Most brand impersonation can be detected with the same basic set of IOK rules. This page gives you a set of recipes you can adapt to your own needs.
You can't scan every single site on the internet. These discovery rules help identify potentially malicious sites that should be investigated further, for example by submitting them for a full scan that checks them against known phishing kits.
Monitoring domains containing your brand name
```yaml
title: brand-keywords
description: Monitor domains containing "brand"
level: monitored
detection:
  containsBrandname:
    hostname|contains:
      - "brand"
      - "brand2"
  condition: containsBrandname
```
Getting alerted to sites with the same title as your login page
Phishing sites will commonly use exactly the same title as your login page (either intentionally to make them more believable, or unintentionally as part of the cloning process).
```yaml
title: login-title
description: Page has the same title as Brand's login page
level: likely_malicious
detection:
  loginTitle:
    title: "Login | Brand"
  realDomain:
    hostname|subdomain: brand.com
  condition: loginTitle and not realDomain
```
Find sites hotlinking assets from your login page
Poorly constructed phishing sites will often still load assets (e.g. your logo) from your actual website.
```yaml
title: hotlinked-assets
description: Page hotlinks assets from Brand's login page
level: likely_malicious
detection:
  hotlinkedAsset:
    requests|startswith:
      - "https://brand.com/static/"
      - "https://brand.com/login/assets/"
  realDomain:
    hostname|subdomain: brand.com
  condition: hotlinkedAsset and not realDomain
```
Identifying specific phishing kits
Phishing sites loading distinctive filenames
Your real website often loads files named like styles.1cc93f3a.css, where the middle component references the deployed version. When you make a change to your website, this version changes. However, phishing sites cloned from your website will still be using their copied version of your assets with the original filename.
```yaml
title: kit-1cc93f3a
description: Page loads a distinctive filename associated with a previous clone of Brand's login page
level: likely_malicious
detection:
  distinctiveFilename:
    requests|endswith:
      - "/styles.1cc93f3a.css"
  condition: distinctiveFilename
```
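To see how the discovery rules above (brand keywords, login title, hotlinked assets) and the kit rule interact on a single scanned page, here is a small evaluator written for this page. It is an added example and is not the official IOK engine: the `contains`, `startswith`, `endswith` and `subdomain` modifier semantics, the field names (`hostname`, `title`, `requests`) and the three sample page records are assumptions constructed for illustration. The `subdomain` check is deliberately label-aware, so `brand.com.evil.example` is not treated as the real domain and still gets flagged.

```python
"""Minimal evaluator for IOK-style rules (added example, not the official IOK
engine). The four rules from this page are reproduced as dicts and run against
constructed page-scan records."""
import re

# The page's rules, with the same keys as the YAML.
RULES = [
    {"title": "brand-keywords", "level": "monitored",
     "detection": {"containsBrandname": {"hostname|contains": ["brand", "brand2"]},
                   "condition": "containsBrandname"}},
    {"title": "login-title", "level": "likely_malicious",
     "detection": {"loginTitle": {"title": "Login | Brand"},
                   "realDomain": {"hostname|subdomain": "brand.com"},
                   "condition": "loginTitle and not realDomain"}},
    {"title": "hotlinked-assets", "level": "likely_malicious",
     "detection": {"hotlinkedAsset": {"requests|startswith": [
                       "https://brand.com/static/", "https://brand.com/login/assets/"]},
                   "realDomain": {"hostname|subdomain": "brand.com"},
                   "condition": "hotlinkedAsset and not realDomain"}},
    {"title": "kit-1cc93f3a", "level": "likely_malicious",
     "detection": {"distinctiveFilename": {"requests|endswith": ["/styles.1cc93f3a.css"]},
                   "condition": "distinctiveFilename"}},
]

# Constructed scan records: the real login page, a clone, and a lookalike host.
PAGES = {
    "real": {"hostname": "login.brand.com", "title": "Login | Brand",
             "requests": ["https://brand.com/static/app.js",
                          "https://brand.com/static/styles.9d1e2b77.css"]},
    "clone": {"hostname": "brand-com-secure.example", "title": "Login | Brand",
              "requests": ["https://brand-com-secure.example/styles.1cc93f3a.css",
                           "https://brand.com/static/logo.png"]},
    "lookalike": {"hostname": "brand.com.evil.example", "title": "Sign in",
                  "requests": []},
}


def field_matches(page, key, expected):
    """Apply one 'field|modifier' selector (assumed semantics) to a page record.
    A selector matches if any page value matches any listed pattern."""
    field, _, modifier = key.partition("|")
    values = page.get(field, [])
    values = [values] if isinstance(values, str) else values
    patterns = expected if isinstance(expected, list) else [expected]
    for v in values:
        for p in patterns:
            if modifier == "" and v == p:
                return True
            if modifier == "contains" and p in v:
                return True
            if modifier == "startswith" and v.startswith(p):
                return True
            if modifier == "endswith" and v.endswith(p):
                return True
            # subdomain: exact host or a label-boundary subdomain only, so
            # "brand.com.evil.example" is NOT considered the real domain
            if modifier == "subdomain" and (v == p or v.endswith("." + p)):
                return True
    return False


_TOKEN = re.compile(r"\(|\)|\w+")


def eval_condition(cond, results):
    """Evaluate a condition such as 'a and not (b or c)' over selector results
    with a small recursive-descent parser (no eval() on rule text)."""
    tokens = _TOKEN.findall(cond)
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            r = parse_and()          # always consume the right operand
            v = v or r
        return v

    def parse_and():
        nonlocal pos
        v = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            pos += 1                 # skip the closing ")"
            return v
        if tok not in results:
            raise KeyError(f"condition references unknown selector {tok!r}")
        return results[tok]

    return parse_or()


def evaluate_rule(rule, page):
    """All keys inside one selector must match; the condition combines selectors."""
    detection = rule["detection"]
    results = {name: all(field_matches(page, k, v) for k, v in sel.items())
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def match_page(page):
    """Titles of every rule that fires for this page, in rule order."""
    return [r["title"] for r in RULES if evaluate_rule(r, page)]


if __name__ == "__main__":
    for name, page in PAGES.items():
        print(f"{name:10s} -> {match_page(page)}")
```

Running it shows the intended layering: the real site trips only the `monitored` keyword rule (its own domain is excluded by `realDomain`), the clone trips all four, and the lookalike host trips only the keyword rule, which is exactly the "investigate further" signal the discovery rules are meant to produce.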
Read more about detecting sites using hashes in filenames.