Domain Age Myth: Why Most Phishing Infrastructure Evades Detection



    Standard security guidance treats newly registered domains as a primary risk signal. The data tells a different story.

    Security teams have spent years building detection around a reasonable-sounding assumption: attackers register domains, then use them quickly. The logic follows that monitoring for newly registered domains containing brand terms should catch threats early, ideally before the first victim clicks. This assumption has shaped how email gateways score incoming messages and how security teams prioritize their monitoring efforts.

    But when we examined domains used in active brand impersonation campaigns, we found the opposite pattern. Only 7% were registered within 30 days. More than 90% were older than 90 days, and 41% had been registered for more than five years. Analysis for our annual threat research revealed an age distribution that traditional detection models simply aren’t built to catch.

    This isn’t a minor calibration issue. It suggests that organizations relying primarily on new-domain detection may be seeing less than 10% of the active attack surface.

    Why attackers moved beyond new domains

    The shift away from newly registered domains reflects adaptation, not accident. Attackers have learned that domain age functions as a trust signal across the security ecosystem, and they’ve developed three distinct approaches to exploit that trust.

    The first is the secondary market. Domain aftermarkets now function as infrastructure suppliers for fraud operations. A domain registered in 2018, parked for years with no malicious history, carries a clean domain reputation that fresh registrations cannot match. These pre-aged domains pass reputation checks that would flag a domain registered yesterday. The economics work because even a modest price premium for an aged domain pays for itself when the alternative is immediate detection and takedown.

    The second approach bypasses registration entirely. Compromised legitimate websites provide attack infrastructure without any domain acquisition at all. When attackers inject credential harvesting pages into a trusted site’s subdirectory, they inherit that site’s age, reputation, and often its TLS certificate, since the phishing page is served under the site’s own hostname. The infrastructure scale of these operations has grown substantially, with some campaigns relying almost exclusively on compromised sites rather than attacker-controlled domains.

    The third is deliberate aging. Sophisticated operations register domains months or years before activation, allowing them to accumulate the history and reputation signals that security tools trust. Some maintain minimal legitimate-looking content during the waiting period. By the time the domain is weaponized, it has aged past every threshold that detection systems use to identify suspicious registrations.

    The signal-to-noise problem in domain monitoring

    Even when security teams do monitor new registrations, the signal-to-noise ratio has become unworkable. Thousands of domains containing brand fragments are registered every day across the global namespace. Some are typosquatting attempts. Others are lookalike domains registered by competitors or resellers. Many are speculative cybersquatting with no immediate malicious intent. Distinguishing genuine threats from noise requires resources most security teams don’t have, which means monitoring new registrations produces either alert fatigue or missed detections.

    Meanwhile, attackers have moved to infrastructure that generates no registration signal at all. Trusted platform abuse, where phishing pages are hosted on legitimate services like cloud providers, collaboration platforms, and content delivery networks, accounts for a growing share of brand impersonation. These attacks inherit the platform’s domain reputation entirely, appearing under domains that have been trusted for a decade or more.

    Rethinking domain-based phishing detection

    Domain age was never a perfect signal, but it was useful when attackers optimized for speed over stealth. That tradeoff has shifted. The infrastructure supporting modern phishing campaigns is designed from the ground up to evade age-based detection, which means security strategies built around that signal are worth reassessing.

    This doesn’t mean abandoning domain monitoring. New registrations still matter, particularly for catching less sophisticated actors and for identifying registration patterns that reveal larger campaigns. But treating new-domain detection as a primary defense, or as a proxy for comprehensive brand protection, leaves most of the attack surface unmonitored.
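    The contrast the article draws, a registration-age threshold versus watching for activation, can be made concrete with a small simulation. The following is an added example, not Allure Security’s detection logic; the brand term, the domain names, the dates and the per-domain observations are all constructed for illustration. It runs the same four constructed timelines through a classic "registered in the last 30 days" rule and through an activation rule that looks for a recent burst of infrastructure changes (nameserver change, certificate issuance) combined with brand-themed content, regardless of how old the registration is.

```python
"""Added example: registration-age rule versus activation rule.

Every domain, date and observation here is constructed for illustration;
none of it is real telemetry. BRAND and TODAY are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

BRAND = "acme"            # assumed brand term being protected
TODAY = date(2025, 6, 1)  # fixed "now" so the example is deterministic


@dataclass(frozen=True)
class Observation:
    day: date
    kind: str     # "registered" | "ns_change" | "cert_issued" | "content"
    detail: str   # registrar, nameserver, cert CN, or observed page title


def d(days_ago: int) -> date:
    """Helper: a date N days before TODAY."""
    return TODAY - timedelta(days=days_ago)


# Constructed timelines, one list of observations per domain.
TIMELINES = {
    # Fresh registration weaponised within days: the case age rules catch.
    "acme-login-verify.example": [
        Observation(d(12), "registered", "registrar-a"),
        Observation(d(11), "cert_issued", "acme-login-verify.example"),
        Observation(d(10), "content", "ACME Sign In - verify your account"),
    ],
    # Seven-year-old domain bought on the aftermarket, activated this week.
    "acme-portal.example": [
        Observation(d(2600), "registered", "registrar-b"),
        Observation(d(2500), "content", "This domain is parked"),
        Observation(d(6), "ns_change", "ns1.bulletproof-host.example"),
        Observation(d(5), "cert_issued", "acme-portal.example"),
        Observation(d(4), "content", "ACME Portal - log in to continue"),
    ],
    # Long-lived, stable site that happens to carry the brand term.
    "acme-fans-blog.example": [
        Observation(d(1100), "registered", "registrar-c"),
        Observation(d(1000), "content", "Unofficial ACME enthusiasts blog"),
    ],
    # New but dormant: the age rule alerts, yet nothing is happening.
    "acme-support.example": [
        Observation(d(20), "registered", "registrar-a"),
        Observation(d(19), "content", "This domain is parked"),
    ],
}


def registration_age_days(obs: list[Observation]) -> int | None:
    """Days since the first 'registered' observation, or None if unknown."""
    reg = [o for o in obs if o.kind == "registered"]
    return (TODAY - reg[0].day).days if reg else None


def flag_by_age(timelines: dict, max_age_days: int = 30) -> set[str]:
    """Classic rule: alert on any brand-bearing domain registered recently."""
    flagged = set()
    for name, obs in timelines.items():
        age = registration_age_days(obs)
        if BRAND in name and age is not None and age <= max_age_days:
            flagged.add(name)
    return flagged


def flag_by_activation(timelines: dict, window_days: int = 14) -> set[str]:
    """Alert on an infrastructure change (nameserver or certificate) plus
    brand-themed content inside the window, ignoring registration age."""
    cutoff = TODAY - timedelta(days=window_days)
    flagged = set()
    for name, obs in timelines.items():
        recent = [o for o in obs if o.day >= cutoff]
        changed = any(o.kind in ("ns_change", "cert_issued") for o in recent)
        themed = any(o.kind == "content" and BRAND in o.detail.lower()
                     for o in recent)
        if changed and themed:
            flagged.add(name)
    return flagged


if __name__ == "__main__":
    print("age rule:       ", sorted(flag_by_age(TIMELINES)))
    print("activation rule:", sorted(flag_by_activation(TIMELINES)))
```

    On these constructed inputs the age rule flags the fresh phishing domain and the dormant new registration (a false positive), while missing the seven-year-old aftermarket domain entirely. The activation rule flags both weaponised domains and ignores the two that are not doing anything, which is the point of watching for activation signals such as nameserver changes and certificate issuance rather than the registration date alone. In production the observations would come from WHOIS or RDAP, passive DNS, and certificate transparency logs; the example embeds them inline only so it runs offline.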

    The Bottom Line

    Effective detection requires visibility into the full spectrum of infrastructure attackers actually use: aged domains acquired through secondary markets, compromised legitimate sites, trusted platforms hosting malicious content, and the registration patterns that precede activation rather than just the activation itself. The 7% of attacks that new-domain monitoring catches are worth catching. Understanding where the other 93% originates is what separates comprehensive phishing detection from partial coverage.

    Key Takeaways

    What does the data show about domain age in phishing attacks?

    Only 7% of attack domains were registered within 30 days. More than 90% were older than 90 days, and 41% had been registered for more than five years. New-domain detection sees a small fraction of the active threat landscape.

    Why have attackers moved away from fresh domains?

    Domain age functions as a trust signal across security tools. Attackers exploit this through secondary market purchases of pre-aged domains, compromising legitimate websites, and deliberately aging domains before use.

    What role do compromised legitimate sites play?

    Compromised sites provide attack infrastructure without any domain registration. Attackers inherit the site’s age, reputation, and TLS certificate, bypassing age-based and reputation-based detection entirely.

    Does this mean new-domain monitoring is useless?

    No. New registrations still catch less sophisticated actors and can reveal campaign patterns. But treating it as a primary defense leaves most of the attack surface unmonitored.

    What should detection strategy look like instead?

    Effective detection requires visibility across aged domains, compromised sites, trusted platform abuse, and pre-activation registration patterns. Domain age is one signal among many, not a foundation.
