If you could keep only one piece of metadata about a suspicious URL, you should keep the age of its domain. Across the scan corpus, registration age separates convicted pages from clean ones more sharply than any other single infrastructure signal — and the reason is economic, not technical.
Why campaigns run young
A phishing domain is a consumable. From the operator's point of view it has a simple lifecycle: register, deploy the kit, deliver the lure, harvest for as long as the domain stays unflagged, abandon. Every day the domain exists before delivery is a day it can be scanned, reported and blocklisted before earning anything. So the median campaign compresses the timeline brutally — in our corpus, the typical convicted domain goes from registration to active credential harvesting in under 48 hours, and most are effectively dead within a week.
Blocklists, meanwhile, work on confirmation: someone must encounter the page, recognise it, report it, and have the report propagate. That loop takes longer than the campaign lives. Age-based suspicion inverts the race — instead of asking "has anyone confirmed this is bad?", it asks "has this domain existed long enough for anyone to have had the chance?"
The laundering counter-move
Operators know defenders score age, so the better-resourced ones pre-register. Domains are bought in bulk, parked on placeholder pages or benign content, and left to mature for weeks before activation — we covered one variant of this in our homograph research. Aged domains cost more and are a real evasion, but they also leave their own tell: a domain that spent sixty days serving a parking page and then suddenly grew a login form has a content age of one day, whatever the registration record says. This is why age is scored alongside behaviour, never instead of it.
When young domains are innocent
Fresh registration alone convicts nothing. Legitimate young domains appear constantly: product launches, event microsites, rebrands, regional storefronts. What separates them from campaign infrastructure is everything else — they do not clone another brand's login page, geofence crawlers, or post form data to a different origin. A useful rule: age raises the cost of trust; behaviour decides it.
A domain registered on Tuesday asking for your password on Wednesday has a résumé of one day. You are allowed to ask for references.
How this surfaces in a scan
When Voretix scans a URL on recently registered infrastructure, the findings card flags it explicitly — newly registered domain, with the age in days — as its own signal, independent of the heuristic and AI verdicts. Cross-reference it with two other cards: the certificate validity window (infrastructure assembled all at once tends to have a cert as young as the domain) and the redirect chain (fresh domains hiding behind aged redirectors are a classic shape). When all three point the same direction, you are usually looking at a campaign in its first 48 hours — exactly the window where reputation feeds are still blind.
Frequently asked questions
Are newly registered domains always malicious?
No — product launches, event microsites and rebrands are young too. Age raises the cost of trust; what the page does (cloned logins, cross-origin form posts, cloaking) decides the verdict.
How do I check how old a domain is?
A Voretix scan flags newly registered domains in its findings with the age in days, and the TLS certificate validity window gives a second, independent timestamp for when the infrastructure was assembled.
Why do phishing domains live for such a short time?
A phishing domain is a consumable: every extra day is another chance to be reported and blocklisted before it earns anything. Operators register, deliver, harvest and abandon — usually inside a week.