I am guessing they have undisclosed private intel vendor telling them which domains are "malicious", or they are looking at compromises and auditing how malware domain is/isn't being blocked as part of their response.