Tactic or Technique: Free subdomain host

Attackers often use free subdomain hosting platforms—like *.web.app, *.netlify.app, or *.github.io—to create phishing sites that look more trustworthy than they are. These services let anyone spin up a website under a well-known domain, which helps malicious pages inherit the reputation of the larger platform.
When you get a phishing email with a link to one of these subdomains, the parent domain may look familiar and safe. But the subdomain itself often hosts fake login pages or malware downloads, making it hard to tell what’s real and what’s not.
Because these hosting providers are widely used for legitimate purposes, blocking them outright isn’t practical for most organizations. That makes this tactic especially tricky—it hides malicious content behind domains people trust, and it forces defenders to find more precise ways to detect threats without disrupting day-to-day business.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Spoofable internal domain with suspicious signals
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/spoofable-internal-domain-with-suspicious-signals-40089d69
Vendor Compromise: GovDelivery Message With Suspicious Link
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Brand Impersonation: Coinbase with suspicious links
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Link: Multistage Landing - Abused Docusign
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Low reputation link to auto-downloaded HTML file with smuggling indicators
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6
Link: Abused Adobe Express
17h ago
Jul 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Attachment: Calendar invite with suspicious link leading to an open redirect
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7
Link: IPFS
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-ipfs-19fa6442
Link: Jensi File Preview Link from Unsolicited Sender
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-jensi-file-preview-link-from-unsolicited-sender-122b39f3
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Attachment: HTML Smuggling Microsoft Sign In
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385
Spam: Link to blob.core.windows.net from new domain (<30d)
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/spam-link-to-blobcorewindowsnet-from-new-domain-less30d-a09b3800
Free subdomain link with login or captcha (untrusted sender)
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/free-subdomain-link-with-login-or-captcha-untrusted-sender-93288f82
Link: Free Subdomain host with undisclosed recipients
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-free-subdomain-host-with-undisclosed-recipients-c23d979d
Attachment: EML with link to credential phishing page
8d ago
Jul 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Brand Impersonation: Fake Fax
13d ago
Jul 11th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Deceptive Dropbox Mention
28d ago
Jun 26th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/deceptive-dropbox-mention-58a107bc
Zoom Events Newsletter Abuse
1mo ago
Jun 23rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/zoom-events-newsletter-abuse-c8fce846
Link: Webflow Link from Unsolicited Sender
1mo ago
Jun 13th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf
Credential phishing: Onedrive impersonation
1mo ago
Jun 4th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/credential-phishing-onedrive-impersonation-1f990c92