Domain Age as a Risk Indicator: Why "New" Often Means "Danger"

Jean-Vincent QUILICHINI

If you walked into a bank that opened yesterday, would you deposit your life savings? Probably not. You trust institutions with a history. The same logic applies to the internet, yet many security systems treat a domain registered 5 minutes ago with the same trust as one registered 15 years ago.

Domain Age is one of the most powerful, yet underutilized, signals in threat intelligence. Here’s why threat actors love "fresh" domains and how you can stop them.

The "Burner" Domain Strategy

Cybercriminals operate on a churn-and-burn model. They register thousands of domains for:

  • Phishing campaigns: Mimicking legitimate brands (e.g., support-google-auth-update.com).
  • Command & Control (C2): Hosting malware callbacks.
  • Spam: Sending millions of emails before the domain gets blacklisted.

Once a domain is flagged, they discard it and move to the next one. This means that a domain that is less than 30 days old has a statistically higher probability of being malicious than an established one.

The "Baby Domain" Policy

Many mature security organizations implement a Newly Registered Domain (NRD) policy. This involves:

  1. Blocking: Automatically blocking access to any domain registered in the last 24-72 hours.
  2. Flagging: Treating traffic to domains < 30 days old as "suspicious" and subjecting it to deeper inspection.
  3. Quarantine: Routing emails from NRDs to a sandbox or spam folder automatically.
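The three tiers above, as an added example that is not part of the original post: it takes a WHOIS/RDAP creation date, computes the domain's age against a fixed clock, and returns block / inspect / quarantine / allow. The 72-hour and 30-day windows, the sample lookups and the two channels ("web" for a proxy or resolver, "email" for a mail gateway) are assumptions made for the example. Two edge cases a production policy must handle are built in: a missing creation date is treated as unknown rather than old, and a creation date in the future (clock skew or a bogus record) is clamped to "brand new".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Policy windows taken from the three tiers above; both are assumptions to tune.
BLOCK_WINDOW = timedelta(hours=72)   # tier 1: block outright
NRD_WINDOW = timedelta(days=30)      # tier 2/3: inspect (web) or quarantine (email)


@dataclass
class Verdict:
    domain: str
    age_days: Optional[float]   # None when no registration date was available
    action: str                 # "block", "inspect", "quarantine" or "allow"
    reason: str


def parse_creation_date(raw: Optional[str]) -> Optional[datetime]:
    """Parse a WHOIS/RDAP 'Creation Date' string into an aware UTC datetime.

    Returns None when the field is missing or unparseable. Callers must never
    treat None as 'old': hidden or rate-limited WHOIS is common on abused TLDs.
    """
    if not raw:
        return None
    raw = raw.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:          # registries report UTC without a suffix
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def evaluate(domain: str, creation_raw: Optional[str], now: datetime,
             channel: str = "web") -> Verdict:
    """Apply the NRD policy for one domain.

    channel="web" is the proxy/DNS-resolver decision (block or inspect);
    channel="email" is the mail-gateway decision, where any NRD as a sender
    domain is quarantined rather than delivered.
    """
    created = parse_creation_date(creation_raw)
    if created is None:
        # Unknown age is itself a signal: fail closed to inspection, not to allow.
        return Verdict(domain, None, "inspect", "registration date unknown")

    age = now - created
    if age < timedelta(0):
        # Clock skew or a bogus record: a 'future' registration is new, not ancient.
        age = timedelta(0)
    age_days = age.total_seconds() / 86400

    if age < NRD_WINDOW:
        if channel == "email":
            return Verdict(domain, age_days, "quarantine",
                           f"sender domain is {age_days:.1f} days old (< 30d)")
        if age < BLOCK_WINDOW:
            return Verdict(domain, age_days, "block",
                           f"registered {age_days:.1f} days ago (< 72h)")
        return Verdict(domain, age_days, "inspect",
                       f"registered {age_days:.1f} days ago (< 30d)")
    return Verdict(domain, age_days, "allow", f"registered {age_days:.0f} days ago")


# Constructed sample lookups (not real WHOIS results) and a fixed clock so the
# output is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES: Dict[str, Optional[str]] = {
    "support-google-auth-update.com": "2024-05-31T09:15:00Z",  # ~1 day old
    "brightlaunch.io": "2024-05-10T00:00:00Z",                  # ~22 days old
    "example.com": "1995-08-14T04:00:00Z",                      # decades old
    "hidden-whois.net": None,                                    # registrar hides it
}


def run_policy(samples: Dict[str, Optional[str]] = SAMPLES, now: datetime = NOW,
               channel: str = "web") -> Dict[str, Verdict]:
    return {d: evaluate(d, raw, now, channel) for d, raw in samples.items()}


if __name__ == "__main__":
    for channel in ("web", "email"):
        for v in run_policy(channel=channel).values():
            print(f"{channel:5} {v.action:10} {v.domain:32} {v.reason}")
```

Note the asymmetry between channels: on the web side a 22-day-old domain is only inspected, because blocking it would hit legitimate launches, while on the email side the same domain is quarantined, because a brand-new sender domain has almost no legitimate reason to reach your users unannounced.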

False Positives vs. Risk Reduction

Critics argue that blocking new domains hurts legitimate businesses launching new products. That is true, but the ratio of malicious to legitimate NRDs is heavily skewed towards malice, and a legitimate launch that registers its domain a few days before go-live loses little to a 24-72 hour blocking window.

The solution is context. Don't block on age alone: attackers know about NRD policies too and sometimes register domains months ahead and leave them dormant, so age is a signal, not a verdict. Combine age with:

  • Entropy: Does the name look like random characters, as with algorithmically generated domains?
  • Registrar: Was it registered through a cheap or free registrar that spammers favour?
  • Hosting: Does it resolve to a bulletproof hosting provider?
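The combination described above, as an added example that is not from the original post: age is scored alongside label entropy, registrar and hosting ASN, and the decision follows the shape of the post's own example rule, "Block if Age < 7 days AND Threat Score > 50". The weights, thresholds, the registrar and ASN watchlists (stand-in names and private-use ASNs, not real entities) and the sample domains are all assumptions made for the example; the age in days would come from the WHOIS creation date as in the NRD policy.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Constructed watchlists for this example. A real deployment feeds these from
# threat intelligence; the names and ASNs here are stand-ins, not real entities
# (64512-65534 is the private-use ASN range).
ABUSED_REGISTRARS = {"freebie-registrar-example", "cheapdomains-example"}
BULLETPROOF_ASNS = {64512, 64513}

# Weights are assumptions chosen so that age alone can reach "inspect" but
# never "block"; a second signal is needed to cross the block threshold.
W_AGE_UNDER_7D, W_AGE_UNDER_30D = 40, 25
W_HIGH_ENTROPY, W_ABUSED_REGISTRAR, W_BULLETPROOF_ASN = 25, 20, 30
BLOCK_SCORE, INSPECT_SCORE = 50, 30


@dataclass
class Signals:
    domain: str
    age_days: float     # from the WHOIS creation date, as in the NRD policy
    registrar: str
    hosting_asn: int


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive: a real implementation must use the Public
    Suffix List so that 'x.co.uk' yields 'x' rather than 'co'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Bits per character. Brand-like names sit around 3-3.6 bits; a label of
    all-distinct characters reaches log2(len(text)) (4.0 bits for 16 chars)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def risk_score(s: Signals) -> Tuple[int, List[str]]:
    """Combine age with the three context signals into a 0-100 score."""
    score, reasons = 0, []
    if s.age_days < 7:
        score += W_AGE_UNDER_7D; reasons.append("age < 7d")
    elif s.age_days < 30:
        score += W_AGE_UNDER_30D; reasons.append("age < 30d")

    label = registrable_label(s.domain)
    entropy = shannon_entropy(label)
    # Long, high-entropy labels look algorithmically generated. The threshold is
    # an assumption; a hyphenated brand lookalike such as
    # 'support-google-auth-update' stays under it (~3.56 bits), which is exactly
    # why entropy is one signal among several and not a verdict on its own.
    if len(label) >= 12 and entropy > 3.8:
        score += W_HIGH_ENTROPY; reasons.append(f"high entropy ({entropy:.2f} bits/char)")

    if s.registrar.lower() in ABUSED_REGISTRARS:
        score += W_ABUSED_REGISTRAR; reasons.append("registrar favoured by abusers")
    if s.hosting_asn in BULLETPROOF_ASNS:
        score += W_BULLETPROOF_ASN; reasons.append("bulletproof hosting ASN")
    return min(score, 100), reasons


def decide(s: Signals) -> str:
    """Block only when the domain is both young and scores high; otherwise
    inspect or allow. Same shape as 'Block if Age < 7 days AND Threat Score > 50'."""
    score, _ = risk_score(s)
    if s.age_days < 7 and score > BLOCK_SCORE:
        return "block"
    if score >= INSPECT_SCORE:
        return "inspect"
    return "allow"


# Constructed sample domains and lookups (not real registrations).
SAMPLES = [
    Signals("support-google-auth-update.com", 1.1, "cheapdomains-example", 64512),
    Signals("xk7q2mzp9vbn4wg3.net", 0.5, "reputable-registrar-example", 65000),
    Signals("brightlaunch.io", 2.0, "reputable-registrar-example", 65000),
    Signals("oldsite.org", 4000.0, "reputable-registrar-example", 64513),
    Signals("example.com", 10500.0, "reputable-registrar-example", 65000),
]

if __name__ == "__main__":
    for s in SAMPLES:
        score, reasons = risk_score(s)
        print(f"{decide(s):8} {score:3} {s.domain:32} {', '.join(reasons) or 'no findings'}")
```

The point of the weights is visible in the sample set: the two-day-old brightlaunch.io scores 40 and is only inspected, while the phishing lookalike and the random-label domain both cross 50 because a second signal (abused registrar and bulletproof hosting, or a DGA-like label) backs up their youth. An aged domain on a bulletproof ASN still lands in "inspect", which is the right outcome for a dormant or resold domain that has just gone live.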

How isMalicious Helps

isMalicious enriches domain data with registration dates and reputation scores. This allows you to build granular policies. For example: "Block if Age < 7 days AND Threat Score > 50."

Conclusion

In the race against cyber threats, time is a critical dimension. By factoring domain age into your security logic, you cut off a massive avenue of attack before it even begins. Treat new domains with skepticism until they earn their trust.

Protect Your Infrastructure

Check any IP or domain against our threat intelligence database with 500M+ records.

Try the IP / Domain Checker