Tactic or Technique: Free subdomain host

Attackers often use free subdomain hosting platforms—like *.web.app, *.netlify.app, or *.github.io—to create phishing sites that look more trustworthy than they are. These services let anyone spin up a website under a well-known domain, which helps malicious pages inherit the reputation of the larger platform.
When you get a phishing email with a link to one of these subdomains, the parent domain may look familiar and safe. But the subdomain itself often hosts fake login pages or malware downloads, making it hard to tell what’s real and what’s not.
Because these hosting providers are widely used for legitimate purposes, blocking them outright isn’t practical for most organizations. That makes this tactic especially tricky—it hides malicious content behind domains people trust, and it forces defenders to find more precise ways to detect threats without disrupting day-to-day business.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link: Fraudulent state business filing notice
2d ago
Jul 14th, 2026
Sublime Security
Brand impersonation: Government / Tax Authority document lure
2d ago
Jul 14th, 2026
Sublime Security
Zoom Events newsletter abuse
8d ago
Jul 8th, 2026
Sublime Security
Credential phishing: Onedrive impersonation
16d ago
Jun 30th, 2026
Sublime Security
Service abuse: Google Firebase sender address with suspicious content
28d ago
Jun 18th, 2026
Sublime Security
Service abuse: Outlook Groups with Google Sites link and evasion tag
29d ago
Jun 17th, 2026
Sublime Security
Brand impersonation: Fake Fax
29d ago
Jun 17th, 2026
Sublime Security
Link: Flare-branded credential harvesting via Cloudflare tunnels
1mo ago
Jun 12th, 2026
Sublime Security
Service abuse: Suspicious Datadog alert
1mo ago
Jun 11th, 2026
Sublime Security
ClickFunnels link infrastructure abuse
1mo ago
Jun 5th, 2026
Sublime Security
Attachment: PDF Attachment with links to workers.dev
1mo ago
Jun 4th, 2026
Sublime Security
Credential phishing: AWS Lambda URL with recipient targeting
1mo ago
May 28th, 2026
Sublime Security
Service abuse: Google OAuth with suspicious redirect destination
1mo ago
May 27th, 2026
Sublime Security
Link: File sharing impersonation with suspicious language and sending patterns
2mo ago
Apr 30th, 2026
Sublime Security
Attachment: Calendar invite with suspicious link leading to an open redirect
2mo ago
Apr 28th, 2026
Sublime Security
Attachment: HTML smuggling Microsoft sign in
2mo ago
Apr 27th, 2026
Sublime Security
Self-sender with copy/paste instructions and suspicious domains (French/Français)
3mo ago
Apr 16th, 2026
Sublime Security
Link: Tax document lure Portuguese/Spanish with suspicious domains
3mo ago
Apr 14th, 2026
Sublime Security
Service abuse: GitHub notification with excessive mentions and suspicious links
3mo ago
Apr 7th, 2026
Sublime Security
Attachment: PDF bid/proposal lure with credential theft indicators
3mo ago
Mar 27th, 2026
Sublime Security