Hackernoon logoDisposable Email Domains: A Possible COVID-19 Attack Vector by@WhoisXMLAPI

Disposable Email Domains: A Possible COVID-19 Attack Vector

WhoisXML API Hacker Noon profile picture


Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.

Since the virus’s emergence in early January 2020, COVID-19 has been widely used in various malicious campaigns online. Several disposable email domains using the term “coronavirus” and its variations have appeared since then.

While not all these COVID-19-related disposable email domains may have been created with malicious intent, some still could have been used for nefarious purposes. With that in mind, companies may want to consider detecting and possibly blocking communications coming from related disposable email domains to avoid cyber threats as well as possible freemium service abuses.

Detecting disposable email domains is doable with the help of tools like disposable email domain data feeds. We used one such tool to analyze these feeds and present our findings in this post.

COVID-19-Related Terms and Detecting Disposable Email Domains

The coronavirus is proving to be not just a physical but also a virtual threat. Apart from avoiding the disease, people the world over also need to be on the lookout for COVID-19-related security threats every time they go online, given statistics like:

  • From January to April 2020, 907,000 coronavirus-related spam messages, 737 malware incidents, and 48,000 malicious URLs were detected, according to an INTERPOL report.
  • One in three cyber attacks in 2020 is COVID-19-related, according to the U.K. National Cyber Security Centre (NCSC).
  • Coronavirus-themed phishing attacks increased by 220% at the height of the pandemic compared to the yearly average, according to F5’s phishing and fraud report. 

We looked at the disposable email domain data feeds from March 2020 to March 2021. The data revealed an increase in COVID-19-themed disposable email domains over time, especially between May and June 2020.

Chart 1: The number of coronavirus-themed disposable email domains shows an increase over time.

Of the four strings tracked—“corona,” “covid,” “vaccine,” and “pandemic”—“corona” was the most commonly used term for disposable email domains. Domains containing “covid” followed, then those with “vaccine” and “pandemic.”

Chart 2: A majority of the disposable email domains obtained from the feeds contained the string “corona.”

That finding isn’t surprising, as a similar trend is reflected by the interest in the search terms over the past 12 months, according to Google Trends.

Examples of the disposable email domains obtained from the data feeds include corona-virus-live[.]ru, applyforcovid19relief[.]com, plantbasedvaccine[.]com, and pandemic[.]cloud.

Further checks on VirusTotal showed that corona-virus-live[.]ru, for instance, was flagged for phishing, not to mention tagged “suspicious” by several vendors. Applyforcovid19relief[.]com is another example of a domain that was reported as malicious as well.

With this in mind, it may be a good idea to track email domains that contain the four strings using a disposable email domain data feed, conduct further analysis, and block these, if needed. The examples above are just a few that could be included in organizations’ blocklists.

Moreover, an analysis of the top-level domain (TLD) extensions used revealed that a vast majority (i.e., more than a third of the total number) fell under .com.

Chart 3: The most popular TLDs among the disposable email domains were .com, .online, and .xyz.

It isn’t surprising to see most of the disposable email domains use .com, as this remains the most popular TLD worldwide as of October 2020. The TLD lends an email address more credibility since most companies still prefer .com when creating their own websites. It’s also worth noting that among the new generic TLDs (gTLDs), .online and .xyz top the most commonly used list. Alphabet (i.e., Google’s parent company), for instance, uses the domain abc[.]xyz.

Organizations that wish to stay safe from coronavirus-themed threats may want to be especially cautious of disposable email domains that use the TLDs in Chart 4. They can configure their email security software to flag emails using temporary addresses containing the four strings mentioned earlier, especially those sporting the TLDs above.  


As this post showed, the usage trend for COVID-19-related disposable email domains is consistent with the volume of coronavirus-themed threats. It may be worth monitoring and consequently filtering out disposable email domains using the strings featured here as an additional precautionary measure. Since their owners can’t easily be determined, they may figure in malicious campaigns.


Join Hacker Noon

Create your free account to unlock your custom reading experience.