Netcraft tool targets malicious domains before attacks
Netcraft has launched a service designed to identify and take down attacker-controlled internet domains before they are used in phishing and business email compromise schemes.
The product, called Preemptive Domain Disruption, targets the period after criminals register a domain name but before it becomes active in a live campaign. Security teams and investigators have long tracked how attackers often prepare domain infrastructure in advance, then switch it on at short notice once a campaign is ready.
In early deployments, Netcraft said, "approximately 90%" of malicious domains were removed within 24 hours. One enterprise customer recorded more than 21,000 takedowns over three months, the company added.
How it works
The approach combines domain monitoring with analysis that groups related infrastructure. Netcraft uses what it calls infrastructure clustering and campaign fingerprinting to identify domains that show signs of preparation for abuse, even when they do not yet host phishing pages or other malicious content.
It uses "high-fidelity data clusters and verified attack indicators" to flag domains configured for abuse before a campaign launch, and correlates signals including shared infrastructure, registration artefacts, technical configurations, and indicators linked to impersonation and fraud.
After confirming a cluster and collecting what it describes as "enforcement-grade evidence", Netcraft works with hosting providers and other internet infrastructure partners to disable domains. It also distributes risk signals to third parties, including DNS operators and email reputation systems.
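To make the clustering idea concrete, here is an added illustration (not Netcraft's code, and not a description of its actual pipeline) of how shared registration and infrastructure signals can link dormant domains to a confirmed-malicious one. The domain records, nameservers, addresses and registrant values are constructed for the example; a real workflow would pull them from passive DNS, WHOIS/RDAP and similar sources.

```python
from collections import defaultdict

# Constructed sample of registered domains with the kinds of attributes the article
# mentions (nameserver, hosting IP, registrant). "content" is None for dormant domains
# that host nothing yet; "confirmed" marks a domain already verified as malicious.
RECORDS = [
    {"domain": "login-examplebank.com", "ns": "ns1.bulkdns.example", "ip": "203.0.113.10",
     "registrant": "reg-a@mail.example", "content": "phishing", "confirmed": True},
    {"domain": "examplebank-secure.net", "ns": "ns1.bulkdns.example", "ip": "203.0.113.11",
     "registrant": "reg-a@mail.example", "content": None, "confirmed": False},
    {"domain": "verify-examplebank.org", "ns": "ns9.other.example", "ip": "203.0.113.11",
     "registrant": "reg-b@mail.example", "content": None, "confirmed": False},
    {"domain": "unrelated-shop.example", "ns": "ns2.hoster.example", "ip": "198.51.100.5",
     "registrant": "owner@shop.example", "content": None, "confirmed": False},
]
SIGNALS = ("ns", "ip", "registrant")  # attributes treated as linking evidence (assumed)

def cluster_domains(records, signals=SIGNALS):
    """Union-find over domains that share any signal value. Returns {domain: cluster_id}."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    by_value = defaultdict(list)
    for r in records:
        for s in signals:
            by_value[(s, r[s])].append(r["domain"])
    for members in by_value.values():  # every domain sharing a value joins one set
        for d in members[1:]:
            parent[find(d)] = find(members[0])
    return {d: find(d) for d in parent}

def dormant_in_confirmed_clusters(records, signals=SIGNALS):
    """Dormant domains that share a cluster with a confirmed-malicious domain, mapped to the
    (signal, value) pairs tying them to other cluster members: the evidence for a request."""
    clusters = cluster_domains(records, signals)
    confirmed = {clusters[r["domain"]] for r in records if r["confirmed"]}
    out = {}
    for r in records:
        cid = clusters[r["domain"]]
        if r["content"] is None and cid in confirmed:
            peers = [p for p in records if p["domain"] != r["domain"] and clusters[p["domain"]] == cid]
            out[r["domain"]] = sorted({(s, r[s]) for s in signals for p in peers if p[s] == r[s]})
    return out
```

Note that verify-examplebank.org is linked only transitively (one shared IP with another dormant domain), which is weaker evidence than a direct link to the confirmed domain; a production system would weight signals and hop distance rather than treat every link equally.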
Industry shift
The launch comes as security teams face high volumes of brand impersonation and credential theft, alongside fraud attempts that use email to impersonate staff, suppliers and executives. Many organisations already run takedown services for active threats, including lookalike domains that host phishing pages.
Preemptive disruption targets an earlier stage of the same playbook. Attackers often use the time between domain registration and campaign launch to set up hosting, mail services and other components; that window can stretch from days to months. Security teams can struggle to act without visible malicious content, or without enough context to link a domain to an active cluster of criminal activity.
Netcraft positioned the service as part of a wider move towards earlier intervention, and linked the need for faster action to criminals' use of AI, which has increased the speed and scale of phishing and related fraud.
Peter Cassidy, Co-Founder, Anti-Phishing Working Group, said: "Netcraft's approach to preemptively disrupting malicious campaigns brings the contest against cybercrime where it belongs: into the future. With AI tools simplifying cybercrime's scaling, prevention is more vital than ever. Long-time APWG member Netcraft will be contributing data from Preemptive Domain Disruption to a new sub-category of predeployed domain names on APWG's member eCrime eXchange, reflecting Netcraft's steadfast commitment to securing Internet infrastructure."
Netcraft plans to contribute data from the new service to a new category within the APWG eCrime eXchange, which members use to share threat intelligence.
Operational impact
For security teams, the core promise is fewer incidents reaching inboxes and fewer brand-impersonation pages appearing online. Netcraft said its clustering approach increases confidence in assessments and reduces manual investigation, lowering reputational, financial and operational risk by disrupting domains earlier in the attack chain.
Preemptive takedowns can still depend on cooperation from registries, hosting providers and other intermediaries. They also require sufficient evidence at a point when visible malicious content may not exist. Netcraft's model centres on correlating multiple signals and linking domains to a broader campaign context before seeking suspension or removal.
"Attackers operate differently in an AI age. They can quickly stand up infrastructure well in advance of a campaign. With more than two decades of fighting cybercrime and disrupting online threats, Netcraft is uniquely positioned to deliver Preemptive Domain Disruption, which leverages our knowledge of threat actor behavior to identify signals of malicious activity before domains are used in an attack. By removing attacker infrastructure upstream, we don't just detect threats faster; we prevent them from reaching our customers and the people who trust them," said Ryan Woodley, Chief Executive Officer, Netcraft.
Netcraft said it will continue developing its predictive disruption work alongside its existing domain detection and takedown services, with an emphasis on identifying attacker infrastructure during the dormant phase before campaigns go live.