks to generate thousands of referral hits.

Web crawlers see this traffic as legitimate referrals from trusted sites. Search engines index the domain, and its domain reputation score climbs.

Take the recent example of envivolibre[.]com. Its Tranco rank (a research-oriented ranking of websites designed to resist manipulation) jumped from 4 million to 500,000 in just two weeks.

A standard filter sees a popular, high-traffic site. The reality is that the domain was new, had no content, and its traffic was completely inorganic.

The attacker waits until the domain gains enough trust. Then, they flip the switch. The trusted asset is repurposed for malware distribution. Your gateways see it as safe, and the attack sails right through.

2. Domain Generation Algorithms: The Flood

Some attackers build one good reputation. Others rely on quantity.

A Domain Generation Algorithm (DGA) is designed to overwhelm reputation-based defenses by creating a flood of new domains each day.

This technique is one of the basic strengths of botnet infrastructure. It is designed to evade takedowns and blacklist-based defenses.

The malware and the C2 server share the same algorithm. They use a daily seed, like the date or a cryptocurrency price, to generate identical lists of domains. The malware on an infected machine tries to contact the attacker using these domains. The attacker only needs to register one of these domains to open the C2 channel.

It is a magician using sleight of hand to fool the eye. By the time a reputation engine identifies and blacklists one domain, the malware has already moved on to the next one in the daily list.

[Image: Detections of DGAs on Lumu]

Previously, DGAs produced random, gibberish alphanumeric strings (as you can see in the image above) that were easy to spot. Modern DGAs are subtler, combining dictionary words that look legitimate. For example, cityjulydish[.]net would be much harder to distinguish from normal web traffic without deep behavioral inspection.

3. Domain Aging: The Waiting Game

Patience is a weapon. Attackers know that security tools flag new domains. So, they wait.

In strategic domain aging, an attacker registers a domain and lets it sit dormant for months or years. It hosts no malware and sends no spam. It just exists.

It graduates from the high-risk Newly Registered Domain (NRD) category and establishes a clean history.

The most infamous example of this is the SolarWinds attack. Threat actors registered avsvmcloud[.]com in February 2018. In early 2020, it was activated as the primary C2 server for the Sunburst malware hidden in the SolarWinds update. This patient, two-year aging period made its C2 traffic appear as legitimate communication. Standard filters had no reason to block it.

4. Expired or Abandoned Domains: The Identity Theft

Why spend months building a domain reputation when you can steal one?

Attackers actively monitor expiring domains and buy them the moment they lapse.

This is a strategic shortcut. The domain keeps its history, inbound links, and high domain reputation score. Attackers inherit this trust instantly.

Attackers then use these domains for malicious purposes. They intercept sensitive emails being sent to the old address. They distribute malware to users of outdated software. They host phishing pages that take advantage of the domain’s former legitimacy.

We saw this with polyfill[.]io, a trusted JavaScript service used by over 100,000 websites. When the original owners let the domain expire in early 2024, a malicious actor snapped it up. Overnight, they got more than a domain: they got its recognition. They were able to inject malicious JavaScript to redirect users, steal credit card data, and install malware. All from a ‘trusted’ domain.

Defending Against Manufactured Trust

The adversary’s playbook has evolved. If your security stack relies on ‘known bad’ indicators, it will stay one step behind these reputation-laundering techniques.

You must shift from static defense to continuous assessment. This means analyzing behavior of network traffic in real-time, not just reputation.

Effective defense against these four tactics requires new capabilities.

Predictive Analysis: Preempting Warming & Aging

Don’t just check a domain’s current status; predict its future intent. Lumu’s Emerging Threats algorithm identifies the behavioral patterns of a domain being prepared for an attack. It alerts you before the attack begins.

Internal Context: Unmasking DGAs

An external domain flood must be tracked internally. Don’t just ask, “Is this domain bad?” Ask, “Why is this endpoint contacting 100 new domains?” Lumu records each request. It identifies the endpoint. It then assigns a trust score based on your network’s context.
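The DGA mechanism described in section 2 and the "why is this endpoint contacting 100 new domains?" question above can be checked directly in resolver logs. The following is an added example written for this article, not Lumu's code: it profiles each client by how many never-seen names it queried and how many of them failed to resolve. The log format, the sample lines, the allow-list of known names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed DNS resolver log lines (not real traffic): timestamp, client, query name, response code.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 www.example.com NOERROR
2024-05-01T09:00:02 10.0.0.5 mail.example.com NOERROR
2024-05-01T09:00:03 10.0.0.9 qx7zk2p9t.net NXDOMAIN
2024-05-01T09:00:03 10.0.0.9 lm4w8r1zq.net NXDOMAIN
2024-05-01T09:00:04 10.0.0.9 cityjulydish.net NOERROR
2024-05-01T09:00:04 10.0.0.9 riverbookline.com NXDOMAIN
2024-05-01T09:00:05 10.0.0.9 applelampnight.org NXDOMAIN
2024-05-01T09:00:05 10.0.0.5 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, rcode = m.groups()
            records.append({"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode})
    return records

def profile_clients(records, known_domains, min_new=3, min_nx_ratio=0.5):
    """Flag endpoints that query several never-seen domains and mostly get NXDOMAIN back:
    the attacker registers only one name from the daily list, so the rest fail to resolve.
    Thresholds are this example's assumptions; tune them against your own baseline."""
    per_client = defaultdict(lambda: {"queries": 0, "nx": 0, "new": set()})
    for r in records:
        p = per_client[r["client"]]
        p["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            p["nx"] += 1
        if r["qname"] not in known_domains:
            p["new"].add(r["qname"])
    flagged = {}
    for client, p in per_client.items():
        nx_ratio = p["nx"] / p["queries"]
        if len(p["new"]) >= min_new and nx_ratio >= min_nx_ratio:
            # Report every new name, including the one that resolved: cityjulydish.net alone looks ordinary.
            flagged[client] = {"new_domains": sorted(p["new"]), "nx_ratio": round(nx_ratio, 2)}
    return flagged

if __name__ == "__main__":
    baseline = {"www.example.com", "mail.example.com"}  # constructed set of already-seen names
    print(profile_clients(parse_log(SAMPLE_LOG), baseline))
```

The endpoint that resolved cityjulydish.net is reported because of its own behaviour (five never-seen names, four failures), not because anything about that one name looks suspicious.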

Continuous Monitoring: Catching Expired Domain Abuse

Trust must be re-earned every day. You need a system that monitors network metadata 24/7. It detects the moment a ‘trusted’ site begins behaving anomalously. This is the core of Lumu’s Continuous Compromise Assessment®.
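The three patterns that these capabilities target (warming from section 1, aging from section 3, expired-domain takeover from section 4) can each be expressed as a heuristic over a domain's metadata history. The following is an added example for this article, not Lumu's product logic: the record fields, the thresholds, and the "creation date moved forward against an earlier snapshot" signal for re-registration are this example's own assumptions, and the records are constructed (the warming one reuses the rank jump quoted in section 1).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class DomainRecord:
    """Constructed metadata snapshot for one domain (field names are this example's own)."""
    name: str
    created: date                            # creation date from the current WHOIS/RDAP record
    rank_history: List[Tuple[date, int]]     # (observation date, popularity rank), oldest first
    first_seen_external: Optional[date]      # first observed activity anywhere (e.g. passive DNS)
    previous_created: Optional[date] = None  # creation date from an older snapshot, if kept

def assess(rec: DomainRecord, today: date) -> List[str]:
    """Return the reputation-laundering patterns this snapshot matches."""
    flags = []
    age_days = (today - rec.created).days
    # Warming: a young domain whose rank improves at least 5x within 30 days.
    if len(rec.rank_history) >= 2:
        (d0, r0), (d1, r1) = rec.rank_history[0], rec.rank_history[-1]
        if (d1 - d0).days <= 30 and r0 / max(r1, 1) >= 5 and age_days < 180:
            flags.append("warming")

    # Aging: registered over a year ago, yet its first observed activity is recent.
    if (age_days >= 365 and rec.first_seen_external is not None
            and (today - rec.first_seen_external).days <= 30):
        flags.append("aging")

    # Re-registration: a creation date that moved forward against an older snapshot
    # means the previous registration lapsed and someone registered the name again.
    if rec.previous_created is not None and rec.created > rec.previous_created:
        flags.append("reregistered")
    return flags

# Constructed records, not real intelligence. The warming one reuses the rank jump
# quoted in the article (4,000,000 to 500,000 in two weeks).
TODAY = date(2024, 6, 1)
SAMPLES = [
    DomainRecord("warmed.example", date(2024, 5, 1),
                 [(date(2024, 5, 18), 4_000_000), (date(2024, 6, 1), 500_000)], date(2024, 5, 18)),
    DomainRecord("aged.example", date(2022, 2, 1), [], date(2024, 5, 20)),
    DomainRecord("dropped.example", date(2024, 2, 20), [], date(2013, 1, 1), date(2013, 1, 1)),
    DomainRecord("stable.example", date(2010, 1, 1),
                 [(date(2024, 5, 1), 12_000), (date(2024, 6, 1), 11_500)], date(2010, 6, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.name, assess(rec, TODAY) or ["no flags"])
```

None of these checks asks whether the domain is "known bad"; each compares the domain's history against what a legitimately used domain of that age should look like.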

In an era of manufactured trust, you must assume that reputation badges can be forged. The only thing attackers cannot forge is their intent. That intent always shows up in the network behavior, if you are looking for it.

To see for yourself how Lumu can help you protect your organization from domain reputation abuse, register for a live demo today.
