Domain Age as a Risk Indicator: Why "New" Often Means "Danger"
Jean-Vincent QUILICHINI
If you walked into a bank that opened yesterday, would you deposit your life savings? Probably not. You trust institutions with a history. The same logic applies to the internet, yet many security systems treat a domain registered 5 minutes ago with the same trust as one registered 15 years ago.
Domain Age is one of the most powerful, yet underutilized, signals in threat intelligence. Here’s why threat actors love "fresh" domains and how you can stop them.
The "Burner" Domain Strategy
Cybercriminals operate on a churn-and-burn model. They register thousands of domains for:
- Phishing campaigns: Mimicking legitimate brands (e.g., support-google-auth-update.com).
- Command & Control (C2): Hosting malware callbacks.
- Spam: Sending millions of emails before the domain gets blacklisted.
Once a domain is flagged, they discard it and move on to the next one. The result is that a domain less than 30 days old has a markedly higher base rate of being malicious than an established one, and that base rate is exactly what makes registration age useful as a signal.
The "Baby Domain" Policy
Many mature security organizations implement a Newly Registered Domain (NRD) policy. "Age" here means time since the creation date returned by WHOIS/RDAP (or the first-seen date from passive DNS when registration data is redacted); a missing date should be treated as unknown, not as old. A typical policy involves:
- Blocking: Automatically blocking access to any domain registered in the last 24-72 hours.
- Flagging: Treating traffic to domains < 30 days old as "suspicious" and subjecting it to deeper inspection.
- Quarantine: Routing emails from NRDs to a sandbox or spam folder automatically.
False Positives vs. Risk Reduction
Critics argue that blocking new domains hurts legitimate businesses launching new products or rebranding. That is true, but the malicious-to-legitimate ratio among NRDs is heavily skewed toward malice, so the risk reduction usually outweighs the cost of a short hold on traffic to brand-new domains.
The solution is context. Don't just block based on age. Combine age with:
- Entropy: Does the registrable label look like random characters, as DGA and throwaway phishing domains often do?
- Registrar: Was it registered through a cheap or free registrar with a history of abuse?
- Hosting: Does it resolve to a bulletproof hosting provider or an ASN with a poor reputation?
How isMalicious Helps
isMalicious enriches domain data with registration dates and reputation scores. This allows you to build granular policies. For example: "Block if Age < 7 days AND Threat Score > 50."
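The NRD tiers above (block inside 72 hours, flag under 30 days), the context signals (entropy, registrar, hosting) and the combined rule just quoted can be expressed as a single policy function. The Python below is an added example, not isMalicious's code or API: the record layout (`domain`, `created`, `registrar`, `asn`, `threat_score`), the watchlist contents, the thresholds and the sample records are all assumptions constructed for illustration, and timestamps are evaluated against a fixed clock so the output is reproducible.

```python
"""Age-aware domain policy: added example, not isMalicious's code.

Record fields, watchlists, thresholds and sample data are assumptions
constructed for illustration; feed it your own WHOIS/RDAP and intel data."""
from __future__ import annotations

import math
import re
from collections import Counter
from datetime import datetime, timezone

# Policy knobs (assumed values; tune to your own false-positive tolerance).
BLOCK_WINDOW_DAYS = 3    # hard block: registered within the last 72h
NRD_WINDOW_DAYS = 30     # "newly registered": flag and inspect more deeply
SCORE_WINDOW_DAYS = 7    # the combined rule: age < 7 days AND score > 50
SCORE_THRESHOLD = 50

# Placeholder watchlists; populate from your own intel. ASNs 64496-64511
# are reserved for documentation, so neither value here is a real network.
RISKY_REGISTRARS = {"cheap-registrar-example"}
BULLETPROOF_ASNS = {"AS64496"}


def domain_age_days(created: str | None, now: datetime) -> int | None:
    """Whole days since the WHOIS/RDAP creation timestamp (ISO 8601).

    Returns None when the date is missing or redacted so the caller can
    treat 'unknown age' as its own state instead of silently as 'old'."""
    if not created:
        return None
    ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return max((now - ts).days, 0)


def registrable_label(domain: str) -> str:
    """Second-level label. Assumes a single-label public suffix (.com);
    use a public-suffix list for co.uk-style TLDs in production."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label: str) -> bool:
    """Random-looking label test for the 'entropy' signal.

    Raw Shannon entropy grows with length, so a long brand-squatting name
    can out-score a short DGA name. Normalise by the maximum entropy for
    the label's length and also require a lexical cue (digits mixed in or
    a long consonant run). Thresholds are assumptions."""
    chars = label.replace("-", "")
    if len(chars) < 8:
        return False
    n = len(chars)
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(chars).values())
    normalised = entropy / math.log2(n)
    digits = sum(c.isdigit() for c in chars)
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", chars)), default=0)
    return normalised >= 0.9 and (digits >= 2 or longest_run >= 4)


def classify(record: dict, now: datetime) -> tuple[str, list[str]]:
    """Return (verdict, reasons) with verdict in {'block', 'flag', 'allow'}."""
    age = domain_age_days(record.get("created"), now)
    if age is None:
        return "flag", ["creation date unavailable"]
    if age < BLOCK_WINDOW_DAYS:
        return "block", [f"registered {age}d ago, inside the {BLOCK_WINDOW_DAYS}d block window"]
    score = record.get("threat_score", 0)
    if age < SCORE_WINDOW_DAYS and score > SCORE_THRESHOLD:
        return "block", [f"age {age}d < {SCORE_WINDOW_DAYS}d and threat score {score} > {SCORE_THRESHOLD}"]
    # Context signals: alone they only annotate; combined with youth they escalate.
    reasons = []
    if looks_random(registrable_label(record["domain"])):
        reasons.append("random-looking label")
    if record.get("registrar") in RISKY_REGISTRARS:
        reasons.append("high-abuse registrar")
    if record.get("asn") in BULLETPROOF_ASNS:
        reasons.append("bulletproof hosting ASN")
    if age < NRD_WINDOW_DAYS:
        reasons.insert(0, f"newly registered ({age}d)")
        # Youth plus at least two corroborating signals is enough to block outright.
        return ("block" if len(reasons) >= 3 else "flag"), reasons
    return "allow", reasons


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility
SAMPLE_RECORDS = [  # constructed enrichment records, not real lookups
    {"domain": "support-google-auth-update.com", "created": "2025-01-14T09:12:00Z",
     "registrar": "mainstream-registrar-example", "asn": "AS64500", "threat_score": 0},
    {"domain": "xq7h3kd9vplz.net", "created": "2025-01-10T00:00:00Z",
     "registrar": "mainstream-registrar-example", "asn": "AS64500", "threat_score": 72},
    {"domain": "kq9d2mzx8tvw.info", "created": "2024-12-25T00:00:00Z",
     "registrar": "cheap-registrar-example", "asn": "AS64496", "threat_score": 10},
    {"domain": "newproduct-launch.com", "created": "2025-01-03T00:00:00Z",
     "registrar": "mainstream-registrar-example", "asn": "AS64500", "threat_score": 5},
    {"domain": "example.com", "created": "2010-06-01T00:00:00Z",
     "registrar": "mainstream-registrar-example", "asn": "AS64500", "threat_score": 0},
    {"domain": "redacted-whois.org", "created": None,
     "registrar": "mainstream-registrar-example", "asn": "AS64500", "threat_score": 0},
]


def run_policy(records=SAMPLE_RECORDS, now=NOW) -> dict[str, str]:
    """Verdict per domain, for use from code or tests."""
    return {r["domain"]: classify(r, now)[0] for r in records}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, reasons = classify(rec, NOW)
        print(f"{verdict:5}  {rec['domain']:32}  {'; '.join(reasons) or '-'}")
```

Two design choices matter here. First, an unknown creation date yields "flag", never "allow": a redacted WHOIS record proves nothing about age, and treating it as old would hand attackers a bypass. Second, the context signals only escalate when the domain is also young; a decade-old domain on a cheap registrar is logged, not blocked, which is what keeps the false-positive rate tolerable.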
Conclusion
In the race against cyber threats, time is a critical dimension. By factoring domain age into your security logic, you cut off a massive avenue of attack before it even begins. Treat new domains with skepticism until they earn their trust.