CISOOnline

Aged-domain acquisition: The tradecraft phishing operators are using to bypass your mail filter’s reputation score

How age-weighted reputation became the blind spot

Most enterprise mail filters from major vendors, including Microsoft Defender for Office 365, Proofpoint, Mimecast and Cisco Talos, factor domain age heavily into their classification decisions. A freshly registered .com triggers immediate reputation penalties. A domain with years of stable hosting, consistent certificate issuance and clean DNS history gets treated as low risk. The logic made sense ten years ago, when newly minted abuse domains dominated phishing infrastructure and aged domains usually meant established small businesses.

I work with several enterprise environments that pay for the most expensive tiers of email security and still see phishing lures land in users’ inboxes. When I trace those lures back to their parent domains, an increasing percentage show the same pattern. Long-stable cert history through some point in 2024 or 2025. A several-month gap with no new certs issued. Then certs start appearing again for subdomains that have nothing to do with the original brand. The reputation score on these domains is high. The infrastructure behind them is criminal. The filter doesn’t know the difference.

What aged-domain acquisition actually looks like

There are two reasonable ways for an operator to acquire an aged domain. They can drop-catch an expired registration, or they can hijack an active one through credential theft against the owner’s registrar account. Drop-catching is cheaper and lower-risk. Services like DropCatch, SnapNames and GoDaddy Auctions exist precisely to acquire domains the moment they expire, and a determined operator can pay $50 to $500 for a domain with a decade of clean history.

The domain I want to walk through is one I documented in detail during the Sneaky2FA case: digitalscrapbookingfreebies.com. The certificate transparency record shows the takeover in full. From 2016 through July 2025, the cert history reads like a normal small-business cPanel-hosted blog. cPanel Inc. issued ECC certs every 60 to 90 days for the standard cpanel., mail., webdisk. and webmail. subdomains. Let’s Encrypt R3 issued certs for the apex and www. every 90 days. The subjects stayed stable across nine years. Someone was running a hobby blog providing free scrapbooking assets to a small audience, and the cert pattern reflects that.
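The pattern above (years of routine renewals, a multi-month silence, then certificates for subdomains the original site never had) can be scored mechanically from certificate transparency data. The script below is an added example, not code from the article or from the Sneaky2FA write-up; it runs on a constructed history for example.com rather than the real domain's records, and the flattened record layout (not_before, issuer, names) is an assumption about how you would reduce CT results from a source such as crt.sh before scoring.

```python
"""Flag the 'long stable history, multi-month gap, then unrelated subdomains'
pattern in a domain's certificate transparency history.

Added example for illustration; the CT entries below are constructed, not
real log data, and the record layout (not_before / issuer / names) is an
assumption about how you would flatten real CT results before scoring.
"""
from datetime import date, timedelta

# Stand-in apex for the constructed history (not the domain from the article).
APEX = "example.com"


def renewals(start, end, every_days, issuer, names):
    """Yield one constructed CT entry per renewal cycle from start to end."""
    issued = start
    while issued <= end:
        yield {"not_before": issued, "issuer": issuer, "names": list(names)}
        issued += timedelta(days=every_days)


HOSTING_NAMES = [f"{label}.{APEX}" for label in ("cpanel", "mail", "webdisk", "webmail")]

# Constructed history: nine years of cPanel and Let's Encrypt renewals for a
# stable set of hostnames, a gap of several months, then certs for subdomains
# that have nothing to do with the original site.
SAMPLE_LOG = (
    list(renewals(date(2016, 3, 1), date(2025, 7, 15), 75, "cPanel, Inc.", HOSTING_NAMES))
    + list(renewals(date(2016, 3, 10), date(2025, 7, 20), 90, "Let's Encrypt R3",
                    [APEX, f"www.{APEX}"]))
    + [
        {"not_before": date(2025, 12, 18), "issuer": "Let's Encrypt R11",
         "names": [f"secure-login.{APEX}"]},
        {"not_before": date(2026, 1, 4), "issuer": "Let's Encrypt R11",
         "names": [f"account-verify.{APEX}", f"sso.{APEX}"]},
    ]
)


def subject_labels(entry, apex):
    """Subdomain labels under apex that a cert covers; '@' marks the apex itself."""
    labels = set()
    for name in entry["names"]:
        if name == apex:
            labels.add("@")
        elif name.endswith("." + apex):
            labels.add(name[: -(len(apex) + 1)])
    return labels


def find_dormancy_takeover(entries, apex, min_gap_days=120, min_history_days=365):
    """Return a finding dict if the history shows the takeover pattern, else None.

    Pattern: at least min_history_days of issuance, then the single longest
    issuance gap is >= min_gap_days, and certs after the gap introduce
    subdomain labels never seen before the gap.
    """
    ordered = sorted(entries, key=lambda e: e["not_before"])
    if len(ordered) < 2:
        return None

    # Locate the longest interval between consecutive certificate issuances.
    split, longest = None, timedelta(0)
    for i in range(1, len(ordered)):
        gap = ordered[i]["not_before"] - ordered[i - 1]["not_before"]
        if gap > longest:
            split, longest = i, gap
    if split is None or longest.days < min_gap_days:
        return None

    before, after = ordered[:split], ordered[split:]
    if (before[-1]["not_before"] - before[0]["not_before"]).days < min_history_days:
        return None  # too little history for "aged" to mean anything

    baseline = set().union(*(subject_labels(e, apex) for e in before))
    new_labels = set().union(*(subject_labels(e, apex) for e in after)) - baseline
    if not new_labels:
        return None  # same hostnames resumed; looks like a hosting move, not a takeover

    return {
        "gap_start": before[-1]["not_before"],
        "gap_end": after[0]["not_before"],
        "gap_days": longest.days,
        "baseline_labels": sorted(baseline),
        "new_labels": sorted(new_labels),
        "issuers_before": sorted({e["issuer"] for e in before}),
        "issuers_after": sorted({e["issuer"] for e in after}),
    }


if __name__ == "__main__":
    finding = find_dormancy_takeover(SAMPLE_LOG, APEX)
    if finding:
        print(f"{APEX}: {finding['gap_days']}-day issuance gap "
              f"{finding['gap_start']} -> {finding['gap_end']}, "
              f"new labels after gap: {', '.join(finding['new_labels'])}")
    else:
        print(f"{APEX}: no dormancy-then-repurposing pattern")
```

The heuristic deliberately stays quiet when the same hostnames simply resume after a gap, which is what a legitimate hosting migration looks like; it is the appearance of labels the domain never carried in its baseline years that separates repurposing from a lapse in renewals. The gap and history thresholds are tunable assumptions, not values taken from any vendor's scoring.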


