Brand Protection & Anti-Phishing

Find typosquats, lookalike domains, fraudulent registrations, and infrastructure used for credential theft.

Updated May 2026

Brand Protection & Anti-Phishing Documentation

You're watching for abuse of your organization's brand in domain registrations, lookalike infrastructure, and phishing kits.

Quick Triage

Find all domains in the graph that contain your brand name.

// All domains containing the brand name
MATCH (h:HOSTNAME) WHERE h.name CONTAINS "paypal"
RETURN h.name LIMIT 20

Sample output:

[
  {"h.name": "mail-paypal-security.com"},
  {"h.name": "mexico-paypal-fundtransfer.com"},
  {"h.name": "paypal--accountsummary.com"},
  {"h.name": "paypal--auth.com"},
  {"h.name": "paypal--confirm.com"}
]

Tip: CONTAINS searches across the entire hostname string — it will match both paypal.phishing.example and phishing-paypal.example. Combine with LIMIT and review results manually before automating alerts.

Lookalike Prefix Scan

Target domains that start with your brand name followed by common abuse patterns.

// Lookalike domains starting with brand-
MATCH (h:HOSTNAME) WHERE h.name STARTS WITH "paypal-"
RETURN h.name LIMIT 15

Sample output:

[
  {"h.name": "paypal--accountsummary.com"},
  {"h.name": "paypal--auth.com"},
  {"h.name": "paypal--confirm.com"},
  {"h.name": "paypal-comp.lang.modula2.com"}
]

Tip: Run multiple variants: STARTS WITH "yourbrnd-", STARTS WITH "yourbrnd.", CONTAINS "yourbrnd-secure", CONTAINS "yourbrnd-verify". Each pattern catches different typosquatting styles.
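As an added local check (example code, not part of these recipes or the product), the script below emulates the case-sensitive CONTAINS / STARTS WITH predicates from the two queries above over a constructed hostname list, so you can see which variant would have caught each host and where the brand sits in the name before turning a pattern into an alert. The category names, the sample hosts and the "official domain" argument are assumptions for illustration.

```python
# Constructed sample hostnames: the page's sample output plus the official
# domain, a subdomain of it, and a host the CONTAINS query would also return.
SAMPLE_HOSTS = [
    "paypal.com", "www.paypal.com", "mail-paypal-security.com",
    "paypal--confirm.com", "paypal.phishing.example", "phishing-paypal.example",
    "paypal-comp.lang.modula2.com", "secure-login.example",
]

def variants(brand):
    """Predicate variants from the tips above as (label, operator, needle)."""
    return [
        ("contains-brand", "CONTAINS", brand),
        ("prefix-hyphen", "STARTS WITH", brand + "-"),
        ("prefix-dot", "STARTS WITH", brand + "."),
        ("contains-secure", "CONTAINS", brand + "-secure"),
        ("contains-verify", "CONTAINS", brand + "-verify"),
    ]

def matching_variants(hostname, brand):
    """Labels of the variants that would match this hostname. Cypher string
    predicates are case-sensitive, so no lower() here: a mixed-case record in
    the graph is missed unless hostnames were normalised on ingest."""
    hits = []
    for label, op, needle in variants(brand):
        if (hostname.startswith(needle) if op == "STARTS WITH" else needle in hostname):
            hits.append(label)
    return hits

def classify(hostname, brand, official):
    """Where the brand sits in the name, for triaging broad CONTAINS results."""
    if hostname == official or hostname.endswith("." + official):
        return "official"
    labels = hostname.split(".")
    if brand in labels:                                    # paypal.phishing.example
        return "brand-label"
    if any(l.startswith(brand + "-") for l in labels):     # paypal--confirm.com
        return "brand-prefix"
    if any(brand in l for l in labels):                    # mail-paypal-security.com
        return "brand-embedded"
    return "none"

def triage(hosts, brand, official):
    """Non-official brand mentions with their category and the variants that caught them."""
    return [(h, classify(h, brand, official), matching_variants(h, brand))
            for h in hosts if classify(h, brand, official) not in ("official", "none")]
```

Note that "mail-paypal-security.com" is caught only by the broad CONTAINS query and by none of the prefix variants, which is why the tip recommends running several patterns.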

Deep Dive Investigation

Phishing Cluster Mapping

A suspicious domain was reported. Find all other domains on the same IP — they may be part of the same phishing kit deployment.

// All domains sharing an IP with a suspicious domain
MATCH (h1:HOSTNAME {name: "paypal--confirm.com"})
      -[:RESOLVES_TO]->(ip:IPV4)
      <-[:RESOLVES_TO]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, ip.name AS shared_ip LIMIT 20

Tip: Cross-check the related domains against your brand watchlist — a single phishing kit deployment often targets multiple brands.

WHOIS Registrant Analysis

Check whether a suspicious domain was registered by a known bad actor.

// Registration details for a suspicious domain
MATCH (h:HOSTNAME {name: "paypal--confirm.com"})
OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)
OPTIONAL MATCH (h)-[:HAS_EMAIL]->(e:EMAIL)
OPTIONAL MATCH (h)-[:REGISTERED_BY]->(org:ORGANIZATION)
RETURN h.name, collect(DISTINCT r.name) AS registrar,
       collect(DISTINCT e.name) AS emails,
       collect(DISTINCT org.name) AS org

Tip: If the WHOIS email appears in other suspicious domain registrations, use the shared-email pivot query to map the full cluster.

Shared Nameserver Detection

Find all domains that use the same nameservers as a known abusive domain.

// All domains using the same nameservers as the seed domain
MATCH (ns:HOSTNAME)-[:NAMESERVER_FOR]->(seed:HOSTNAME {name: "paypal--confirm.com"})
WITH ns
MATCH (ns)-[:NAMESERVER_FOR]->(other:HOSTNAME)
WHERE other.name <> "paypal--confirm.com"
RETURN other.name AS related_domain, ns.name AS nameserver LIMIT 20

Tip: Phishing operators often reuse the same DNS provider or self-operated nameserver across their campaigns. A nameserver cluster is one of the most durable infrastructure signals.

Threat Feed Status

Check whether a suspicious domain is already tracked by threat intelligence.

// Is this domain listed in any threat feed?
MATCH (h:HOSTNAME {name: "paypal--confirm.com"})-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN h.name, f.name

Tip: An empty result means the domain isn't yet in any feed — not that it's clean. Brand-new phishing domains are often ahead of feed coverage. Combine feed checks with CALL explain() for a broader signal.

Find sites that reference your brand's official domain — useful for identifying parked domains or phishing pages that embed official logos by linking back.

// External sites that link to your domain
MATCH (source:HOSTNAME)-[:LINKS_TO]->(h:HOSTNAME {name: "cloudflare.com"})
RETURN source.name LIMIT 15

Sample output:

[
  {"source.name": "0x1.academy"},
  {"source.name": "12345.ae"},
  {"source.name": "151.ae"}
]

Tip: Legitimate backlinking is common and noisy. Look for newly registered domains or domains with threat feed hits in the source list.