Kyndryl, Inc. successfully secured the transfer of the disputed domain cacfkyndryl.net, which closely mimicked the company’s legitimate ‘cacf.kyndryl.net’ sub-domain used for its CACF solution. The respondent configured MX records to facilitate corporate impersonation via email and redirected web traffic to pages containing malware and pay-per-click links. WIPO Panelist Lynda M. Braun ruled that the domain was registered and used in bad faith, ordering its immediate transfer.
Case Snapshot
| Case Number | D2025-4219 |
|---|---|
| Complainant | Kyndryl, Inc. |
| Respondent | Host Master, Transure Enterprise Ltd |
| Disputed Domain | cacfkyndryl.net |
| Threat Tactic | Corporate Impersonation |
| Decision Date | 2025-12-14 |
| Panelist | Lynda M. Braun |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4219 |
Implications of Solution-Specific Mimicry and Active Mail Exchanger Configurations
The targeting of specialized enterprise sub-domains poses a high-risk commercial threat to brand owners. In this dispute, the registration of the domain name cacfkyndryl.net directly mimicked the legitimate cacf.kyndryl.net sub-domain used by Kyndryl to deliver its CACF solution. By mimicking a specific service interface rather than a general corporate homepage, this tactical approach increases the likelihood that technical clients or enterprise partners will be deceived during routine business operations. Users directed to the disputed domain experienced erratic web redirects, which routed them to pay-per-click links and unauthorized software landing pages, including a fake ‘McAfee Total Security’ page containing malware. Although the case record contains no direct evidence that customers actually downloaded malware or experienced documented financial losses, the exposure to these security hazards threatens to compromise customer trust and dilute the integrity of the primary brand.
The risk of fraud is further compounded by the technical setup of the disputed domain, specifically the configuration of active Mail Exchanger (MX) records. By establishing MX records, the respondent enabled the domain to be integrated into functioning email addresses capable of pretending to originate from Kyndryl, Inc. This technical capability permits sophisticated corporate impersonation, opening the door for potential business email compromise (BEC) and spear-phishing campaigns targeted at employees, vendors, or customers. While the evidence does not show that any specific phishing emails were actively transmitted to third parties, the unauthorized integration of the registered trademark alongside a solution-specific prefix creates an immediate infrastructure threat that brand owners must rapidly neutralize.
Legal Analysis: Sub-Domain Mimicry, Threat Redirects, and MX Configurations under WIPO Review
The Panelist’s analysis of confusing similarity under paragraph 4(a)(i) of the UDRP Policy focused on the wholesale incorporation of Kyndryl’s registered trademarks. Kyndryl established its rights via USPTO Registration Nos. 7,070,586 and 7,070,585. Panelist Lynda M. Braun observed that the disputed domain name, cacfkyndryl.net, integrates the KYNDRYL mark in its entirety, merely prefixing it with the letters "cacf". This combination directly mimics Kyndryl’s legitimate enterprise sub-domain, cacf.kyndryl.net, which is used to deliver its proprietary CACF solution. The addition of a descriptive prefix and the generic Top-Level Domain (gTLD) ".net" does not prevent a finding of confusing similarity, as the registered trademark remains highly recognizable within the disputed domain name.
Under the second element, the Panelist determined that the Respondent, Host Master, Transure Enterprise Ltd, possesses no rights or legitimate interests in the disputed domain name. The domain name did not resolve to a site hosting a bona fide offering of goods or services. Instead, the traffic was routed to randomized third-party websites, including a landing page containing malware under the guise of "McAfee Total Security", a redirect to "Norton" software, and a pay-per-click (PPC) page with third-party sponsored hyperlinks. The Panelist affirmed that leveraging a trademark-infringing domain to distribute malware or generate commercial revenue through PPC links does not constitute a legitimate noncommercial or fair use under paragraph 4(c)(iii) of the Policy.
In establishing bad faith under the third element of the Policy, the legal reasoning addressed both the deceptive redirection tactics and the underlying technical configurations. The Panelist found that the Respondent registered and used the domain name to intentionally attract Internet users for commercial gain by creating a likelihood of confusion with Kyndryl’s mark as to the source, sponsorship, affiliation, or endorsement of the website. Crucially, the configuration of Mail Exchanger (MX) records demonstrated an active setup to facilitate email-based corporate impersonation of the Complainant. Although the record did not prove that specific phishing emails were dispatched, the technical preparation of MX records combined with malicious web redirection provided clear indicators of bad faith targeting and commercial exploitation.
Strategic Target Alignment and Technical Evidence of Bad Faith
Kyndryl’s successful strategy relied on aligning its registered trademark rights with its specific enterprise IT infrastructure architecture. By demonstrating that it delivers its CACF solution via the legitimate sub-domain ‘cacf.kyndryl.net’, the Complainant established that the Respondent’s registration of ‘cacfkyndryl.net’ on September 2, 2025, was a highly targeted exploitation rather than a coincidental combination. Proving that the prefix ‘cacf’ combined with the registered ‘KYNDRYL’ marks (including USPTO Registration Nos. 7,070,586 and 7,070,585) directly mirrored an active corporate environment allowed the Complainant to build an irrefutable case of confusing similarity designed to deceive enterprise customers.
Crucially, the Complainant secured the transfer by presenting concrete technical indicators of bad faith beyond standard web traffic diversion. Kyndryl documented that the disputed domain resolved to various unauthorized pages, including malware alerts and pay-per-click links, while also showing that the Respondent had configured Mail Exchanger (MX) records. This evidentiary approach is highly instructive for brand owners, as it demonstrates that proving the technical capacity for email-based corporate impersonation is sufficient to establish bad faith use under the UDRP, even without direct evidence that actual phishing emails were dispatched or that consumers suffered financial harm.
Practical Recommendations
- Monitor domain registration logs specifically for patterns that collapse known enterprise sub-domains (e.g., ‘cacf’) into the second-level domain structure alongside your brand name, as attackers frequently target IT service portals for corporate impersonation.
- Implement automated DNS alert systems to scan for active Mail Exchanger (MX) record configurations on newly registered typosquatted domains, enabling security teams to preemptively block inbound emails from these domains in secure email gateways (SEGs).
- When documenting bad faith for UDRP complaints, deploy continuous web-capture tools to record rotating or randomized redirection paths, such as fake software updates, malware warnings, and pay-per-click landing pages, which prove non-bona fide commercial use.
- Correlate threat intelligence data—specifically active MX records and deceptive landing pages—to fast-track WIPO UDRP filings under paragraph 4(b)(iv) of the Policy, leveraging the established precedent that combining brand names with active mail setups constitutes clear bad faith.
Frequently Asked Questions (FAQ)
Why was the domain ‘cacfkyndryl.net’ considered confusingly similar to Kyndryl’s trademarks?
The Panel found the domain confusingly similar because it integrated the registered KYNDRYL mark in its entirety, coupled with the ‘cacf’ prefix, which deliberately mimicked Kyndryl’s legitimate ‘cacf.kyndryl.net’ sub-domain used for its enterprise CACF solution.
What evidence established that the Respondent had no rights or legitimate interests in the disputed domain?
The Respondent’s lack of rights was proven by its failure to make a bona fide use of the domain. Instead, the domain resolved to unauthorized landing pages hosting malware, impersonating security software like McAfee and Norton, and displaying commercial pay-per-click links.
How did the Panelist determine that the Respondent acted in bad faith?
Bad faith was established by the Respondent’s intentional efforts to exploit the KYNDRYL mark for commercial gain and, critically, the configuration of Mail Exchanger (MX) records, which enabled the Respondent to conduct email-based corporate impersonation of the Complainant.
What is the primary business risk highlighted by the tactics used in this case?
The case highlights the danger of ‘sub-domain mimicry’ combined with active email infrastructure; by setting up MX records, the Respondent positioned the domain to intercept or send fraudulent communications, posing a significant risk for spear-phishing and business email compromise (BEC) campaigns.
Facing corporate impersonation through a domain?
The Kyndryl case demonstrates how attackers use MX records and sub-domain mimicking to facilitate sophisticated brand impersonation and email fraud. If you have identified domains configured for email routing that attempt to spoof your corporate infrastructure, speak with our team about a proactive UDRP assessment.
This case note is for informational purposes only and is not legal advice.



