
The Latest DNS Threat Landscape: Why CISOs Must Rethink Blocking Strategies

Cybercriminals live by the tenet “If it ain’t broke, don’t fix it.” They’ll use the same tactics repeatedly until they no longer work, then switch things up. That’s why CISOs and their security teams maintain constant vigilance.

Underscoring this, recent analysis of global DNS activity found that new domains continue to be a major tactic for bad actors. In fact, it was the top threat type by query volume during the second quarter of 2025, with malware and phishing closely following.

The modern threat mix: What’s gaining ground

Throughout the quarter, almost 4% of total DNS traffic was blocked, breaking Q1’s record. This doesn’t mean that all blocked traffic is malicious, though. End-users block sites at their own discretion, and this may happen not just for cybersecurity reasons but also to prevent access to inappropriate or time-wasting sites.

The data revealed nearly 12% quarter-over-quarter growth in phishing traffic. Among the threats seen on the DNSFilter network, phishing accounted for double the share in Q2 that it did in Q1. This is likely related to the wider use of Phishing-as-a-Service (PhaaS) kits, such as Tycoon 2FA, by threat actors.

However, compared to individual malware or phishing domains, new domains represented a larger share of the pie, even as traffic for malware and phishing increased. A layered defense approach can be useful in blocking new domains, allowing security professionals to identify and flag threat indicators as malware, phishing, or other malicious categories. Blocking new domains can safeguard your organization from zero-day and other emerging threats, as attackers often use new domains in malware and phishing campaigns. It’s worth noting that newly registered malware and phishing domains may belong to two categories, such as “new domains” and “malware.”

Although the new domains category has a higher raw query count than either malware or phishing did in Q1, it’s worth noting that traffic for the latter continues to grow, while traffic for new domains fluctuates.

TLD trends: What domain names are being weaponized

Each quarter, cybercriminals change the top-level domains (TLDs) they use for their campaigns. They tend to pick TLDs and registries that are free or low-cost so that they can leave some domains and quickly register new ones without worrying about losing much money.

Using Country Code Top Level Domains (ccTLDs) is a common tactic. In Q2, the domains most likely to be blocked were .pw (Palau), .fr (France), .eu (European Union), .de (Germany), and .ru (Russia). These domains aren’t automatically malicious; they just happen to be the ones that the members of DNSFilter’s network are most likely to block. Blocking patterns reflect administrator priorities, not necessarily inherent malice.

However, some are intended for nefarious purposes. The most malicious ccTLDs in Q2 came from small, under-resourced domain registries: .fo (Faroe Islands), .li (Liechtenstein), .gd (Grenada), .yt (Mayotte) and .wf (Wallis and Futuna Islands).

This is a standard tactic: bad actors use inexpensive or unfamiliar TLDs that can turn over quickly and that allow them to remain anonymous. What’s common to Q2’s most malicious ccTLDs is that they originate in small countries, territories or islands whose domain registries are likely less strict. And some of these domains are attractive because they resemble popular English brands or words.

What admins are actually blocking - and why

The most-blocked domain categories in Q2 were:

  • Advertising and trackers (these carry malvertising and could cause data leaks)
  • Social networking and media sharing (for phishing risk and bandwidth)
  • Information Technology (to mitigate Shadow IT)

This list reveals IT priorities: security, productivity and network control. Blocking reflects both risk mitigation and resource management.

Defensive posture: Practical takeaways

This information points to the need for an informed, multi-faceted approach to defeating threats:

  • Block new domains proactively to reduce zero-day exposure
  • Prioritize domain-based filtering as phishing and malware increasingly leverage DNS vectors
  • Monitor and adapt TLD blocking strategies as threat actors shift tactics
  • Educate employees about emerging evasion techniques such as PhaaS kits, which now include built-in MFA bypass tools (Tycoon 2FA, for example) that intercept authentication tokens in real time

Layered, adaptive defenses are essential to protect users wherever they work. This means:

  • Blocking suspicious or high-risk domains at the DNS layer, even before full threat classification is complete
  • Blocking new domains, even before they are explicitly classified as malicious, as a key defensive posture
  • Using content filtering and threat intel enrichment to evaluate risk contextually
  • Applying role- and location-based policies, so protections follow the user, not just the device
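To illustrate the layered approach described in the two lists above, here is an added example (not DNSFilter's code or any part of the original post) that applies three checks to resolver query-log lines: a threat-category feed, a domain-age check that flags new domains, and the high-risk ccTLD list from the TLD section. The feed entries, registration dates, 30-day age window, log lines and "current" date are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed inputs: the ccTLDs are the five the post names as Q2's most malicious; feed entries, dates and log lines are made up.
HIGH_RISK_TLDS = {"fo", "li", "gd", "yt", "wf"}
NEW_DOMAIN_DAYS = 30  # hypothetical age window that defines a "new domain"
TODAY = date(2025, 6, 30)  # constructed "current" date for the example
CATEGORY_FEED = {
    "login-secure-example.fo": {"phishing"},
    "cdn-update.example.com": {"malware"},
    "corp-intranet.example.net": set(),
}
REGISTRATION_DATE = {  # as a WHOIS/RDAP lookup would return them (constructed)
    "login-secure-example.fo": date(2025, 6, 20),
    "cdn-update.example.com": date(2024, 1, 5),
    "corp-intranet.example.net": date(2019, 3, 14),
    "brand-new-store.wf": date(2025, 6, 28),
}
SAMPLE_LOG = [  # constructed resolver query log: timestamp client qname
    "2025-06-30T09:00:01Z 10.0.0.5 login-secure-example.fo.",
    "2025-06-30T09:00:02Z 10.0.0.7 cdn-update.example.com.",
    "2025-06-30T09:00:03Z 10.0.0.9 corp-intranet.example.net.",
    "2025-06-30T09:00:04Z 10.0.0.5 brand-new-store.wf.",
]

@dataclass
class Verdict:
    domain: str
    action: str                                   # "block" or "allow"
    categories: set = field(default_factory=set)  # every category that applied

def classify(domain: str, today: date) -> Verdict:
    """Layered policy: tag the domain with every category that matches, so a
    freshly registered phishing site is both 'new domain' and 'phishing'."""
    cats = set(CATEGORY_FEED.get(domain, set()))
    registered = REGISTRATION_DATE.get(domain)
    # Policy assumption: a domain with no known registration date is treated
    # as new, i.e. blocked before its classification is complete.
    if registered is None or today - registered <= timedelta(days=NEW_DOMAIN_DAYS):
        cats.add("new domain")
    if domain.rsplit(".", 1)[-1] in HIGH_RISK_TLDS:
        cats.add("high-risk tld")
    return Verdict(domain, "block" if cats else "allow", cats)

def evaluate_log(lines: list, today: date) -> list:
    """Return one Verdict per query-log line (the qname is the third field)."""
    return [classify(ln.split()[2].rstrip(".").lower(), today) for ln in lines if ln.strip()]

if __name__ == "__main__":
    for v in evaluate_log(SAMPLE_LOG, TODAY):
        print(f"{v.action:5} {v.domain:28} {sorted(v.categories)}")
```

Because every matching category is recorded rather than only the first, the verdict log shows which layer caught a domain, which is what lets a team tune the age window or TLD list without losing visibility into the feed-based blocks.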

The increase in threats from new domains and the rise in phishing and malware are not coincidences; they’re connected. As long as new domains are easy to register, difficult to investigate and necessary for current attack delivery, they will be at the center of DNS-based threats.

The art of paying attention

What the data from the report on Q2 activity reveals is that threat growth is structural, not seasonal. These threats are baked into the evolving fabric of the internet and attacker ecosystems, not just the result of a quarterly blip or a few bad actors ramping up temporarily.

The variation and volume of threats seen in Q2 highlight the need for defenders to match the agility of their attackers. Policy controls must be aligned with emerging attacker behaviors. New domains keep driving threat traffic, and blocking them is still a defensive pillar against the risk of emerging domains that can be weaponized quickly. The way cybercriminals currently launch and sustain attacks is another example of why unfiltered access to the internet is a huge risk. For the sake of our security, no one—no matter your role—needs access to the entire internet.

By TK Keanini, CTO at DNSFilter
