Free subdomain host

Tactic or Technique: Free subdomain host

Attackers often use free subdomain hosting platforms—like *.web.app, *.netlify.app, or *.github.io—to create phishing sites that look more trustworthy than they are. These services let anyone spin up a website under a well-known domain, which helps malicious pages inherit the reputation of the larger platform.

When you get a phishing email with a link to one of these subdomains, the parent domain may look familiar and safe. But the subdomain itself often hosts fake login pages or malware downloads, making it hard to tell what’s real and what’s not.

Because these hosting providers are widely used for legitimate purposes, blocking them outright isn’t practical for most organizations. That makes this tactic especially tricky—it hides malicious content behind domains people trust, and it forces defenders to find more precise ways to detect threats without disrupting day-to-day business.

Blog Post

Living Off the Land: Credential Phishing via Docusign abuse

Sublime Security Attack Spotlight: Credential phishing attempt using Docusign service to deliver multi-stage malicious links via fake PDF.

Attack Types (4):

Detection Methods (13):

Content analysis

URL analysis

Sender analysis

Natural Language Understanding

Whois

Header analysis

Computer Vision

Optical Character Recognition

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Link: Webflow Link from Unsolicited Sender	5d ago Jun 13th, 2025 UTC	Sublime Security	Callback Phishing Free file host Free subdomain host Content analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf
Vendor Compromise: GovDelivery Message With Suspicious Link	14d ago Jun 4th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Credential phishing: Onedrive impersonation	14d ago Jun 4th, 2025 UTC	Sublime Security	Credential Phishing Free subdomain host Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/credential-phishing-onedrive-impersonation-1f990c92
Brand Impersonation: Fake Fax	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
ClickFunnels link infrastructure abuse	1mo ago May 16th, 2025 UTC	Sublime Security	Credential Phishing Free email provider Free subdomain host Social engineering Content analysis Header analysis QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9
Link: Credential Phishing via WordPress	2mo ago Apr 11th, 2025 UTC	Sublime Security	Credential Phishing Social engineering Free subdomain host URL analysis Header analysis Computer Vision	/feeds/core/detection-rules/link-credential-phishing-via-wordpress-db696058
Link: Multistage Landing - Abused Docusign	2mo ago Apr 11th, 2025 UTC	Sublime Security	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Message Traversed Multiple onmicrosoft.com Tenants	6mo ago Dec 18th, 2024 UTC	Sublime Security	Callback Phishing Evasion Free email provider Free subdomain host Sender analysis Header analysis	/feeds/core/detection-rules/message-traversed-multiple-onmicrosoftcom-tenants-9cf01c0d
Link: Abused Adobe Express	6mo ago Dec 16th, 2024 UTC	Sublime Security	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Free subdomain link with credential theft indicators	6mo ago Dec 12th, 2024 UTC	Sublime Security	Credential Phishing Free subdomain host Content analysis Header analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/free-subdomain-link-with-credential-theft-indicators-9187479c
Shopify infrastructure abuse	7mo ago Nov 13th, 2024 UTC	Sublime Security	Credential Phishing Spam Evasion Free subdomain host Impersonation: Brand Social engineering Content analysis Header analysis URL analysis	/feeds/core/detection-rules/shopify-infrastructure-abuse-844ff164
Link: IPFS	8mo ago Oct 16th, 2024 UTC	Sublime Security	Credential Phishing Malware/Ransomware Free file host Free subdomain host IPFS Sender analysis URL analysis	/feeds/core/detection-rules/link-ipfs-19fa6442
Link: Jensi File Preview Link from Unsolicited Sender	8mo ago Oct 2nd, 2024 UTC	Sublime Security	Callback Phishing Free file host Free subdomain host Content analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-jensi-file-preview-link-from-unsolicited-sender-122b39f3
Attachment: EML with link to credential phishing page	9mo ago Sep 13th, 2024 UTC	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Link: Free Subdomain host with undisclosed recipients	11mo ago Jun 27th, 2024 UTC	Sublime Security	Free subdomain host Header analysis URL analysis	/feeds/core/detection-rules/link-free-subdomain-host-with-undisclosed-recipients-c23d979d
Spam: Link to blob.core.windows.net from new domain (<30d)	1y ago May 21st, 2024 UTC	Sublime Security	Spam Free subdomain host Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/spam-link-to-blobcorewindowsnet-from-new-domain-less30d-a09b3800
Low reputation link to auto-downloaded HTML file with smuggling indicators	1y ago May 9th, 2024 UTC	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6
Credential phishing: Engaging language with IPFS link	1y ago May 3rd, 2024 UTC	Sublime Security	Credential Phishing Free file host Free subdomain host IPFS Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/credential-phishing-engaging-language-with-ipfs-link-996c4d83
Spoofable internal domain with suspicious signals	1y ago May 3rd, 2024 UTC	Sublime Security	Credential Phishing Free file host Free subdomain host Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/spoofable-internal-domain-with-suspicious-signals-40089d69
Attachment: EML file with IPFS links	1y ago Apr 25th, 2024 UTC	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host IPFS File analysis URL analysis	/feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7