How often does your security team have to deal with cyber-attacks on end-users that employ techniques such as DNS poisoning and URL spoofing? I’ve had to deal with that in the last 15 years…
Cybercriminals have been manipulating how DNS resolves web addresses and silently redirecting users to malicious lookalike sites that can install malware, harvest sensitive information, or serve ransomware.
These risks are growing as hybrid and remote work environments expand attack surfaces, and as employees freely interact with online tools and AI platforms. And we need to nip them in the bud.
CybersecAsia finds out more in this Q&A with Paul Wilcox, VP, APJ, Infoblox.
Has DNS become a favored weapon in the cyber-attacker’s toolkit? If so, why?
Wilcox: DNS has become a key enabler in modern cyber-attacks, not just as the starting point, but as a tool that attackers actively exploit. Attackers use DNS to trick users into visiting fake websites, communicate with their own servers and even steal data, all while making it look like normal internet activity.
Every one of these activities starts with a DNS request. In fact, the US National Security Agency (NSA) found that 92% of cyber-attacks involve the use of DNS at some point in their execution.
That makes DNS a prime target; but it’s also a powerful tool for defenders when used correctly.
For instance, at Infoblox, we put DNS at the center of our cybersecurity strategy. In a world where most defenses are reactive — waiting for something to go wrong — we take a preemptive approach. By embedding threat intelligence directly at the DNS layer, organizations can detect and block threats before they reach the endpoint, application or user.
How have hybrid and remote work environments exacerbated this cybersecurity challenge?
Wilcox: The shift to hybrid and remote work has massively expanded the attack surface. Employees are now connecting from everywhere — coffee shops, home networks, mobile hotspots — often bypassing traditional on-prem security controls and, in turn, amplifying DNS-related risks.
For instance, users connected to public Wi-Fi are particularly vulnerable to DNS spoofing. These environments are ripe for attackers to redirect users to malicious sites that install malware, often without the user ever realizing they’ve left a legitimate domain. In distributed work environments, attackers exploit this openness to sneak through undetected. Without consistent visibility into DNS activity across all digital activities and connections, organizations are flying blind.
A preemptive security approach embeds intelligence directly at the DNS layer, so threats can be blocked before they spread, regardless of a user’s location.
What are some AI-related developments that organizations and their employees need to be aware of?
Wilcox: The most pressing concern is the sheer scale and sophistication of AI-powered cyber-attacks. Generative AI allows attackers to produce highly convincing phishing attacks – not just en masse, but highly personalized, with perfect grammar, context-aware language and even with the tone of someone the victim knows.
We are also observing an increase in deepfake technology, where audio and video manipulation create a false sense of trust. In 2024, an employee in Hong Kong was tricked into transferring $25 million after a video call with a video of their deepfaked CFO.
This is especially concerning in the Asia Pacific region. A recent Cyber Security Agency of Singapore survey reported that 3 out of 4 Singaporeans could not tell apart a deepfake video from a real video, noting that the ability to spot deepfakes is not progressing at the same rate the technology is.
In today’s threat landscape, organizations cannot solely rely on their users to spot threats. That’s where DNS-centric preemptive security becomes vital. Traditional cybersecurity models wait for a first victim, or “patient zero,” to trigger a response. These approaches are no longer effective. Today’s attacks are targeted, AI-enhanced and often designed to make you patient zero.
That’s why preemptive security is critical. It’s critical to stop threats before they reach the user; before a malicious email is clicked, or a fake login page loads. By leveraging AI and machine learning, massive volumes of DNS traffic and threat signals can be turned into clear, actionable insights — helping security teams cut through alert fatigue and focus on what truly matters.
Advanced technology like AI has changed the speed and scale of attacks. Our defense strategy has to change as well: by embedding intelligence earlier in the cyber kill chain, closer to the infrastructure and away from the end user.
What can organizations do to protect this critical layer of their digital infrastructure?
Wilcox: One of the most important shifts we’re seeing in cybersecurity is the move away from the old “patient zero” model. For years, security strategies relied on detecting malware only after someone else had been hit — learning from their misfortune and updating defenses accordingly.
But that model is breaking down. Today’s threat actors are increasingly crafting attacks that are targeted and tailored, not just to a specific industry, but to individual organizations and even employees. That means the chance of you being patient zero increases drastically, and by the time traditional tools catch on, it’s already too late.
To stay ahead, organizations need a proactive approach focused on cutting off the communication channels that threats rely on, before an attacker can establish a foothold, move laterally, or exfiltrate data. The DNS layer is uniquely suited for this because almost every connection attempt, whether legitimate or malicious, starts with a DNS query.
By combining real-time DNS analytics with predictive intelligence, such as identifying suspicious infrastructure before it’s weaponized, organizations can stop threats before they have an opportunity to execute.
The future of cybersecurity isn’t just about reacting faster; it’s about intervening earlier. Security must be woven in at the infrastructure level to prevent threats from ever reaching their target. In a world of fast-moving, tailored attacks, that level of preemptive protection is no longer a luxury – it’s essential.