98% Spike in Phishing Campaigns Leveraging Russian (.ru) Domains



A KnowBe4 Threat Lab publication
Authors: Martin Kraemer, Jeewan Singh Jalal, Anand Bodke, and James Dyer

EXECUTIVE SUMMARY: We observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting.

These Russian .ru domains are run by so-called “bullet-proof” hosting providers, which are known to keep malicious domains running and to ignore abuse reports, making them ideal for cybercriminals.

Many of the phishing emails that we identified and investigated had passed through one or more security products including Exchange Online Protection, Barracuda Email Security Gateway, Mimecast and Cisco Ironport.

KEY FINDINGS 

  • 98% increase in phishing sites using .ru TLDs from December 2024 to January 2025
  • 1,500 unique .ru domains identified as part of the campaign
  • 377 new domains registered with “bulletproof” registrar R01-RU
  • More than 13,000 malicious emails using these domains were reported
  • 2.2% of observed emails from .ru domains were phishing emails 
  • 7.4 days average age of a .ru domain

.ru Phishing Attack Example:

The main goal of the attackers appears to be credential harvesting, as they use QR codes, auto-redirects and multi-level embedded attachments to direct potential victims to phishing websites.

In the example below, the attacker leverages social engineering tactics, such as suggesting that the email is from Accounting and concerns remittance details, to entice the recipient to click on the link within the attachment. Embedding the malicious link within the attachment makes it harder for legacy technologies (such as SEGs that rely heavily on signature-based detection) to identify the malicious link.

Screenshot of phishing email that includes a malicious link embedded within an attachment 

If the recipient clicks the link, they are directed to a spoofed Microsoft landing page used for credential harvesting. The URL shows that the page is hosted on a Russian TLD, which is explained in further detail below.

Screenshot of a credential harvesting page hosted on a .ru domain

We observed the increased use of .ru domains across multiple industries, with attackers mainly targeting these five: Business and Economy (36.09%), Financial Services (12.44%), News & Media (8.27%), Health and Medicine (5.6%), and Government (4.51%). We expect this trend to continue through Q1 2025, with possible escalation in both the sophistication and the volume of attacks.

“BULLET-PROOF” HOSTING ON RUSSIAN DOMAINS

In this campaign, cybercriminals have used “bullet-proof” hosting providers – a term used to describe services that deliberately ignore abuse reports, operate in jurisdictions with little-to-no international law enforcement cooperation, and provide a high level of anonymity to users. Cybercrime laws are typically weak, enforcement is lacking, or political barriers prevent takedown operations in these regions. This allows attackers to execute large-scale campaigns with minimal risk.

A notable trend we have recently observed is the shift to Russia-based top-level domains (.ru, .su, .рф), which offer these qualities. Many Russian domain registrars have lax registration policies, allowing attackers to use fake identities or proxy registration services to hide ownership details. The domains are often used in combination with fast-flux DNS techniques, which evade blocklist-based detection by changing IP addresses frequently.

These emails have successfully evaded detection by native and legacy email security tools using various techniques, including:

  • Embedding redirect links that exploit the reputation of legitimate websites
  • Using QR codes within attachments to bypass secure email gateways (SEGs)
  • Employing multi-layered HTML attachments with embedded redirects
  • Leveraging polymorphic URLs, which are difficult for rule-based systems to detect
  • Utilizing dynamically generated URLs that constantly change, making detection even more challenging

MITIGATION RECOMMENDATIONS:

Organizational Measures:

  • Increase user awareness about .ru domain-based phishing through personalized training for highly targeted users (identified via threat trends and risk scores). 
  • Leverage intelligent anti-phishing technology that is able to detect advanced threats.
  • Review and update incident response procedures.
  • Implement additional verification for high-risk transactions.

Manual Security Policies:

  • Consider blocking all .ru TLD access unless business-critical
  • Implement strict DMARC/SPF/DKIM policies
  • Enhance monitoring of .ru domain interactions
  • Implement enhanced email filtering for .ru domains
  • Update blocklists to include newly identified malicious domains
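As an added example, not code from the KnowBe4 post, the Python routine below applies the filtering and blocklist policies listed above to a raw message: it pulls URLs out of every text part (HTML attachments included, since that is where the lure in the example above lives), flags hosts under .ru, .su and .рф (which appears on the wire as the punycode label xn--p1ai) unless they are on a business-critical allowlist, and reads the spf/dkim/dmarc verdicts that the receiving gateway records in the Authentication-Results header so a strict DMARC policy can be enforced at triage time. The sample message, the allowlist entry and every domain in it are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# TLDs treated as high-risk under this policy (the post names .ru, .su and .рф).
# A .рф hostname travels on the wire as the punycode label xn--p1ai, so both are listed.
HIGH_RISK_TLDS = {"ru", "su", "рф", "xn--p1ai"}

# Hypothetical allowlist of business-critical .ru hosts (constructed for this example).
ALLOWLIST = {"partner.example.ru"}

# Loose URL matcher, enough to pull links out of plain-text and HTML parts.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")

# spf=/dkim=/dmarc= verdicts as written into an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def extract_urls(msg):
    """Collect URLs from every text/* part; attachments included, since HTML lures are text/html."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for match in URL_RE.finditer(part.get_content()):
            urls.add(match.group(0).rstrip(".,;)"))
    return urls


def hostname_of(url):
    """Lower-cased hostname of a URL, tolerating bare 'www.' links without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def is_high_risk_host(host):
    """True for a high-risk TLD that is not explicitly allowlisted."""
    if host in ALLOWLIST:
        return False
    return host.rsplit(".", 1)[-1] in HIGH_RISK_TLDS


def auth_results(msg):
    """Map spf/dkim/dmarc to the verdict recorded by the receiving gateway (empty if none)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            results[mechanism.lower()] = verdict.lower()
    return results


def triage(raw_message):
    """Risky URLs, authentication verdicts and a quarantine decision for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    risky = sorted(u for u in extract_urls(msg) if is_high_risk_host(hostname_of(u)))
    auth = auth_results(msg)
    return {
        "risky_urls": risky,
        "auth": auth,
        # Strict DMARC policy: a failing DMARC verdict is enough on its own.
        "quarantine": bool(risky) or auth.get("dmarc") == "fail",
    }


# Constructed sample: remittance lure whose links sit inside an HTML attachment.
SAMPLE_EMAIL = """\
From: Accounting <accounts@vendor-invoices.example>
To: finance@corp.example
Subject: Remittance details
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=vendor-invoices.example; dkim=none; dmarc=fail header.from=vendor-invoices.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached remittance details.
Portal: https://partner.example.ru/invoice/123

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="remittance.html"

<html><body>
<p>Open your document: <a href="https://mail-secure.example.ru/auth">View remittance</a></p>
<p>Mirror: http://xn--e1afmkfd.xn--p1ai/login</p>
<p><a href="https://www.microsoft.com/">Microsoft</a></p>
</body></html>

--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The allowlisted portal link is left alone while the two attachment links are reported, and the failing DMARC verdict would quarantine the message even if no link had matched; in production the allowlist and the TLD set would be loaded from configuration rather than hard-coded.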

Technology Requirements: 

  • Contextual analysis (the example above has a blank body with an attachment and originates from an external domain, so it can be flagged as suspicious)
  • Linguistic analysis of attacks containing text to detect linguistic identifiers of phishing.
  • Time-of-click analysis of links to catch post-delivery weaponization.
  • Metadata inspection: identifying when the sender email address does not match the display name
  • Holistically "putting all this together" to identify an advanced phishing email
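As an added example, not code from the KnowBe4 post, the Python checks below implement the contextual and metadata signals from this list and combine them into a single verdict: an external sender, an empty visible body, an attachment carrying the only content, and a display name that embeds an e-mail address different from the real From address. The internal domain, the two sample messages and every address in them are constructed placeholders.

```python
import email
import re
from email import policy

# Domains that count as internal for the external-sender check (constructed for this example).
INTERNAL_DOMAINS = {"corp.example"}

# An address-looking token hiding inside a display name, e.g. 'Accounting <accounting@corp.example>'.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TAG_RE = re.compile(r"<[^>]+>")


def sender(msg):
    """(display_name, addr_spec, domain) of the first From address; address parts lower-cased."""
    header = msg["From"]
    addresses = header.addresses if header else ()
    if not addresses:
        return "", "", ""
    first = addresses[0]
    return first.display_name, first.addr_spec.lower(), first.domain.lower()


def is_external(msg):
    """Sender domain is not one of ours."""
    return sender(msg)[2] not in INTERNAL_DOMAINS


def display_name_mismatch(msg):
    """Display name carries an e-mail address that is not the real sending address."""
    name, addr, _ = sender(msg)
    found = ADDR_IN_NAME.search(name)
    return bool(found) and found.group(0).lower() != addr


def body_text(msg):
    """Visible body text: get_body skips attachments, and HTML tags are stripped."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    if body.get_content_subtype() == "html":
        text = TAG_RE.sub(" ", text)
    return text.strip()


def has_attachment(msg):
    return any(part.is_attachment() for part in msg.walk())


def assess(raw_message):
    """Put the signals together: return the list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if is_external(msg) and has_attachment(msg) and body_text(msg) == "":
        findings.append("external_blank_body_with_attachment")
    if display_name_mismatch(msg):
        findings.append("display_name_address_mismatch")
    return findings


# Constructed sample 1: external sender, spoofed internal address in the display name,
# empty body, and the lure carried entirely inside an HTML attachment.
SUSPICIOUS = """\
From: "Accounting <accounting@corp.example>" <a1b2c3@free-mail.example>
To: finance@corp.example
Subject: Remittance details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

--b2
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="remittance.html"

<html><body><a href="https://mail-secure.example.ru/auth">View remittance</a></body></html>
--b2--
"""

# Constructed sample 2: ordinary internal mail with a real body and no attachment.
BENIGN = """\
From: Jane Doe <jane.doe@corp.example>
To: finance@corp.example
Subject: Q1 numbers

Hi team, the Q1 numbers are in the shared folder.
"""

if __name__ == "__main__":
    print(assess(SUSPICIOUS), assess(BENIGN))
```

Each signal on its own is weak (plenty of legitimate vendor mail arrives from outside with an attachment), which is why assess only raises the blank-body finding when the external-sender and attachment conditions hold together; the findings list is what a downstream rule or analyst would weigh alongside the URL and authentication checks.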

About the Threat Lab
KnowBe4 Threat Labs specializes in researching and mitigating email threats and phishing attacks, utilizing a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.

By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.

