Brand Protection & Anti-Phishing

Find typosquats, lookalike domains, fraudulent registrations, and infrastructure used for credential theft.

Updated May 2026

Brand Protection & Anti-Phishing Documentation

You're watching for abuse of your organization's brand in domain registrations, lookalike infrastructure, and phishing kits.

Quick Triage

Find Registered Typosquatting Variants

Your brand is paypal.com and you want to know which look-alike domains have actually been registered — without hand-writing dozens of STARTS WITH and CONTAINS patterns.

// Generate typosquatting variants and keep only the registered ones
CALL whisper.variants("paypal.com")
YIELD variant, method, confidence, confidenceLabel
RETURN variant, method, confidence, confidenceLabel LIMIT 20

Sample output:

[
  {"variant": "aypal.com", "method": "OMISSION", "confidence": 0.7, "confidenceLabel": "medium"},
  {"variant": "pypal.com", "method": "OMISSION", "confidence": 0.7, "confidenceLabel": "medium"},
  {"variant": "papal.com", "method": "OMISSION", "confidence": 0.7, "confidenceLabel": "medium"}
]

Tip: whisper.variants() runs the domain through more than a dozen generation methods — character omission, repetition, transposition, keyboard-adjacent typos, homoglyphs, bitsquatting, and TLD swaps — and by default returns only variants that are registered. A registered variant is not automatically malicious: pass each hit to CALL explain() for a threat verdict, then check where it resolves.
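To make the generation methods in the tip concrete, here is an added Python generator for a brand watchlist. It is not the product's whisper.variants(); the method set, confidence scores, keyboard-neighbour and homoglyph tables are assumptions, and it does not check registration (that is the graph's job).

```python
# Added example, not the product's whisper.variants(): a small typosquat
# variant generator for a brand watchlist. Method set, confidence values and
# the neighbour/homoglyph tables are assumptions, not the product's own.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}
KEYBOARD = {"a": "qwsz", "l": "kop", "p": "ol", "y": "tugh"}  # partial QWERTY map
TLD_SWAPS = ["net", "org", "co", "cm"]
CONFIDENCE = {"OMISSION": 0.7, "TRANSPOSITION": 0.7, "REPETITION": 0.6,
              "HOMOGLYPH": 0.6, "KEYBOARD": 0.5, "BITSQUAT": 0.5, "TLD_SWAP": 0.4}


def confidence_label(score):
    return "high" if score >= 0.8 else "medium" if score >= 0.6 else "low"


def variants(domain):
    """Return look-alikes of `domain` as dicts shaped like the page's output."""
    label, tld = domain.lower().rsplit(".", 1)
    found = {}  # variant -> method; the first method to produce a string wins

    def add(new_label, method, new_tld=tld):
        cand = f"{new_label}.{new_tld}"
        # keep only valid DNS labels, never the brand itself, no duplicates
        if new_label and cand != domain and set(new_label) <= ALLOWED and cand not in found:
            found[cand] = method

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "OMISSION")             # drop one char
        add(label[:i] + ch + label[i:], "REPETITION")          # double one char
        if i < len(label) - 1:                                  # swap neighbours
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "TRANSPOSITION")
        for n in KEYBOARD.get(ch, ""):                          # adjacent key
            add(label[:i] + n + label[i + 1:], "KEYBOARD")
        if ch in HOMOGLYPHS:                                    # visually similar char
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "HOMOGLYPH")
        for bit in range(8):                                    # single bit flip
            add(label[:i] + chr(ord(ch) ^ (1 << bit)) + label[i + 1:], "BITSQUAT")
    for t in TLD_SWAPS:                                         # same label, other TLD
        add(label, "TLD_SWAP", t)

    return sorted(
        ({"variant": v, "method": m, "confidence": CONFIDENCE[m],
          "confidenceLabel": confidence_label(CONFIDENCE[m])} for v, m in found.items()),
        key=lambda r: (-r["confidence"], r["variant"]),
    )


if __name__ == "__main__":
    for row in variants("paypal.com")[:10]:
        print(row)
```

The resulting list is the candidate set you would then look up in the graph (MATCH (h:HOSTNAME {name: variant})) to see which are actually registered.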

Find all domains in the graph that contain your brand name.

// All domains containing the brand name
MATCH (h:HOSTNAME) WHERE h.name CONTAINS "paypal"
RETURN h.name LIMIT 20

Sample output:

[
  {"h.name": "mail-paypal-security.com"},
  {"h.name": "mexico-paypal-fundtransfer.com"},
  {"h.name": "paypal--accountsummary.com"},
  {"h.name": "paypal--auth.com"},
  {"h.name": "paypal--confirm.com"}
]

Tip: CONTAINS searches across the entire hostname string — it will match both paypal.phishing.example and phishing-paypal.example. Combine with LIMIT and review results manually before automating alerts.

Lookalike Prefix Scan

Find domains that start with your brand name followed by a separator, the shape most common abuse patterns take.

// Lookalike domains starting with brand-
MATCH (h:HOSTNAME) WHERE h.name STARTS WITH "paypal-"
RETURN h.name LIMIT 15

Sample output:

[
  {"h.name": "paypal--accountsummary.com"},
  {"h.name": "paypal--auth.com"},
  {"h.name": "paypal--confirm.com"},
  {"h.name": "paypal-comp.lang.modula2.com"}
]

Tip: Run multiple variants: STARTS WITH "yourbrand-", STARTS WITH "yourbrand.", CONTAINS "yourbrand-secure", CONTAINS "yourbrand-verify". Each pattern catches a different typosquatting style.

Deep Dive Investigation

Trace Where Typosquatting Variants Point

You have a list of registered look-alike domains. The next question is operational: which ones are live, and what infrastructure are they sitting on? This chains the variant generator straight into DNS resolution.

// Registered variants that resolve, with their IP addresses
CALL whisper.variants("paypal.com")
YIELD variant, method
WITH variant, method
MATCH (h:HOSTNAME {name: variant})-[:RESOLVES_TO]->(ip:IPV4)
RETURN variant, method, ip.name AS resolves_to LIMIT 20

Sample output:

[
  {"variant": "aypal.com", "method": "OMISSION", "resolves_to": "103.224.212.202"},
  {"variant": "pypal.com", "method": "OMISSION", "resolves_to": "199.191.50.130"},
  {"variant": "papal.com", "method": "OMISSION", "resolves_to": "100.20.5.222"}
]

Tip: A variant that resolves to a parking IP is squatting; one that resolves to a live host with a mail server is a phishing risk. Feed the resolves_to addresses into the "Hunt for Co-Hosted Domains" and threat-listing recipes to see whether the variant shares infrastructure with known-bad domains.

Phishing Cluster Mapping

A suspicious domain was reported. Find all other domains on the same IP — they may be part of the same phishing kit deployment.

// All domains sharing an IP with a suspicious domain
MATCH (h1:HOSTNAME {name: "paypal--confirm.com"})
      -[:RESOLVES_TO]->(ip:IPV4)
      <-[:RESOLVES_TO]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, ip.name AS shared_ip LIMIT 20

Tip: Cross-check the related domains against your brand watchlist — a single phishing kit deployment often targets multiple brands.

WHOIS Registrant Analysis

Check whether a suspicious domain was registered by a known bad actor.

// Registration details for a suspicious domain
MATCH (h:HOSTNAME {name: "paypal--confirm.com"})
OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)
OPTIONAL MATCH (h)-[:HAS_EMAIL]->(e:EMAIL)
OPTIONAL MATCH (h)-[:REGISTERED_BY]->(org:ORGANIZATION)
RETURN h.name, collect(DISTINCT r.name) AS registrar,
       collect(DISTINCT e.name) AS emails,
       collect(DISTINCT org.name) AS org

Tip: If the WHOIS email appears in other suspicious domain registrations, use the shared-email pivot query to map the full cluster.

Shared Nameserver Detection

Find all domains that use the same nameservers as a known abusive domain.

// All domains using the same nameservers as the seed domain
MATCH (ns:HOSTNAME)-[:NAMESERVER_FOR]->(seed:HOSTNAME {name: "paypal--confirm.com"})
WITH ns
MATCH (ns)-[:NAMESERVER_FOR]->(other:HOSTNAME)
WHERE other.name <> "paypal--confirm.com"
RETURN other.name AS related_domain, ns.name AS nameserver LIMIT 20

Tip: Phishing operators often reuse the same DNS provider or self-operated nameserver across their campaigns. A nameserver cluster is one of the most durable infrastructure signals.

Threat Feed Status

Check whether a suspicious domain is already tracked by threat intelligence.

// Is this domain listed in any threat feed?
MATCH (h:HOSTNAME {name: "paypal--confirm.com"})-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN h.name, f.name

Tip: An empty result means the domain isn't yet in any feed — not that it's clean. Brand-new phishing domains are often ahead of feed coverage. Combine feed checks with CALL explain() for a broader signal.

Find sites that link to your brand's official domain. This is useful for identifying parked domains and phishing pages that link back to the official site, for example to embed its logos.

// External sites that link to your domain
MATCH (source:HOSTNAME)-[:LINKS_TO]->(h:HOSTNAME {name: "cloudflare.com"})
RETURN source.name LIMIT 15

Sample output:

[
  {"source.name": "0x1.academy"},
  {"source.name": "12345.ae"},
  {"source.name": "151.ae"}
]

Tip: Legitimate backlinking is common and noisy. Look for newly registered domains or domains with threat feed hits in the source list.