From Blocking to Removing: How TrendAI and CleanDNS Are Taking Attacker Infrastructure Offline

For years, the cybersecurity industry has focused on blocking malicious infrastructure — adding bad domains to blocklists, filtering traffic, and sinkholing connections. But blocking doesn't stop attackers; it just forces defenders to play whack-a-mole as criminals spin up new domains by the thousands.

A new partnership between Trend Micro's TrendAI and CleanDNS is changing that equation. Instead of just blocking attacker infrastructure, they're working to remove it from the internet entirely.

The Problem With Just Blocking Malicious Domains

Attackers register tens of thousands of domains every day to host phishing kits, malware command-and-control servers, fake login pages, and credential harvesters. Traditional defences focus on three responses:

  1. Detect the malicious domain through threat intelligence

  2. Block it at the firewall, DNS resolver, or email gateway

  3. Alert users and security teams

The issue? The malicious domain is still live. It can still be reached by users on unprotected networks, mobile devices outside the corporate perimeter, or organisations without enterprise-grade security stacks — which describes a huge number of New Zealand SMEs.

What TrendAI and CleanDNS Are Doing Differently

According to Trend Micro's announcement, the partnership combines two complementary capabilities:

TrendAI: Detection at Scale

TrendAI uses machine learning to analyse domain registration patterns, DNS infrastructure, hosting relationships, and behavioural signals to identify malicious domains — often before they're used in attacks. This proactive detection means threats can be flagged within hours of registration rather than days or weeks.

CleanDNS: Automated Takedowns

CleanDNS specialises in abuse remediation — the often-painful process of getting registrars, hosting providers, and DNS operators to actually suspend malicious domains. By automating evidence packaging and abuse reporting, CleanDNS dramatically reduces the time between detection and takedown.

Together, the two systems form a pipeline: TrendAI identifies the threat, CleanDNS removes it from the internet. Instead of millions of organisations individually blocking the same bad domain, the domain itself disappears.

Why This Matters for New Zealand Businesses

Kiwi businesses face the same phishing and impersonation threats as anywhere else — but often with smaller security teams and tighter budgets. When attackers register lookalike domains like inland-revenue-nz.com or anz-secure-login.co, the impact can be devastating.

Faster takedowns benefit everyone because:

  • Phishing campaigns have shorter lifespans, meaning fewer victims

  • Brand impersonation attacks against NZ banks, government agencies, and well-known retailers get neutralised quicker

  • Supply chain attacks that rely on typo-squatted vendor domains lose effectiveness

  • SMEs without dedicated security teams benefit automatically, without needing to subscribe to threat feeds

What You Can Still Do at the Domain Level

While takedown services work behind the scenes, you still need strong defences for your own domain. Attackers love to impersonate businesses that haven't locked down their email authentication. Here's the baseline every NZ business should have:

1. Publish a Strict SPF Record

Limit who can send email on behalf of your domain:

v=spf1 include:_spf.google.com include:spf.example-esp.com -all

The -all at the end means "reject anything not listed" — far stronger than ~all (soft fail).

2. Enable DKIM Signing

DKIM cryptographically signs your outbound mail. Most providers (Microsoft 365, Google Workspace, Xero, Mailchimp) generate the keys for you — you just publish them as TXT records:

selector1._domainkey.yourdomain.co.nz   TXT   "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

3. Deploy DMARC With Enforcement

DMARC tells receiving mail servers what to do with messages that fail SPF or DKIM. Start in monitoring mode, then move to enforcement. The record below is the enforcement end state:

_dmarc.yourdomain.co.nz   TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; pct=100; adkim=s; aspf=s"

A p=reject policy means anyone spoofing your domain gets their mail bounced — denying attackers a key tool.
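To check steps 1 to 3 against records you have already published, the sketch below audits SPF and DMARC strings for the weak settings discussed above (a non-hard-fail `all`, a policy other than `p=reject`, partial `pct`, no `rua`). It is an added example, not code from Trend Micro, CleanDNS or the original post; the function names and the two weaker sample records are assumptions constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup; SPF (RFC 7208) allows at most 10.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _name(term):
    """Mechanism or modifier name without its qualifier and argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, names = [], [_name(t) for t in terms[1:]]
    lookups = sum(n in DNS_LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10")
    all_terms = [t for t in terms[1:] if _name(t) == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted senders are not failed")
    elif all_terms and not all_terms[0].startswith("-"):
        findings.append(f"'{all_terms[0]}' does not hard-fail unlisted senders")
    return findings

def audit_dmarc(record):
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to review")
    return findings

# Records from the section above, plus constructed weaker variants.
PAGE_SPF = "v=spf1 include:_spf.google.com include:spf.example-esp.com -all"
PAGE_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; "
              "pct=100; adkim=s; aspf=s")
SOFT_SPF = "v=spf1 include:_spf.google.com ~all"      # constructed
MONITOR_DMARC = "v=DMARC1; p=none; pct=50"            # constructed

if __name__ == "__main__":
    for audit, rec in ((audit_spf, PAGE_SPF), (audit_spf, SOFT_SPF),
                       (audit_dmarc, PAGE_DMARC), (audit_dmarc, MONITOR_DMARC)):
        print(rec, "->", audit(rec) or "ok")
```

Feed it the TXT values returned by your DNS provider or a `dig TXT` lookup; an empty list means none of the checked weaknesses were found.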

4. Monitor for Lookalike Domains

The TrendAI/CleanDNS approach focuses on removing impersonation domains, but you should also monitor for them yourself. Watch for:

  • Domains using your brand with .com, .net, .online, .info instead of .co.nz

  • Typo-squats (yourbussiness.co.nz, yuorbusiness.co.nz)

  • Homoglyphs using non-Latin characters that look identical to English letters

  • Subdomain tricks like yourbusiness.co.nz.login-secure.com

If you find one, report it to the hosting provider, the registrar, and CERT NZ.
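As a starting point for your own monitoring, the sketch below sorts observed hostnames (from newly registered domain feeds, certificate transparency logs or mail logs) into the four patterns listed above. It is an added example, not part of the original post or of TrendAI/CleanDNS; the function names, the small confusables map and the sample hostnames are assumptions constructed for illustration.

```python
# Constructed mini confusables map (Cyrillic -> Latin); real data is far larger.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0455\u0456",
                            "aeopcysi")

def osa_distance(a, b):
    """Edit distance: insert, delete, substitute, or swap adjacent letters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def decode_label(label):
    """Unicode form of a DNS label, decoding punycode (xn--) when present."""
    try:
        puny = label.startswith("xn--")
        return label[4:].encode().decode("punycode") if puny else label
    except UnicodeError:
        return label

def classify(host, brand_domain):
    """Return the lookalike category for host, or None if nothing matches."""
    host, brand = host.lower().rstrip("."), brand_domain.split(".")[0]
    if host == brand_domain or host.endswith("." + brand_domain):
        return None  # the real domain or one of its own subdomains
    if f".{brand_domain}." in f".{host}":
        return "subdomain trick"
    for label in map(decode_label, host.split(".")):
        if not label.isascii():
            if osa_distance(label.translate(CONFUSABLES), brand) <= 1:
                return "homoglyph"
        elif label == brand:
            return "TLD swap"
        elif osa_distance(label, brand) == 1:
            return "typo-squat"
    return None

# Constructed sample hostnames, based on the patterns listed above.
SAMPLES = ["yourbusiness.com", "yourbussiness.co.nz", "yuorbusiness.co.nz",
           "y\u043eurbusiness.co.nz", "yourbusiness.co.nz.login-secure.com",
           "mail.yourbusiness.co.nz"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", classify(h, "yourbusiness.co.nz"))
```

The edit-distance threshold of 1 keeps false positives low for short brand names; widen it with care and review matches by hand before reporting them.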

The Bigger Picture: Cybersecurity as a Collective Effort

The TrendAI and CleanDNS collaboration represents an important shift in how the industry thinks about defence. Blocking is a per-organisation game; takedowns are a collective good. Every domain that gets pulled offline protects everyone — from a multinational enterprise down to a Christchurch tradie checking email on their phone.

For New Zealand businesses, the takeaway is twofold:

  1. Trust the ecosystem — your security vendors, ISPs, and government partners are increasingly working together to remove threats rather than just block them.

  2. Lock down your own domain — because the fastest way to stop attackers impersonating you is to make it technically impossible for their emails to be delivered.

Source

This post summarises the original announcement from Trend Micro. Read the full article here: TrendAI and CleanDNS: From Blocking Attacker Infrastructure to Removing It From the Internet.
