One Phishing Domain Is Never Just One


Kaveh Azarhoosh
Community & Research Lead
Your security team detects a phishing domain impersonating your brand. They block it, report it, maybe submit a takedown request. Case closed.
Except it isn't.
That domain didn't appear in isolation. It was registered alongside dozens of others, parked on shared infrastructure, configured through the same nameservers, and issued certificates by the same authority. While you blocked one, the rest sit dormant, waiting to rotate into action the moment defenders move on.
Blocking a single phishing domain while ignoring its infrastructure connections is like closing one door while leaving the rest of the building wide open.
Phishing at scale
Phishing campaigns don't operate one domain at a time. Modern threat actors register infrastructure in bulk—tens, hundreds, sometimes thousands of lookalike domains designed to impersonate trusted brands. They spread these across hosting providers, age some for weeks to build reputation, and rotate through them as each gets flagged or taken down.
The economics favour the attacker. Domains are cheap. Registration is fast. And most defensive responses are reactive: detect, block, repeat. By the time a domain lands on a blocklist, the attacker has already moved traffic to the next one in the queue.
This is why phishing remains so persistent despite years of investment in detection. Defenders are playing whack-a-mole against an adversary who pre-positioned the moles.
Infrastructure reveals the campaign
Here's what changes the equation: phishing domains share infrastructure.
Not by accident, by necessity. Attackers building campaigns at scale make choices that leave traces. They favour certain registrars. They cluster registrations around similar timestamps. They reuse nameservers, park domains on the same IPs, obtain certificates from the same issuers. These patterns exist because operating infrastructure at scale requires consistency, and consistency creates fingerprints.
When you detect one phishing domain, you're looking at a single node in a larger network. The question is whether you can see the rest of it.
Graph-based analysis makes this possible. Instead of treating each domain as an isolated indicator, you map its relationships: which IP does it resolve to? What else resolves to that IP? Who registered it, and what other domains were registered through the same account or at the same time? What nameservers does it use, and what else shares them?
Follow these connections, and a single detection expands into a campaign map. Domains that haven't yet been weaponised become visible, not because they've been reported, but because they're structurally connected to infrastructure you've already identified as malicious.
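As an added illustration of the pivot described above (this is not code from the original post or from Whisper), the following Python walks a constructed set of infrastructure records from one confirmed phishing domain to its neighbours. Domain names, IPs, nameservers and account ids are all constructed; the one caveat it builds in is that attribute values shared by very many domains (a CDN IP, a public CA) link everything to everything and must not be used as pivots.

```python
from collections import defaultdict, deque

# Constructed passive-DNS/WHOIS-style records, one dict per domain (not real data).
# ip = resolved address, ns = nameserver, reg = registrant account, ca = cert issuer.
RECORDS = {
    "acme-secure-login.com":   {"ip": "203.0.113.10", "ns": "ns1.bulkdns.example", "reg": "acct-7731", "ca": "LE"},
    "acme-verify-account.net": {"ip": "203.0.113.10", "ns": "ns1.bulkdns.example", "reg": "acct-7731", "ca": "LE"},
    "acme-billing-update.org": {"ip": "203.0.113.11", "ns": "ns1.bulkdns.example", "reg": "acct-7731", "ca": "LE"},
    "acme-help-desk.info":     {"ip": "203.0.113.11", "ns": "ns2.other.example",   "reg": "acct-5050", "ca": "LE"},
    "legit-news-site.example": {"ip": "198.51.100.5", "ns": "ns1.cdn.example",     "reg": "acct-0001", "ca": "LE"},
    "another-shop.example":    {"ip": "198.51.100.5", "ns": "ns1.cdn.example",     "reg": "acct-0002", "ca": "LE"},
    "flower-blog.example":     {"ip": "198.51.100.6", "ns": "ns1.cdn.example",     "reg": "acct-0003", "ca": "LE"},
}

PIVOT_KEYS = ("ip", "ns", "reg", "ca")


def build_index(records):
    """Invert the records: (attribute, value) -> set of domains sharing that value."""
    index = defaultdict(set)
    for domain, attrs in records.items():
        for key in PIVOT_KEYS:
            index[(key, attrs[key])].add(domain)
    return index


def expand_cluster(records, seed, max_hops=2, max_shared=5):
    """Breadth-first pivot from a confirmed phishing domain over shared attributes.

    Returns {domain: (hops_from_seed, explanation)}. A value shared by more than
    max_shared domains is treated as commodity infrastructure (shared hosting,
    a public CA) and is skipped, because it is no evidence of a common operator.
    """
    index = build_index(records)
    found = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = found[domain][0]
        if hops >= max_hops:
            continue
        for key in PIVOT_KEYS:
            value = records[domain][key]
            neighbours = index[(key, value)]
            if len(neighbours) > max_shared:
                continue  # hub node: too widely shared to pivot on
            for other in neighbours:
                if other not in found:
                    found[other] = (hops + 1, f"shares {key}={value} with {domain}")
                    queue.append(other)
    return found


if __name__ == "__main__":
    for domain, (hops, why) in sorted(expand_cluster(RECORDS, "acme-secure-login.com").items()):
        print(f"{hops} hop(s): {domain:28s} {why}")
```

Lowering max_shared makes the pivot stricter: with max_shared=2 only the IP shared by exactly two domains survives as evidence, and the cluster shrinks accordingly.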
From reactive to pre-emptive
This shift, from blocking individual domains to mapping campaign infrastructure, transforms phishing defence from reactive to pre-emptive.
Instead of waiting for each domain to appear in an inbox, trigger a detection, and earn a place on a blocklist, defenders can pivot from one confirmed phishing domain to its infrastructure neighbours. They can block related domains before the first email is sent. They can identify registration patterns and monitor for new domains that match the signature.
The attacker's advantage (cheap, fast, bulk infrastructure) becomes a vulnerability. The same operational consistency that enables scale also creates detectable patterns for anyone with visibility into the graph.
Seeing the network
Whisper connects phishing domains to their underlying infrastructure (registration patterns, hosting, DNS, BGP routing, and certificates) so security teams can expand a single detection into a full campaign map.
One phishing domain is never just one. The question is whether you can see the rest. Start mapping them today with a free Whisper API key.