Cybersecurity researchers have identified a persistent trend in which threat actors exploit vulnerabilities in government websites to further phishing campaigns.
Based on data spanning November 2022 through November 2024, malicious actors have misused numerous government domains under .gov top-level domains (TLDs) across more than 20 countries.
Exploitation of Legitimate .Gov Domains
While .gov domains are generally trusted by users, this trust is being exploited to host phishing pages, redirect victims to malicious links, or even serve as command and control (C2) servers.
Open redirects, a vulnerability in which a web application forwards users to whatever destination is supplied in a request parameter, including external, malicious sites, play a central role in these cyber campaigns.
Exploited .gov domains are often embedded in phishing emails, allowing attackers to bypass secure email gateways (SEGs) that inherently trust government-linked domains.
Victims, unaware of the redirection, are lured into sharing sensitive credentials on phishing pages.
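The pattern described above (a trusted .gov URL whose redirect parameter carries an off-host destination) can be triaged mechanically when URLs are pulled out of inbound mail. The following is an added example written for this article, not code from the Cofense report; the sample URLs are constructed, `portal.example.gov` and `login-example.invalid` are placeholder hosts, and the real URL layout of the exploit is not given on the page, so the only page-derived indicator used is the `noSuchEntryRedirect` path string.

```python
"""Triage URLs extracted from email for signs of open-redirect abuse on .gov hosts.

Added example (not from the Cofense report). Sample URLs are constructed;
the exploit's real URL layout is not on the page, so the path check uses only
the "noSuchEntryRedirect" indicator the report names.
"""
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Path fragment the report associates with the Liferay open-redirect abuse.
REDIRECT_PATH_INDICATOR = "noSuchEntryRedirect"


def is_gov_host(host: str) -> bool:
    """True for .gov and for national second-level forms such as example.gov.br."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-1] == "gov" or (len(labels) >= 3 and labels[-2] == "gov")


def _embedded_target(value: str) -> Optional[str]:
    """Return the host if a query value is an absolute or scheme-relative URL."""
    candidate = unquote(value).strip()
    if candidate.startswith("//"):          # scheme-relative "//host/..." still leaves the site
        candidate = "https:" + candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def triage_url(url: str) -> Optional[dict]:
    """Return a finding if the URL looks like a .gov open redirect, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not is_gov_host(host):
        return None
    reasons, external = [], None
    if REDIRECT_PATH_INDICATOR in parts.path:
        reasons.append("path contains " + REDIRECT_PATH_INDICATOR)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = _embedded_target(value)
        if target and target != host:       # same-host redirects are normal app behaviour
            external = target
            reasons.append(f"parameter '{key}' redirects off-host to {target}")
            break
    if not reasons:
        return None
    return {"url": url, "gov_host": host, "external_target": external, "reasons": reasons}


def triage_many(urls):
    """Run triage over a list of URLs and keep only the findings."""
    return [f for f in (triage_url(u) for u in urls) if f]


# Constructed sample input: what a mail filter might extract from message bodies.
SAMPLE_URLS = [
    "https://portal.example.gov/web/home?redirect=https%3A%2F%2Flogin-example.invalid%2Fsign-in",
    "https://portal.example.gov/noSuchEntryRedirect?redirect=//login-example.invalid/o365",
    "https://portal.example.gov/news?page=2",                     # benign .gov link
    "https://www.example.com/go?url=https://login-example.invalid/",  # not a .gov host
]

if __name__ == "__main__":
    for finding in triage_many(SAMPLE_URLS):
        print(finding["url"], "->", finding["external_target"], finding["reasons"])
```

Flagging only off-host targets keeps ordinary same-site redirects out of the queue; the path indicator is kept as a separate reason so an analyst can see whether a hit matches the report's Liferay pattern or a generic redirect parameter.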
Role of Liferay Platforms
A significant portion of the abuse arises from open redirect exploits linked to CVE-2024-25608, a vulnerability in the widely used Liferay digital experience platform.
Nearly 60% of observed phishing campaigns involving .gov domains carried a “noSuchEntryRedirect” path indicative of this specific exploit.
Liferay’s adoption across multiple governmental organizations may have contributed to this extensive abuse.
The vulnerability allows attackers to redirect users to credential phishing pages or intermediary sites.
Although such vulnerabilities are not exclusive to government websites, their presence underscores the importance of vigilance among web developers.
According to the Cofense report, governments and organizations must prioritize patch management and security auditing to mitigate risks stemming from outdated or unpatched software.
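The developer-side fix for the open-redirect class is to validate the redirect parameter before honouring it. The example below is added here and is not Liferay's code nor a description of CVE-2024-25608's internals (the page gives neither); it shows the weak "trust the parameter" pattern beside a hardened version that accepts only same-site relative paths or an allow-listed host, with `portal.example.gov` as an assumed canonical host.

```python
"""Server-side redirect validation: the weak pattern beside a hardened one.

Added example, not Liferay's code or the CVE's mechanics (the page gives neither).
ALLOWED_HOSTS is an assumption standing in for the application's own canonical host(s).
"""
from urllib.parse import unquote, urlsplit, urlunsplit

ALLOWED_HOSTS = {"portal.example.gov"}   # assumed canonical host(s) of the application
DEFAULT_LANDING = "/"


def weak_redirect_target(param: str) -> str:
    """Weak: returns the parameter as-is, so any absolute URL is followed."""
    return param or DEFAULT_LANDING


def safe_redirect_target(param: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target only if it stays on-site or on an allowed host.

    Anything else collapses to DEFAULT_LANDING rather than raising, so the
    user still lands somewhere sensible and the attacker gains nothing.
    """
    if not param:
        return DEFAULT_LANDING
    candidate = unquote(param).strip()
    # Some browsers treat backslashes as slashes in the authority part; normalise first.
    candidate = candidate.replace("\\", "/")
    if any(ord(c) < 0x20 for c in candidate):   # control characters: never legitimate here
        return DEFAULT_LANDING
    try:
        parts = urlsplit(candidate)
    except ValueError:                           # e.g. malformed IPv6 literal
        return DEFAULT_LANDING
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/..."): exact host match, https only.
        if parts.scheme != "https" or (parts.hostname or "") not in allowed_hosts:
            return DEFAULT_LANDING
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    # Relative target: must be a single leading slash ("//" would leave the site).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs a redirect parameter might carry.
    for raw in ["/dashboard?tab=1",
                "//login-example.invalid/o365",
                "https://login-example.invalid/",
                "https://portal.example.gov/home?x=1",
                "javascript:alert(1)",
                "%2F%2Flogin-example.invalid"]:
        print(f"{raw!r:45} weak -> {weak_redirect_target(raw)!r:40} safe -> {safe_redirect_target(raw)!r}")
```

Matching the host exactly (rather than by suffix) is what stops `portal.example.gov.attacker-site` or `portal.example.gov@other-host` from passing, and decoding once before parsing keeps percent-encoded `//` from slipping through as a "relative" path.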
While .gov domains affiliated with the United States accounted for only 9% of all exploited domains, they remain the third most-targeted globally.
All observed cases of U.S.-specific .gov domain abuse involved open redirects, primarily linked to CVE-2024-25608.
Microsoft-themed phishing campaigns were particularly prominent, often featuring emails impersonating legitimate entities and bypassing widely used SEGs such as Microsoft ATP, Cisco IronPort, and Proofpoint.
Statistical analysis reveals that the majority of abuse originates from a small subset of government domains.
For example, Brazilian .gov domains emerged as the most exploited, but the misuse was concentrated in a limited number of unique domains.
This pattern was consistent across other countries, suggesting targeted exploitation rather than widespread vulnerability.
In addition to redirect-based abuse, some compromised .gov domain email addresses have been repurposed as C2 infrastructure for malware, such as Agent Tesla Keylogger and StormKitty.
Despite these incidents, the frequency remains low, highlighting that governments may be taking steps to safeguard email systems.
The exploitation of .gov domains for phishing underscores the broader challenge of securing trusted digital infrastructure.
With government websites serving as high-value targets, sustained monitoring, timely patching, and security awareness at the organizational level are critical to mitigating risks.
As threat actors continue to innovate, collaborative efforts in cybersecurity will play a pivotal role in defending against evolving threats.