They don’t even need to hijack the actual TLD. Just have an internal catch all that is defined on their internal DNS. Then the sender has to double confirm the addresses before it’d be passed through.
And if the senders are mostly within the US military and are thus resolving that domain through their infrastructure, changing the outgoing domain resolution configuration for the mail servers may be able to help with this.
Yeah, you don't have to route those emails. I'm pretty sure the number of people sending emails to both .mil and .ml are a dozen people in the State Dept.