Malicious domain detection

Malicious domain detection combines registration signals, DNS behavior, content analysis, and reputation feeds to identify domains used for phishing, malware, or fraud. This guide covers detection approaches, scoring models, and false positive management.


What it is

Malicious domain detection is the process of identifying domains that are being used, or are likely to be used, for phishing, malware distribution, fraud, or other abuse. Detection combines multiple signal categories because no single indicator reliably separates malicious from legitimate domains. It is a core function of phishing domain detection and broader domain-focused threat intelligence.

Signal categories

Registration signals

Newly registered domains are disproportionately associated with abuse. Key indicators include domain age (domains under 30 days old are higher risk), the registrar used (some registrars have weaker abuse controls), bulk registration patterns, and privacy-protected WHOIS records on domains that mimic known brands.

DNS behavior

DNS configuration reveals operational intent. Fast flux (rapidly rotating A records across many IPs) is a classic evasion technique. Domain generation algorithms (DGAs) produce pseudo-random domain names (e.g., xkj7q2m.net) for command-and-control communication. Unusual record types, short TTLs, or name servers associated with known malicious infrastructure are additional signals. Passive DNS data helps identify these patterns historically.

Content analysis

Crawling a domain's web content and comparing it against known phishing kits or legitimate brand pages adds high-confidence signal. Phishing page fingerprints (specific HTML structures, form actions, or resource paths) can match domains to known campaigns. Visual comparison of screenshots against brand assets catches clones that text analysis might miss.

Reputation feeds

Commercial and community threat feeds aggregate known-bad domains from incident reports, spam traps, honeypots, and takedown databases. These feeds provide quick lookups but have inherent latency. A domain may be active for hours before it appears in a feed. ASN reputation and hosting provider reputation offer additional infrastructure-level context.

Real-time vs retrospective detection

Real-time detection aims to flag domains before or as they become active, through Certificate Transparency log monitoring, newly registered domain feeds, or DNS query analysis. Retrospective detection re-evaluates historical data, catching domains that were missed initially or identifying infrastructure patterns across past campaigns. Both are necessary. Real-time reduces exposure time, while retrospective analysis improves future detection.

Scoring models

Most detection systems assign a risk score that aggregates weighted signals. A domain registered yesterday on a flagged registrar, resolving to a known-bad ASN, and serving a login form scores higher than an aged domain with clean history. Scoring thresholds determine automated actions (block, alert, or deprioritize) versus manual review.

False positive management

False positives are the persistent challenge. Legitimate new businesses register domains daily, and shared hosting means a clean domain may resolve to an IP with a poor reputation. Effective programs tune scoring weights based on feedback, maintain allowlists for known-good infrastructure, and require multiple corroborating signals before automated blocking. Analyst review remains essential for edge cases.
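A worked version of the scoring model and the false positive controls described in the two sections above (weighted signals, action thresholds, an allowlist for known-good infrastructure, and a requirement for corroborating signals before automated blocking), added here as an example and not code from the original page. The signal names, weights, thresholds, allowlist entry and sample domains are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Constructed example: weighted-signal risk scoring with an allowlist and a
# corroboration gate. Weights, thresholds and signal names are assumptions.

@dataclass
class DomainObservation:
    domain: str
    registered: date
    registrar_flagged: bool   # registrar with weak abuse controls
    asn_flagged: bool         # hosting ASN with poor reputation
    serves_login_form: bool   # content analysis found a credential form
    min_ttl_seconds: int      # lowest TTL seen across DNS records
    in_reputation_feed: bool  # listed by a threat feed

# signal name -> (weight, predicate over an observation and today's date)
SIGNALS = {
    "new_domain": (30, lambda o, today: (today - o.registered).days < 30),
    "flagged_registrar": (20, lambda o, _: o.registrar_flagged),
    "bad_asn": (25, lambda o, _: o.asn_flagged),
    "login_form": (15, lambda o, _: o.serves_login_form),
    "short_ttl": (10, lambda o, _: o.min_ttl_seconds < 300),
    "feed_hit": (60, lambda o, _: o.in_reputation_feed),
}
ALERT_THRESHOLD, BLOCK_THRESHOLD = 25, 60
MIN_CORROBORATING = 2  # automated block only when independent signals agree
ALLOWLIST = {"payroll.example-corp.com"}  # known-good infrastructure (constructed)

def fired_signals(obs: DomainObservation, today: date) -> list[str]:
    """Names of the signals that fire for this observation."""
    return [name for name, (_, check) in SIGNALS.items() if check(obs, today)]

def risk_score(obs: DomainObservation, today: date) -> int:
    """Aggregate weighted score; the alert/block thresholds act on it."""
    return sum(SIGNALS[name][0] for name in fired_signals(obs, today))

def decide(obs: DomainObservation, today: date) -> str:
    """Map score and corroboration onto allow / block / alert / deprioritize."""
    if obs.domain in ALLOWLIST:
        return "allow"  # shared hosting must not sink known-good domains
    fired = fired_signals(obs, today)
    score = sum(SIGNALS[name][0] for name in fired)
    if score >= BLOCK_THRESHOLD and len(fired) >= MIN_CORROBORATING:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"  # strong but uncorroborated, or moderate: analyst review
    return "deprioritize"
```

A single feed hit scores at the block threshold but, lacking a second signal, is routed to an analyst rather than blocked automatically; an aged domain whose only signal is a poor-reputation shared-hosting ASN lands in the alert band instead of being blocked.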
