Residential proxies are hiding in plain sight inside enterprise networks

Network World [Unofficial] June 10, 2026

Residential proxy services route internet traffic through consumer devices to make connections appear to originate from real home IP addresses. Security researchers have tracked their use by threat actors for credential stuffing, ad fraud, and denial-of-service operations. What has been less understood is how widely those services have already penetrated enterprise networks, often without IT or security teams knowing.

As it turns out, the risks posed by residential proxies to enterprise networks are widespread. Infoblox analyzed billions of DNS resolutions across its Threat Defense Cloud customer base and revealed just how big a problem it is. Key findings from the research include:

  • Monthly query volume to those domains grew roughly 25% between January 2025 and April 2026, reaching over 500 billion queries per month.
  • Residential proxy traffic appeared in every industry vertical examined, with at least 40% of customers in each sector affected.
  • Over 90% of pharmaceutical and food and beverage customers showed such traffic; more than 60% of government and banking customers did as well.
  • Brightdata, the most prevalent service observed, appeared in over 50% of cloud customer networks.
  • Grass, a cryptocurrency-paying proxy service, appeared in roughly 30% of customer networks.
  • A 265% single-day spike in affected customer networks querying IPIDEA domains occurred around the time Google disrupted that service in January 2026.

“We’ve got over approximately 65% of our cloud customers making connections to residential proxy services, which is kind of crazy,” Renée Burton, vice president of threat intelligence at Infoblox, told Network World. “We’re a company that’s got enterprises, governments, banks, car companies, police departments, and 65% making those connections is a very high number.”

How residential proxies get into enterprise networks

A residential proxy routes internet traffic through consumer devices, including home routers, mobile phones, IoT devices, and applications with embedded proxy software. Unlike commercial VPNs or anonymization tools like Tor, which signal to destination sites that a connection is masked, residential proxies make traffic appear to originate from a specific real consumer device. The destination has no indication the connection is not what it appears to be.

The entry point into enterprise networks is the device itself. Employees connecting personal phones or laptops to corporate Wi-Fi bring any proxy software already running on those devices onto the network. Corporate devices can carry proxy SDKs embedded in consumer applications installed by the user. IoT devices deployed in corporate environments, including media streaming boxes or digital picture frames, may arrive with proxy software pre-installed or receive it through a firmware update.

The software typically enters devices through SDKs that app developers embed to monetize free applications. Common vectors include VPN apps, streaming applications, screensavers, and productivity tools. In many cases, users are enrolled with minimal notice. Burton described one example: A user signs up for a streaming service, and buried across multiple linked terms documents is consent for the device to join a residential proxy pool. Burton said the nominal existence of consent does not resolve the problem. The real question, she said, is whether users understood what they were agreeing to.

Why traditional security controls do not block it

Residential proxy traffic does not register as malicious to standard endpoint or network security tools. The traffic uses legitimate devices and legitimate network protocols. The problem is not the traffic itself but who is generating it.

Burton compared the dynamic to the open resolver problem. An open resolver is a DNS server configured to accept and respond to queries from any IP address, rather than restricting responses to authorized users, which allows outside parties to abuse its network resources. Residential proxies present the same structural problem at the device level.

“It’s very similar to the open resolver problem,” Burton said. “You had these open resolvers, which then allow[ed] someone from outside of your network to actually use your network, originally for DNS, but here they can make full connections.”

The security industry itself uses residential proxies to conduct threat intelligence work, since the traffic appears to originate from real consumer locations. That creates a practical tension Burton described directly. Security companies need residential proxy access to see what threat actors are actually doing, but the same infrastructure creates exposure when it appears inside customer networks.

Residential proxy traffic also introduces risks to enterprise networks, including:

  • Reputational and legal exposure. When residential proxy traffic routes through a corporate IP address and is used for denial-of-service activity, credential stuffing, or connections to malicious infrastructure, that IP address appears in the incident record.
  • Increased alert volume. Proxy users routing through a corporate network are unlikely to observe acceptable use policies, and their activity may trigger a disproportionate volume of security events, raising the analytical burden on defenders.

Recommendations for network defenders

Infoblox outlines several steps network defenders can take to detect and limit residential proxy exposure.

  • Protective DNS. Block queries to known residential proxy orchestration domains. Infoblox tracks these domains and makes them available to customers; they function similarly to command-and-control domains in traditional malware.
  • DNS query log audits. Review DNS query logs for traffic to known residential proxy domains.
  • Application and extension review. Check installed browser extensions and consumer applications on corporate devices for embedded proxy SDKs.
  • IP address verification. Check organizational IP addresses against external tracking resources such as Synthient, which collaborated on the research.
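
The DNS query log audit recommended above can be scripted. The following is an added example, not code from Infoblox or Network World; the log format, the sample lines and the blocklisted domains are constructed placeholders, and a real audit would load the domain list from a protective-DNS or threat-intelligence feed.

```python
from collections import Counter, defaultdict

# Placeholder blocklist (assumption): real orchestration domains come from a
# protective-DNS or threat-intelligence feed, not from this example.
PROXY_DOMAINS = {"proxy-sdk.example", "pool-gateway.example"}

# Constructed sample log; assumed format: "<timestamp> <client IP> <qname> <qtype>"
SAMPLE_LOG = """\
2026-06-10T09:00:01Z 10.1.4.22 api.proxy-sdk.example. A
2026-06-10T09:00:02Z 10.1.4.22 API.Proxy-SDK.example AAAA
2026-06-10T09:00:05Z 10.1.7.90 www.notproxy-sdk.example A
2026-06-10T09:00:09Z 10.1.9.13 pool-gateway.example A
2026-06-10T09:00:11Z 10.1.9.13 intranet.corp.example A
truncated line
"""


def matched_domain(qname, blocklist):
    """Return the blocklisted domain that qname equals or sits under, else None.

    Matching is done on whole DNS labels, so "notproxy-sdk.example" does not
    match "proxy-sdk.example" the way a plain string suffix test would.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def audit(log_text, blocklist):
    """Map each client IP to a Counter of the blocklisted domains it queried."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        _timestamp, client, qname, _qtype = fields
        domain = matched_domain(qname, blocklist)
        if domain is not None:
            hits[client][domain] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, domains in sorted(audit(SAMPLE_LOG, PROXY_DOMAINS).items()):
        for domain, count in domains.most_common():
            print(f"{client} queried {domain} (and subdomains) {count} time(s)")
```

The per-client grouping points the follow-up at specific devices, which is where the application and extension review in the next recommendation starts.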

Technical controls address the symptoms but not the underlying consent problem. Burton argued that informed consent requirements, similar to those introduced for third-party web cookies, are needed at the regulatory level to address how residential proxy networks recruit device owners.

“We need to push into an informed consent,” Burton said.

She added that enterprises face a further complication. As an enterprise, the question becomes even more serious about enterprise control. So, if your employee has consent on their device, but they’re using your network, what does that mean?

“I suspect there will be some sort of … legal or policy or enforcement action, just because it’s crazy,” Burton said. “People are going to pay attention.”
