You do realize that most of the domains that are used for malware distribution are registered well in advance until they are needed?
It is common practice to pre-register domains many months in advance before a new campaign is launched.
I have found that most "New" domains within the last 30 days are actually legitimate newbie sites.
Thank you for your reply (though I struggle to read past "you do realize" as a sentence lead thanks to an irritating coworker who uses it too often :-) ).
I agree that while many are registered in advance, most that hit my inbox via phishing campaigns with uncategorized URLs are often quite newly registered, and nearly always malicious. Born-on dates of domains are a useful classifier ANDed with Uncategorized that helps the shoulder shrugging of "uncategorized." Domains pre-registered in advance can also be easily seeded into a category with the right content, but my experience is that there are many attackers and domains that don't bother. Blocking uncategorized && newer than 30 days is a policy from which a lot of environments would block some badness they otherwise wouldn't. We're able to be more nimble than most though (I can see how this'd be a pain in bigger environments). https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564 has an interesting discussion of the topic from 2 years ago indicating some appliances have this capability.
At any rate, I see this is a duplicate topic of this from a few months back (Set rules on the base of domain registration date) wherein the answer appears to be "no" currently for us MWG folk.
Might be one for the product enhancement database, but I imagine it'd be in Trusted Source where the domain registration date is most useful to implement rather than in MWG.
If you have a way to gather the data related to recently registered domains, you could theoretically use a customer-subscribed list.
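The policy discussed in this thread (uncategorized AND registered within the last 30 days), sketched as an added example that is not from any poster and is not MWG or Trusted Source code. It assumes a registration-date feed and category verdicts are already available as simple mappings; all domains, dates and function names are constructed for illustration, and the output is a plain domain list rather than any product's list format.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)  # "newer than 30 days" threshold from the thread

# Constructed sample feed (not real registrations): domain -> creation date.
REGISTRATIONS = {
    "fresh-invoice-portal.example": "2024-05-20T08:15:00Z",
    "old-parked-campaign.example": "2023-09-01T00:00:00Z",
    "new-hobby-blog.example": "2024-05-28T12:00:00Z",
    "no-whois-data.example": None,
}
# Constructed category verdicts; None stands for "uncategorized".
CATEGORIES = {
    "fresh-invoice-portal.example": None,
    "old-parked-campaign.example": None,
    "new-hobby-blog.example": "Blogs",
    "no-whois-data.example": None,
}

def parse_created(value):
    """Parse an ISO 8601 creation date; return None when absent or malformed."""
    if not value:
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def decide(domain, now, registrations=REGISTRATIONS, categories=CATEGORIES):
    """Return 'block', 'allow' or 'review' for one registered domain."""
    if categories.get(domain) is not None:
        return "allow"   # categorized: leave it to the normal category policy
    created = parse_created(registrations.get(domain))
    if created is None:
        return "review"  # age unknown: neither silently allowed nor blocked
    return "block" if now - created <= MAX_AGE else "allow"

def build_blocklist(now, registrations=REGISTRATIONS, categories=CATEGORIES):
    """Domains for a subscribed list: uncategorized AND at most 30 days old."""
    return sorted(d for d in registrations
                  if decide(d, now, registrations, categories) == "block")

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for d in REGISTRATIONS:
        print(f"{d:32} {decide(d, now)}")
    print("subscribed list:", build_blocklist(now))
```

The sample data covers both positions in the thread: the newly registered categorized site is left alone, while the uncategorized domain registered months earlier passes the age check and is not caught by this rule.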