NRDs: Don't Panic

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Retired Member
Not applicable

See how URL filtering and other best practices from Palo Alto Networks prevail over malicious usage of NRDs, including phishing, malware, and scam. Don't panic! Our podcasts and more are here to help. Got Questions? Get Answers here on LIVEcommunity.


Newly registered domains (NRDs) are known to be favored by threat actors to launch malicious campaigns. Academic and industry research reports have shown statistical proof that NRDs are risky, revealing malicious usage of NRDs, including phishing, malware, and scam.

Category breakdown of NRDs from January through May 2019. Alarming? Check out the Unit 42 blog for more...but don't panic. We've got you covered.Category breakdown of NRDs from January through May 2019. Alarming? Check out the Unit 42 blog for more...but don't panic. We've got you covered.A best security practice calls for blocking and/or closely monitoring NRDs in enterprise traffic. Despite the evidence, there hasn’t yet been a comprehensive case study on the malicious usages and threats associated with NRDs using real-world examples. Unit 42 recently published "Newly Registered Domains: Malicious Abuse by Bad Actors," which presents a comprehensive case study and analysis of malicious abuses of NRDs by bad actors.


Unit 42 has been tracking NRDs for more than nine years. They collaborate with the Internet Corporation for Assigned Names and Numbers (ICANN) and various domain registries and registrars, which provides direct visibility of many NRDs registered under both generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs).


Unit 42 continues to indirectly identify NRDs by leveraging a combination of data sources, including WHOIS, zone files, and passive DNS. The Unit 42 proprietary NRD feed consists of 1,530 top-level domains, which, to our knowledge, exceeds the best NRD feed/service publicly offered on the market.


Palo Alto Networks customers are all protected against malicious indicators (domain, IP, URL, SHA256) mentioned in the Unit 42 blog, via URL Filtering, DNS Security, WildFire, and Threat Prevention where applicable. AutoFocus customers with further interests in the malware mentioned in this blog can refer to the following AutoFocus tags AzoRultEmotetPykspa, and Ramnit.


At Palo Alto Networks, we recommend blocking access to NRDs with URL Filtering. While this may be deemed a bit aggressive by some, due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, then alerts should be set up for additional visibility. We define NRDs as any domain that has been registered or had a change in ownership within the last 32 days. Our own analysis has indicated that the first 32 days are the optimal timeframe when NRDs are detected as malicious.


There is much more to learn on this topic. Make sure to read about all the details in "Newly Registered Domains: Malicious Abuse by Bad Actors," Get protected!


Adapted from the Unit 42 blog, "Newly Registered Domains: Malicious Abuse by Bad Actors"

by: Zhanhao ChenJun Javier Wang and Kelvin Kwan







Check out "Don't Panic," podcasts by Unit 42 at


Great topics from Unit 42 leaders Rick Howard and Ryan Olson include:


  • Insider Threats – a technical problem or a human resource issue?
  • Tech Support Scams – for friends and family who occasionally get tricked into handing over their good, hard-earned money to the "technical support" scammer
  • Watering Holes – watering-hole attacks involve compromising specific websites to target readers with malware.

Check out more podcasts on Unit 42, where they break down the big issues in cybersecurity and tell you why you don't need to panic.


Share what you learn here in the LIVEcommunity. Got questions? Get answers!


  • 324 Subscriptions
Register or Sign-in