Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.

The .es domains that host the malicious content, like the fake Microsoft sign-in portals, are in most cases randomly generated rather than crafted by a human. For potential targets, this potentially makes it easier to spot a lookalike/typosquat-style URL.