July 15, 2026
🐑Red Team Domain Shepherding🤠
How to properly warm your domains for phishing and other red team operations, with a new AI augmented automation tool: flockFront. Learn…

By Robert Scocca
12 min read
How to properly warm your domains for phishing and other red team operations, with a new AI augmented automation tool: flockFront. Learn aging, categorization and traffic cultivating techniques, so your emails land in inboxes and initial access is assured.
As I've talked about at length, phishing has gotten intense. Every organization makes their employee's click through dozens of hours of training videos, every security team has email filtering controls out the wazoo. The threat of phishing has been top of mind for decades, as such, numerous anti-phishing technologies have been developed. This makes our job of building phishing simulations increasingly difficult, on a technical and social engineering level. A key piece of the puzzle is your domain reputation that your command-and-control as well as phishing infrastructure has to contend with on the path to having an effective phishing link or payload execution.
Domain reputation serves as the digital credit score for your offensive infrastructure, dictating whether your servers are viewed as a benign, trusted entity or a malicious threat. Red teams that actively nurture their domains through strategic aging, proper categorization, and clean traffic patterns can bypass these security controls, while neglected or newly minted domains are immediately flagged as high-risk, shattering the effectiveness of our operations.
Man, this is a lot of hoops to jump through. Perhaps the juice is not worth the squeeze. Perhaps the best phishing campaign is no phishing at all. The only way to win is to not play. You'll have time better spent attempting initial access through vishing, smishing or sliding in Insta DM's than trying to trick someone through email for your red team or phishing simulation.
However, if you insist on starting your phishing campaign, I'll walk you though step one. This starts with your domain. Ideally this starts months in advance. I know this isn't a popular starting point in our instant-gratification dopamine saturated hellscape. Yet, if you want to shepherd your precious domains through the wide open fields of the internet and protect them from the blue team wolves, you need the patience of Christ our Lord.
You'll learn below the whole domain shepherding process step by step, in painstaking detail, complete with screenshots and hand-holding.
- How to select a good domain tailored to your social engineer ploy
- How to background-check your domain
- How to watch over your herd with Cloudflare
- How to cultivate domain categorization, age and web traffic
- Pointers how to weaponize domain for phishing action
- How to use flockFront to automate everything.
Choosing Your Sheep — Domain Selection
For Jesus, the world is his flock, but for us heathens, we need to be a bit more discriminating… mostly because of budget concerns. Every phishing campaign begins with picking your domains with extreme prejudice. It really doesn't matter which domain registrar you purchase from. Personally I use the no-frills, no nonsense Porkbun. It does matter which domains you select though. It helps if your domain naming is related to the specific social engineering ploy you're trying to carry out (like a computer service provider sounding name for a IT Help Desk related ploy) or to approximate the specific company or organization you're trying to phish.
Lookalike vs. generic domains
If you happen to work for one specific company or do phishing for a few repeat customers, I highly recommend using a tool like dnstwist to find domains up for grabs that approximate the name of your clients real domain. Naturally, targets of your phishing ploy will be more likely to fall for a phishing link that approximates their companies name.
However, if you don't know who your client is going to be week to week or you work on more of a 'consulting' basis, you'll want to opt for picking more generic, unrelated "trusted category" domains that aren't limited to any particular company or ploy. Instead you want your domains to be more flexible to be used in multiple scenarios. Trusted categories such as education, health, finance, e-commerce, use your imagination and create a trustworthy sounding health and wellness business name but is actually unhealthy and hiding daggers like vitaminwater.com or frootloops.org.
Generally this is my go-to strategy because later you can then set a subdomain to mimic your clients domain such as evilcorp.vitaminwater.com. Or if your social engineering ploy calls for a specific online service or login portal you can tailor your subdomain to that like spotify.itheretohelp.com or gmail.itheretohelp.com. With this strat you can buy a bunch of domains now and worry about specific ploys and implementations later, a robust approach.
TLDs and Duration
It's also worth prioritizing selecting only .com, .org or .net domains. Those .io and .xyz may be cheaper but are generally more suspicious looking to your future clickers. More importantly, many organizations block these less common Top Level Domains (TLDs) all together, which would really kill our campaign before it even starts.
In terms of how long to buy your domain, selecting for just one year and deciding to manually extend your ownership is best. It's unlikely your domain will survive being burnt for more than a year of use. Rough life cycle of a domain is 3–9 months of aging and forgetting about it, then rocking and rolling for a campaign or two before it's stamped as a bad boy domain by the powers that be and it's officially 'burnt'.
Background-check your Domain
Don't commit to anything before you do your due diligence. You don't know where that domain has been! It's possible the one that has caught your eye has been used and abused in the past. Luckily, we can check who previously used the domain, what it was used for, etc to make sure we have a clean domain who kept their virtue and said their prayers before bed every night.
I'll demonstrate by scoping out a fresh domain and walk through all the processes from initial vetting to long term shepherding. First I'll pick a generic sounding health and wellness product name like 'Bread in a Can'.
First let's check if there are any obvious no-no bad boy points associated with this domain on Virustotal and URLscan.io.
This domain for sure has a long history, but doesn't look like it was used for malicious purposes, by your friendly neighborhood APT, ever. We can be especially prudent by checking for any red flags in the historical WHOIS records as well as for any freaky stuff on the WayBackMachine.
Looks like we are in the clear. Now let's buy it!
Create a account, enter some credit card details, search and add your domain to cart, purchase and boom, you're proud owner of BreadInACan.com. Some nice things like a free SSL cert and WHOIS Privacy comes for free by default with Porkbun.com as well.
Begin Watching Over Your Flock With Cloudflare
Now to really get into how the sausage is made: begin with making a Cloudflare account. From there, you can manage your new domain more easily and use Cloudflare Workers for free web hosting. We will also use Cloudflare Workers to begin warming the site, drawing traffic and bots to it for favorable web categorization. This is where your shepherding activities will take place most of the time, as well as where you can quickly manipulate the DNS records in the future to weaponize the domain for your phishing campaign.
Once logged in, click the following in the upper right corner of the Cloudflare user interface to add your domain.
Type in your domain name and click 'Continue'.
Select the free plan.
There are a bunch of DNS records set by Porkbun by default, don't worry about that for now and just click 'Continue to activation'.
To be able to control your domain you just purchased on Porkbun from Cloudflare, all you need to do is replace the name servers. Note the Cloudflare nameservers.
Back in your Porkbun account, in the upper right, select 'Domain Management'.
The click the little 'NS' box under your domain.
Delete all these Porkbun nameservers.
Replace it with the two Cloudflare nameservers and click save, then 'ok'.
Now back in Cloudflare, scroll down and click 'I updated my nameservers'.
It will take a minute for the DNS servers of the internet to propagate with these changes to your new domain. If you're impatient you can click this button to check on the progress.
It says it can take hours but I've found it usually takes less than 10 minutes.
Our Lamb has no Wool.
Our domain has no website, an anonymous owner (WHOIS Privacy) but lots of potential. We have a domain with minutes of registration history(bad) and no categorization(worse). To the internet, this is deeply suspicious. The solution is to dress up our domain with a fresh coat of paint in the form of a new website and just wait for bots to crawl it and categorize it. As for domain age, our domain will age like fine wine, time is on our side.
Next, delete all those old DNS records to make way for our new website.
Now go to 'Quick search' and type in 'workers' then click on 'Workers & Pages'.
In the upper right, click 'Create application', 'Start with Hello World!', then 'Deploy'.
Then go to your 'Domains' -> 'Add Domain' -> select your domain name then hit 'Add Domain' a final time.
Disable the worker.dev domain so that bots don't confuse between the worker.dev domain and our real domain for categorization.
Then we can edit our website's code
Currently we have a blank slate. On the right hand side our website renders with a cute 'Hello World!' message. On the left hand side we have Javascript that we can edit to have any website we so desire. Now to just hire a web developer to create a website to reflect our health food brand breadinacan.com so our domain can be properly crawled, aged and categorized as a legitimate business website!
Scratch that part about hiring a web developer, because it's current year and software developers are all obsolete. Simply go to your LLM of choice and ask it to create a website for you. I'll use Gemini as an example.
Simply copy the code, paste it back in the text editor on the right hand side of the Cloudflare user interface, and click 'Deploy' in the upper right.
Click the refresh button and you'll see our new site done! See for yourself: https://breadinacan.com/
Now the hard part… the waiting! 3–6 months in and you'll have your domain categorized and bots crawling it, making it look like a legitimate website. From the 'Domains -> Overview' tab in Cloudflare you'll be able to watch the traffic roll in over the months.
This is How we Win
We can check our categorization process with this site. https://urlfiltering.paloaltonetworks.com/query/
Most of the time when you purchase a new domain, it'll start out as 'uncategorized' or 'Uknown' like so:
Yet, because our breadinacan.com website has a 15 year history as an e-commerce site in the past, it's already categorized! Score! Nonetheless, we still want to keep our website up for the purposes of drawing web traffic and aging the domain. Big factors for email filtering.
Here is an example of a domain and website I stood up months ago using the same methodology for categorization, aging and web traffic. Similarly I chose a healthcare theme for the site. It started out with 'Unknown' and ended up in our desired state of 'Health-and-Medicine', a very trustworthy category!
Weaponization
The payoff here is actually switching the code in the Cloudflare worker from benign business stuff to a phishing page for the purposes of capturing credentials or eliciting some sort of action not in the user's best interest. How to specifically do that is outside the scope of this blog post, but I'll re-post the screenshot of the Cloudfare worker IDE and invite you to use your imagination.
You can put any Javascript or HTML code you want here. You have a more or less trusted domain to leverage for phishing campaign from this page. There is lots of potential for abuse here. There are countless other blog posts about how Cloudflare workers are being exploited in creative ways by white hat and black hat hackers like.
A u t o m a t i o n
This is great and all but wow does it take a lot of time to click through all of these buttons to set up a single webpage. I'm a busy hackerman or woman or hackerperson! Good point, especially when you have 12 domains that you just purchased and want to get this niece process over with. I created a small tool to automate this part of the process called flockFront. You can find it here.
How to use the script? You need to have purchased a domain already and set up your NS servers to work with Cloudflare, as we walked through above. Assuming that is all in order, you just need to create an Cloudflare API key to work with the script. Go to dash.cloudflare.com/profile/api-tokens.
Click Create Token → scroll to the bottom → Create Custom Token (skip the templates).
- Give it a name, e.g.
flockFront. - Under Permissions, add three rows:
Zone→Zone→ReadAccount→Workers Scripts→EditZone→Workers Routes→Edit
Click Continue to summary → Create Token. Copy the token shown. Cloudflare only displays it once. Be sure to copy it and put it in your password manager of choice. If you don't have one, I don't know how you made it this far.
Now we can rock and roll, this time we will give our domain an educational theme.
What took us 15 minutes of clicking between websites and panels and copy pasting now took us a few seconds. That saves lots of man-hours when doing this in bulk with many phishing domains.
Now with AI!!!!!!!!!!!!
Even better, you can use your Gemini or Claude API key to create a webpage that is non-deterministically generated with LLMs.
Oh yea, that is much nicer… Wouldn't you trust your money with this firm?
In our Cloudflare GUI, we can access our new Worker, tweak the webpage as we desire or weaponize it in the future.
For some concrete examples, to get your imagination going, here are some clickfix pages I used on engagements recently: