Cofense reports a significant increase in malicious activities using Spain’s .es top-level domain for phishing attacks, with a 19-fold surge from Q4 2024 to Q1 2025.
Threat actors are utilizing .es domains to host second-stage phishing pages, primarily impersonating Microsoft services like Outlook alongside other companies like Adobe, Google, and Docusign.
About 99% of the identified malicious .es domains are hosted on Cloudflare's infrastructure, potentially raising concerns about the ease of deploying malicious content using modern tools.
Cofense advises organizations to enhance their detection strategies, focusing on subdomain monitoring and brand spoofing detection, as domain abuse patterns serve as early warning signs for evolving threat activities.