> Nobody is actually doing anything interesting with these.
Now wait a second, that's not at all true. In my experience there are armies of people who use them to launch targeted phishing attacks at my business if they buy the goddamn thing before I do.
At a certain point if you are lucky enough to have a business that's worth targeting, every new gTLD is just another fuck.ing security expense.
Most phishing I've encountered comes from .com, in my experience. Everything but ccTLDs seems to be listed in some kind of spam filter (I tried to email from a personal .xyz domain for a while, it just doesn't work). .ru is also quite popular for some reason, but that seems to be mostly untargeted phishing attempts. Most shit comes from legitimate(-looking) gmail.coms and outlook.coms.
I have a feeling people trust .com and .net more than they trust .zip and .mov. Without .com, the URL just looks weird to some people.
I can see why you dislike new TLDs if you're trying to protect your company, but you'll always have that problem. It's not like you're going to transfer money to the Taliban to register yourcompany.af, but criminals don't care, the money they transfer is probably stolen anyway.
One exception is the fact that there's an international bank called "ING". They've already registered bank.ing but I don't think they can come close to claiming all possible phishing attempts for their customer base.
While what you say is completely true, unfortunately how I do my own security has very little to do with how my customers do their security. I see ccTLD and gTLD used in spearphishing and domain impersonation attacks on a frequent enough basis that I have form letters for the abuse reports. Start collecting some backscatter with a DMARC policy and you might be surprised at what you discover.
Turns out companies don't want to abandon whatever perfectly good domain they've already been using for decades just so they can have a funny TLD, who would've thought. Only new brands can really benefit from it.
Modern TLDs are used in various smaller services. squoosh.app comes to mind for something I use. The Fediverse is also full of alternative TLDs: lots of .social, .chat, .lol, .place, and .world in the instance list. .com has been exhausted for a while, if you don't want to buy your new domain from a squatter you'll probably need to go through thisworddoesnotexist.com or register domains that look like .onion URLs.
If squatters and registrars weren't so shite, I could absolutely see a new service with a name like "share.zip" or "you.mov" taking off. call.ing seems like a perfect domain for a video chat service. Too bad these domains cost several thousands of dollars (as a starting price).
Too bad any domain with fewer than five letters has been registered by the companies selling these domains the moment the TLDs came out.
Domains aren't used by multi-million-dollar companies, but plenty of blogs and other independent servers are using the alt-TLDs.
Is phish.ing available?