SicuraNext

68% of all phishing infrastructure tracked operates on Cloudflare as of the current year.

Almost 60% of the observed indicators of compromise (IOCs) are linked with Phishing-as-a-Service (PhaaS).

The mean DNS resolution rate for phishing operators was 96.16%, indicating high availability and minimal downtime.

51.54% of the phishing infrastructure is directly hosted, while 48.46% is protected by CDN/proxy services.

Over the past four months, 20 distinct phishing clusters were identified based on shared infrastructure fingerprints.

In the last quarter, over 42,000 validated URLs and domains were identified as actively serving phishing kits, command-and-control infrastructure, or payload delivery.

11,324 phishing domains used the .com top-level domain, making it the most common among attackers.

72% of phishing domains in the dataset utilized obfuscation via legitimate services.

Meta was mentioned 10,267 times, accounting for 42% of all brand impersonation tracked.