
A recent Cofense Intelligence report has uncovered a troubling trend: threat actors are increasingly abusing .gov top-level domains (TLDs) for phishing campaigns. Over the past two years (November 2022 – November 2024), attackers have exploited vulnerabilities in government websites across multiple countries to host malicious content, serve as command-and-control (C2) servers, and redirect users to credential phishing sites.
While .gov domains are often trusted by default, this trust is now being weaponized. According to the report, attackers are taking advantage of open redirect vulnerabilities, particularly through CVE-2024-25608, which affects the Liferay digital experience platform. Exploiting these flaws allows threat actors to bypass secure email gateways (SEGs) and trick victims into clicking malicious links.
One of the primary methods used by attackers is open redirect abuse. MITRE defines an open redirect as a vulnerability where a web application accepts user-controlled input to specify an external site and then redirects users to it. The Cofense report states: “Threat actors regularly take advantage of open redirects such as Google AMP and TikTok to bypass secure email gateways (SEGs), and .gov domains are similarly abused.”
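To make the MITRE definition concrete, here is an added example (not code from the Cofense report or from any of the products it names) that places the classic open-redirect handler beside a hardened one. The host name `portal.example.gov` and the parameter handling are assumptions for illustration; the page names no specific site. The hardened version resolves the user-supplied value against the site's own origin and only ever emits a path-relative target, so scheme-relative (`//host`), backslash and credential-in-authority tricks all collapse to the fallback.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical trusted origin for the example; the report names no site.
TRUSTED_HOST = "portal.example.gov"


def vulnerable_redirect_target(request_param: str) -> str:
    """The pattern MITRE describes as an open redirect: the user-controlled
    parameter is copied straight into the Location header, so any absolute
    URL the sender chose is where the browser ends up."""
    return request_param


def safe_redirect_target(request_param: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Hardened handler: honour only same-origin targets and return them as a
    path-relative URL, so the scheme and host can never be attacker-chosen."""
    fallback = "/"
    if not request_param:
        return fallback
    # Browsers treat '\' like '/' in special schemes, so '/\evil.example'
    # would otherwise resolve to an authority; normalise before parsing.
    candidate = request_param.replace("\\", "/")
    # Resolving against the trusted origin makes scheme-relative and absolute
    # inputs both surface a netloc we can compare against the allowlist.
    resolved = urlparse(urljoin(f"https://{trusted_host}/", candidate))
    if resolved.scheme != "https" or resolved.netloc.lower() != trusted_host:
        return fallback
    path = resolved.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    # Constructed inputs; the phishing host is a reserved .test name.
    samples = [
        "/dashboard",
        "https://portal.example.gov/reports?year=2024",
        "https://evil.example.test/login",
        "//evil.example.test/login",
        "/\\evil.example.test/login",
        "https://portal.example.gov@evil.example.test/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} vulnerable -> {vulnerable_redirect_target(s)!r:40} "
              f"hardened -> {safe_redirect_target(s)!r}")
```

The usage block at the bottom prints each input next to what the two handlers would put in the Location header; only the first two inputs survive the hardened check.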
Threat actors embed .gov URLs in phishing emails, leveraging the trust in government domains to trick users into clicking links. The emails often lead to credential phishing pages disguised as Microsoft login portals.
“The campaigns abusing United States-based .gov domains for open redirects were all Microsoft-themed with the credential phishing page typically including Microsoft logos and indicators.”
Although .gov domains linked to the United States accounted for only 9% of the abused domains, they were still the third-most exploited worldwide. Every instance of U.S. government domain abuse in the observed campaigns involved open redirects. The report notes: “Over 77% of the open redirects used made use of ‘noSuchEntryRedirect,’ making it likely that the United States-based government websites also fell prey to CVE-2024-25608.”
Globally, Brazil was the most targeted country, with its .gov.br domains making up more than the next three highest-ranking countries combined. However, the report suggests that this could be due to a few highly targeted domains being reused multiple times, rather than widespread exploitation of all Brazilian government websites.
The ability of .gov domains to bypass SEGs is particularly alarming. Major email security solutions—including Microsoft ATP, Proofpoint, Cisco IronPort, Symantec MessageLabs, and Mimecast—failed to filter out phishing emails exploiting government open redirects. “This is a good indicator of how successful .gov domains are at bypassing SEGs.”
Attackers frequently craft phishing emails with subjects related to document signing or other legitimate-sounding business requests. Since many users inherently trust government websites, they often do not scrutinize the full URL, making them easy targets for redirection-based phishing.
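Since a user is unlikely to read past the trusted host name, the check has to happen in tooling. The following added example (not from the Cofense report or any SEG vendor) is a small triage routine for URLs extracted from inbound mail: it keeps only links whose host sits under a `.gov` or `gov.`-second-level domain and flags any query parameter whose value would send the browser to a different host. `noSuchEntryRedirect` is the parameter name the report associates with the abused sites; the other parameter names, the sample URLs and the `.test` phishing hosts are constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Parameter names worth highlighting. 'noSuchEntryRedirect' comes from the
# report; the rest are common redirect parameter names assumed here.
KNOWN_REDIRECT_PARAMS = {
    "noSuchEntryRedirect", "redirect", "redirect_uri", "url",
    "next", "return", "returnUrl", "goto",
}


def is_gov_host(host: str) -> bool:
    """True for hosts under .gov or a country 'gov.' second-level label
    (agency.gov.br, department.gov.uk). 'gov.evil.test' does not match."""
    labels = host.lower().split(".")
    return labels[-1] == "gov" or (len(labels) >= 2 and labels[-2] == "gov")


def target_host(value: str):
    """Host a redirect-parameter value would send the browser to, or None
    when the value is a relative path. Handles one extra layer of URL
    encoding, scheme-relative '//host' and backslash-as-slash."""
    v = unquote(value).replace("\\", "/")
    if v.startswith("//"):
        v = "https:" + v
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def triage(urls):
    """Return one finding per (.gov URL, parameter) pair whose value points
    off-host. Relative redirect targets are not reported."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not is_gov_host(host):
            continue
        for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
            for value in values:
                target = target_host(value)
                if target and target != host:
                    findings.append({
                        "url": url,
                        "gov_host": host,
                        "param": name,
                        "redirect_to": target,
                        "known_redirect_param": name in KNOWN_REDIRECT_PARAMS,
                    })
    return findings


# Constructed sample links, as they might be pulled out of an email body.
SAMPLE_URLS = [
    "https://portal.example.gov/home?noSuchEntryRedirect=https%3A%2F%2Flogin.example-phish.test%2Fauth",
    "https://agency.example.gov.br/login?redirect=//docs.example-phish.test/sign",
    "https://portal.example.gov/services?noSuchEntryRedirect=/portal/home",
    "https://www.example.com/track?url=https://login.example-phish.test/auth",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_URLS):
        print(f"{f['gov_host']} -> {f['redirect_to']} via {f['param']}"
              f"{' (known redirect parameter)' if f['known_redirect_param'] else ''}")
```

Run stand-alone, the script reports the first two sample links; the third is a same-site redirect and the fourth is outside the `.gov` scope this routine covers. A mail pipeline would typically quarantine or rewrite flagged links rather than just print them.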
While most .gov domain abuses involved phishing, Cofense Intelligence also discovered instances where government email addresses were compromised and used as C2 servers for malware operations. In mid-2023 and early 2024, cybercriminals leveraged compromised government emails to act as C2s for Agent Tesla Keylogger and StormKitty malware.
The report notes that only two government email addresses were found to be exploited in this manner, suggesting that email security across government sectors is relatively strong—but still not immune to attacks.