The 36-Rule Brand Impersonation Scan

Lookalike domains are often registered before phishing, impersonation, or invoice-fraud campaigns. We discover them from the outside — using publicly available signals — and show which ones have the strongest observable signs of abuse readiness.

  • 36 rules
  • 9 categories
  • 10/50/100 lookalike candidates analyzed (FREE/STANDARD/EXECUTIVE)

What We Analyze on Every Lookalike Domain

  • Registration & WHOIS: 6 rules
  • DNS & Hosting: 5 rules
  • Web Content: 6 rules
  • Mail Infrastructure: 7 rules
  • SSL / TLS: 4 rules
  • Reputation & Corroboration: 4 rules
  • Similarity Scoring: 2 rules
  • Composite Signals: 1 rule
  • Risk Classification: 1 rule

The 4 Pillars of Typosquat Detection

Each pillar targets a specific attack vector. A lookalike domain that is registered, active, and showing multiple corroborating signals deserves immediate review — but the report is measuring observable risk, not claiming intent.

1. Registration & Ownership

Is someone squatting on a domain that looks like yours? How new is it? Is the registrant hidden? Is the registration metadata complete enough to support review? Do they use a known squat registrar?

  • BGD-REG-001: Lookalike is registered
  • BGD-REG-002: Domain age < 90 days
  • BGD-REG-003: Privacy/proxy WHOIS
  • BGD-REG-004: Registration metadata completeness
  • BGD-REG-005: Squat-associated registrar

2. Mail & BEC Readiness

Is the lookalike configured for email? MX plus email-auth signals on a typosquat domain materially raises review priority for BEC/phishing readiness, without proving abuse by itself.

  • BGD-MAIL-030: MX records present
  • BGD-MAIL-031: SPF record configured
  • BGD-MAIL-032: DMARC record present
  • BGD-MAIL-035: Mail forwarding / hosted routing provider
  • BGD-MAIL-036: Email-only (no web) — BEC pattern

3. Web & Credential-Risk Signals

Is the site live? Does it have a login form? Does it mention your brand? These are high-signal indicators commonly associated with credential harvesting and impersonation.

  • BGD-WEB-020: Live web content detected
  • BGD-WEB-022: Login form / credential-collection indicator
  • BGD-WEB-023: Brand mention in page content
  • BGD-SSL-042: SSL cert references your brand

4. Reputation & Corroboration

Is this domain already being flagged elsewhere? Reputation checks add supporting context, but they are not the only reason a domain is escalated.

  • BGD-REP-050: External threat-intelligence flag
  • BGD-REP-051: External security-DNS flag
  • BGD-REP-052: Multi-source reputation corroboration
  • BGD-REP-056: Reputation flag + active infrastructure

See It In Action

Our engine generates lookalike permutations, preflights them, and applies 36 rules to the prioritized candidates included in the report. No questionnaires. No manual compilation.

  • Homoglyph, keyboard-typo, TLD, and prefix/suffix permutations
  • RDAP/WHOIS registration metadata + privacy detection
  • Passive mail checks (MX + SPF + DKIM + DMARC + hosted routing signals)
  • Reputation checks used as corroboration, not as standalone proof
  • Live web content + login form + brand mention detection

MOORLI BrandGuard Diagnostic
> BRAND: acmecorp.com
> generating permutations... 1,247 lookalike candidates
> scanning: acrnecorp.com (homoglyph)
[FAIL] BGD-REG-002: Registered 3 days ago
[WARN] BGD-MAIL-030: MX records present
[FAIL] BGD-WEB-022: Login form detected
[WARN] BGD-REP-050: External reputation signal observed
→ ACTIVE THREAT SIGNALS
> scanning: acme-corp.com (hyphenation)
[PASS] BGD-REG-004: Registration metadata complete ✓
[PASS] BGD-MAIL-030: No MX configured ✓
→ DEFENSIVE HOLD
> COMPLETE: 100 lookalike candidates evaluated
> prioritizing active findings. Generating report...

Sample Rules Explained

The report explains what each finding means and what to do about it.

BGD-REG-002

Newly Registered

Flags lookalike domains registered in the last 90 days — a meaningful risk signal that deserves review.

BGD-MAIL-036

Email-Only BEC Pattern

Domain has MX records but no A/AAAA web resolution. That email-first pattern deserves immediate BEC review because it may be configured for phishing or invoice-fraud readiness.

BGD-WEB-022

Login Form / Credential Risk

Lookalike domain contains a login form. This is a strong credential-collection indicator and warrants immediate review.

BGD-COMP-080

High-Risk Composite

Privacy-protected WHOIS plus corroborating active mail or web signals. This combination is a higher-priority review signal, but not standalone proof of malicious intent.

BGD-SIM-060

Homoglyph Detection

Identifies the most deceptive permutation type — characters that look identical but aren't (rn→m, cl→d, 0→O).

BGD-REP-051

Reputation Corroboration

Uses corroborating reputation checks to add context when a lookalike is already being flagged by external defenses.
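
The registration, mail, web, and composite rules explained above, applied to signals that have already been collected, as an added example (not MOORLI's code or scoring). The `Observation` fields, the sample records, and ordering by the number of fired rules are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Observation:
    """Passively collected signals for one lookalike (field names are assumptions)."""
    domain: str
    registered_on: date | None = None   # RDAP/WHOIS creation date; None = unregistered
    privacy_whois: bool = False
    mx: tuple = ()                      # MX hostnames
    addresses: tuple = ()               # A/AAAA records
    live_web: bool = False              # HTTP(S) content was returned
    login_form: bool = False            # a password field was seen in that content

def evaluate(obs: Observation, today: date) -> list[str]:
    """Return the rule IDs from the page that fire for this observation."""
    if obs.registered_on is None:
        return []                       # BGD-REG-001 not met, nothing to review
    fired = ["BGD-REG-001"]
    if (today - obs.registered_on).days < 90:
        fired.append("BGD-REG-002")
    if obs.privacy_whois:
        fired.append("BGD-REG-003")
    if obs.mx:
        fired.append("BGD-MAIL-030")
        if not obs.addresses:
            fired.append("BGD-MAIL-036")  # mail configured, no web resolution
    if obs.login_form:
        fired.append("BGD-WEB-022")
    if obs.privacy_whois and (obs.mx or obs.live_web):
        fired.append("BGD-COMP-080")    # privacy WHOIS plus active mail or web
    return fired

def review_order(observations, today):
    """Most fired rules first. Ordering by count is an assumption, not the product's scoring."""
    scored = [(o.domain, evaluate(o, today)) for o in observations]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)

# Constructed sample data (not real scan results).
TODAY = date(2024, 6, 1)
SAMPLES = [
    Observation("acme-corp.com", date(2015, 1, 1)),
    Observation("acrnecorp.com", date(2024, 5, 29), True, ("mx.acrnecorp.com",),
                ("203.0.113.10",), True, True),
    Observation("acmecorp-pay.example", date(2024, 3, 20), False, ("mx.mailhost.example",)),
]

if __name__ == "__main__":
    for domain, rules in review_order(SAMPLES, TODAY):
        print(f"{domain:24} {', '.join(rules)}")
```

A domain registered exactly 90 days ago does not fire BGD-REG-002, matching the "< 90 days" wording of the rule.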

See Which Lookalikes Deserve Review

Run the free scan and see which lookalikes show the strongest observable signals first.