How to detect lookalike domains

Homoglyphs, homographs, lookalike domains, and typosquats

Background

Some phishing attacks involve a domain that is a very close lookalike of your own domain. For example, if your company's domain is acme.com, an adversary may send an email to one of your organization's executives from a domain such as 'acne.com', hoping that the executive does not notice the single-character substitution that makes it a completely different DNS domain.

See here for more information about homoglyph attacks.

Replace example.com with your domain, or any domain you want to protect. Consider adjusting the edit distance threshold to the length of your domain: a short domain has many unrelated domains within an edit distance of 2, so a lower value reduces false positives, while a longer domain can tolerate a higher value.

Detect inbound messages where the sender domain is a typosquat of your domain

Will return true if the sender's root domain is a typosquat of the protected domain. So exanple.com or ecample.com would be flagged by this rule, but example.com or example12345.com would not be flagged. The final condition excludes your own domain explicitly, because it has an edit distance of 0 and would otherwise match.

type.inbound
and edit_distance(sender.email.domain.root_domain, 'example.com') <= 2
and sender.email.domain.root_domain != 'example.com'

Detect inbound messages where the sender domain is a typosquat of one of several domains you are protecting

Some organizations may have multiple domains. You can write a rule to detect typosquats and protect as many different domains as you like.

For example, let's say you have 3 domains: example.com, example-europe.com, and example-finance.com. The following rule would identify inbound emails that try to typosquat on any of those 3 domains.

Will return true if the sender's root domain is a typosquat of any of the protected domains. The edit-distance checks are combined with or, since a sender domain can only be close to one of the protected domains at a time.

type.inbound
and (
  edit_distance(sender.email.domain.root_domain, 'example.com') <= 2
  or edit_distance(sender.email.domain.root_domain, 'example-europe.com') <= 2
  or edit_distance(sender.email.domain.root_domain, 'example-finance.com') <= 2
)
and sender.email.domain.root_domain not in ('example.com', 'example-europe.com', 'example-finance.com')

Detect inbound messages where a link in the body is a typosquat of a protected domain

Will return true if any body link points to a typosquat of the protected domain. Links to example.com itself are excluded inside the any() predicate, since the exact domain has an edit distance of 0 and would otherwise match; messages sent from the protected domain are excluded as well.

type.inbound
and any(body.links,
        edit_distance(.href_url.domain.root_domain, 'example.com') <= 2
        and .href_url.domain.root_domain != 'example.com')
and sender.email.domain.root_domain != 'example.com'
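The following is an added example, not Sublime Security's code or the rule engine itself: a plain-Python model of the three rules above, so you can see how Levenshtein edit distance and the self-domain exclusion behave on sample sender and link domains before deploying a rule. It assumes a simplified root_domain() that keeps only the last two DNS labels; the platform's root_domain uses the public suffix list, so multi-label suffixes such as co.uk are not handled here. The Message class, the sample messages and the PROTECTED list are constructed for the example.

```python
"""Added example (not Sublime Security's code): a plain-Python model of the
three typosquat rules on this page, built on Levenshtein edit distance.

Assumption: root_domain() keeps only the last two DNS labels. The platform's
root_domain uses the public suffix list, so multi-label suffixes such as
co.uk are not handled by this simplification.
"""
from dataclasses import dataclass, field

# Domains being protected (constructed sample values) and the threshold
# used throughout the page.
PROTECTED = ("example.com", "example-europe.com", "example-finance.com")
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def root_domain(host: str) -> str:
    """Simplified root domain: last two labels, lower-cased (see assumption above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_typosquat(host: str, protected=PROTECTED, max_distance=MAX_DISTANCE) -> bool:
    """True when the root domain is within max_distance of any protected domain
    but is not itself a protected domain (which would match at distance 0)."""
    d = root_domain(host)
    if d in protected:
        return False
    return any(edit_distance(d, p) <= max_distance for p in protected)


@dataclass
class Message:
    """Constructed stand-in for the fields the rules read."""
    sender_domain: str                                  # sender.email.domain
    link_domains: list = field(default_factory=list)    # body.links[].href_url.domain


def sender_typosquat(msg: Message, protected=PROTECTED) -> bool:
    """Rules 1 and 2 on the page: the sender's root domain is a typosquat."""
    return is_typosquat(msg.sender_domain, protected)


def body_link_typosquat(msg: Message, protected=PROTECTED) -> bool:
    """Rule 3: some body link is a typosquat, and the sender is not one of ours."""
    if root_domain(msg.sender_domain) in protected:
        return False
    return any(is_typosquat(link, protected) for link in msg.link_domains)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        Message("exanple.com"),
        Message("mail.example.com"),
        Message("partner.net", ["example.com", "exannple.com"]),
        Message("example12345.com", ["example.com"]),
    ]
    for m in samples:
        print(m.sender_domain, "sender:", sender_typosquat(m),
              "links:", body_link_typosquat(m))
```

Run it and compare with the page's worked cases: exanple.com and ecample.com are flagged, example.com and example12345.com are not, and a message whose only link is example.com itself is not flagged by the link rule. The root-domain step matters: mail.example.com resolves to example.com and is excluded, which is why the rules compare root_domain rather than the full host.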