Threat Indicators

Active infrastructure analysis that identifies when suspicious domains are prepared for malicious activities.

What are Threat Indicators?

Threat indicators are signs that a suspicious domain has moved beyond simple registration and is actively being prepared for malicious use. While many suspicious domains are registered but never used, threat indicators help identify domains that pose immediate danger to your brand and customers.

Our system continuously monitors the infrastructure setup of detected domains, analyzing DNS records, SSL certificates, and other technical indicators to assess the actual threat level posed by each domain.

How We Detect Threat Indicators

Our threat analysis system performs comprehensive infrastructure monitoring by:

  • Querying DNS records for web and mail infrastructure setup
  • Monitoring SSL certificate issuance through Certificate Transparency logs
  • Analyzing email security configurations (SPF, DKIM, DMARC)
  • Tracking changes in infrastructure over time
  • Contextual service pattern analysis - detecting when domains mimic legitimate service patterns (e.g., mailgoogle.com vs mail.google.com)

Critical Threat Indicators

Full Infrastructure Setup

Domain has complete infrastructure including web servers, mail servers, and security configurations. This indicates the domain is fully operational and ready for immediate use in attacks.

Risk: Indicates active preparation for phishing or fraud operations

Professional Email Infrastructure

Domain has professional email setup with proper SPF, DKIM, and DMARC configurations. This suggests sophisticated attackers who understand email authentication and are preparing for email-based attacks.

Risk: High likelihood of being used for convincing phishing emails

Mail Infrastructure Ready

Domain has configured MX records and basic email infrastructure, indicating preparation for email-based attacks such as phishing campaigns or business email compromise.

Risk: Prepared for email phishing and social engineering attacks

Phishing Ready

Domain shows specific indicators of phishing preparation, such as SSL certificates for credential harvesting pages, specific DNS configurations, or infrastructure patterns commonly used in phishing operations.

Risk: Actively configured for credential theft and data harvesting

Web Infrastructure Ready

Domain has basic web infrastructure with A/AAAA records pointing to web servers. This indicates the domain is prepared to host websites, potentially including fake login pages or malicious content.

Risk: Capable of hosting malicious websites and fake login pages

Service Impersonation

Domain mimics legitimate service patterns by combining known service prefixes with brand names. Examples include mailgoogle.com impersonating Gmail (mail.google.com), or loginpaypal.com mimicking PayPal login pages.

This attack vector is particularly dangerous because users are familiar with these service patterns and may not notice the missing subdomain separator, making them highly susceptible to deception.

Risk: Extremely high user deception potential - exploits familiar service patterns
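As an added illustration of the "missing separator" check described above (example code, not the product's own detection logic), the following Python flags registrations that glue a well-known service prefix directly onto a protected brand name. The prefix and brand lists are constructed for the example; it also treats the hyphenated form (mail-google.com) as the same pattern, which is an assumed extension of what the page describes.

```python
# Added example (not the product's code): flag the "missing separator"
# pattern, where a service prefix is glued onto a brand name
# (mailgoogle.com instead of mail.google.com). The prefix and brand lists
# are constructed for this illustration; the hyphenated variant
# (mail-google.com) is an assumed extension of the pattern.

# Constructed: prefixes that normally appear as subdomains of real services.
SERVICE_PREFIXES = frozenset({
    "mail", "login", "signin", "secure", "account", "accounts",
    "support", "pay", "www", "my",
})

# Constructed: brand names the monitoring is protecting.
PROTECTED_BRANDS = ("google", "paypal", "microsoft")


def registrable_label(domain):
    """Split 'mailgoogle.com' into ('mailgoogle', 'com').

    Only the label directly left of the TLD is examined, so a legitimate
    subdomain such as mail.google.com yields ('google', 'com') and is not
    flagged. Returns (None, None) for input that is not a dotted hostname.
    """
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None, None
    return parts[-2], parts[-1]


def detect_service_impersonation(domain, prefixes=SERVICE_PREFIXES, brands=PROTECTED_BRANDS):
    """Return a finding dict if the domain glues a service prefix onto a brand, else None."""
    label, tld = registrable_label(domain)
    if label is None:
        return None
    for brand in brands:
        # The brand itself (google.com) is not an impersonation; the label must
        # end with the brand and carry something in front of it.
        if label == brand or not label.endswith(brand):
            continue
        head = label[: -len(brand)]
        joiner = "-" if head.endswith("-") else ""
        prefix = head.rstrip("-")
        if prefix in prefixes:
            return {
                "domain": domain.strip().lower(),
                "prefix": prefix,
                "brand": brand,
                "joiner": joiner,
                # The legitimate hostname shape the registration imitates.
                "resembles": f"{prefix}.{brand}.{tld}",
            }
    return None


def scan(domains):
    """Run the check over a batch and keep only the hits, in input order."""
    return [f for f in (detect_service_impersonation(d) for d in domains) if f]


if __name__ == "__main__":
    # Constructed sample feed of newly observed registrations.
    for hit in scan(["mailgoogle.com", "loginpaypal.com", "mail.google.com",
                     "google.com", "accounts-microsoft.net", "newsletter.example"]):
        print(f"{hit['domain']:28} resembles {hit['resembles']} "
              f"(prefix={hit['prefix']}, brand={hit['brand']})")
```

Because only the label left of the TLD is tested, the check stays quiet on the brand's own hostnames and on ordinary subdomains, and fires only when the prefix and brand have been fused into a single registrable label.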

Threat Scoring System

Each threat indicator contributes to the overall infrastructure risk assessment, with higher levels indicating more immediate and serious threats:

  • Critical Risk: Immediate threat - fully operational
  • High Risk: Advanced preparation - likely active soon
  • Medium Risk: Basic infrastructure - monitoring required
  • Low Risk: Minimal infrastructure - dormant domain

Why Infrastructure Analysis Matters

  • Prioritization: Focus response efforts on domains with active infrastructure
  • Early warning: Detect malicious activity before attacks are launched
  • Attack sophistication: Understand the technical capabilities of attackers
  • Response planning: Tailor countermeasures based on infrastructure setup

Continuous Monitoring

Threat indicators are not static - our system continuously monitors suspicious domains for changes:

  • Real-time DNS monitoring: Detect when domains add new infrastructure
  • Certificate tracking: Monitor SSL certificate issuance and changes
  • Infrastructure evolution: Track how domains develop over time
  • Escalation alerts: Immediate notifications when dormant domains become active
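To make the scoring tiers above and the escalation alerting concrete, here is an added Python example (not the vendor's code) that maps a DNS and Certificate Transparency snapshot onto the named indicators, derives a risk tier, and reports when a later snapshot of the same domain lands in a higher tier. The record sets are constructed, and the tier thresholds are an assumed mapping of the page's indicators onto its four levels rather than the product's actual rules.

```python
# Added example (not the product's code): score a domain's infrastructure
# from a DNS/CT snapshot and raise an escalation when a later snapshot
# lands in a higher tier. The record sets below are constructed, and the
# tier thresholds are an assumed mapping of the page's indicators onto its
# four risk levels, not the vendor's actual scoring rules.
from dataclasses import dataclass, field

TIER_ORDER = ("Low", "Medium", "High", "Critical")


@dataclass
class DnsSnapshot:
    """Records observed for one domain at one point in time."""
    domain: str
    a: list = field(default_factory=list)          # apex A records
    aaaa: list = field(default_factory=list)       # apex AAAA records
    mx: list = field(default_factory=list)         # MX hostnames
    txt: list = field(default_factory=list)        # apex TXT (SPF lives here)
    dmarc_txt: list = field(default_factory=list)  # TXT at _dmarc.<domain>
    dkim_selectors: list = field(default_factory=list)  # selectors answering at <sel>._domainkey
    ct_certs: int = 0                              # certificates seen in CT logs


def has_spf(snap):
    return any(t.strip().lower().startswith("v=spf1") for t in snap.txt)


def has_dmarc(snap):
    return any(t.strip().lower().startswith("v=dmarc1") for t in snap.dmarc_txt)


def indicators(snap):
    """Map raw records onto the named indicators the page describes."""
    found = []
    web = bool(snap.a or snap.aaaa)
    mail = bool(snap.mx)
    email_auth = has_spf(snap) and has_dmarc(snap) and bool(snap.dkim_selectors)
    if web:
        found.append("web_infrastructure_ready")
    if web and snap.ct_certs > 0:
        found.append("tls_certificate_issued")
    if mail:
        found.append("mail_infrastructure_ready")
    if mail and email_auth:
        found.append("professional_email_infrastructure")
    if web and mail and email_auth:
        found.append("full_infrastructure_setup")
    return found


def risk_tier(found):
    """Assumed thresholds: full stack -> Critical; authenticated mail or
    web+mail -> High; any single piece -> Medium; nothing -> Low."""
    if "full_infrastructure_setup" in found:
        return "Critical"
    if "professional_email_infrastructure" in found or (
        "web_infrastructure_ready" in found and "mail_infrastructure_ready" in found):
        return "High"
    if found:
        return "Medium"
    return "Low"


def assess(snap):
    found = indicators(snap)
    return {"domain": snap.domain, "indicators": found, "tier": risk_tier(found)}


def escalation(previous, current):
    """Return (old_tier, new_tier) when the tier rose between snapshots, else None."""
    old, new = risk_tier(indicators(previous)), risk_tier(indicators(current))
    if TIER_ORDER.index(new) > TIER_ORDER.index(old):
        return old, new
    return None


# Constructed snapshots of one look-alike domain taken days apart.
DORMANT = DnsSnapshot("brand-login.example")
WEB_ONLY = DnsSnapshot("brand-login.example", a=["203.0.113.10"], ct_certs=1)
FULL = DnsSnapshot(
    "brand-login.example",
    a=["203.0.113.10"], mx=["mx1.mailhost.example"],
    txt=["v=spf1 include:mailhost.example -all"],
    dmarc_txt=["v=DMARC1; p=none; rua=mailto:dmarc@brand-login.example"],
    dkim_selectors=["s1"], ct_certs=2,
)

if __name__ == "__main__":
    for snap in (DORMANT, WEB_ONLY, FULL):
        print(assess(snap))
    print("escalation:", escalation(DORMANT, FULL))
```

Keeping the indicator names separate from the tier logic means the escalation alert can carry both the new tier and the specific records that caused it (for example the appearance of MX plus SPF/DKIM/DMARC), which is what a responder needs to pick the right action from the recommendations below.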

Response Recommendations

When threat indicators are detected, consider these immediate actions:

Critical/High Risk Domains

  • Immediate legal action (UDRP, cease and desist)
  • Abuse reporting to hosting providers and registrars
  • Customer alerts and security warnings
  • Monitoring for active attacks and content analysis

Medium Risk Domains

  • Enhanced monitoring and periodic reassessment
  • Proactive legal preparation and documentation
  • Internal team notifications and awareness

Low Risk Domains

  • Continue monitoring for infrastructure changes
  • Document for potential future action
  • Include in regular brand protection reports