1. Use wildcard cert to avoid the domains from being logged by CT

2. Avoid Let’s Crypt. Use fronting by trusted providers

3. Use trusted domains and delay the redirection to bypass sandbox

4. Obfuscate your HTML

5. Use old/expired domains or Living Off Trusted Sites

6. Use reverse proxy

7. Block vendors IPs

8. Use CAPTCHA

References