BlueVoyant found that the use of lookalike domains in email-based attacks is allowing actors to extend the types of individuals and organizations being targeted.
Analysis Summary
# Tool/Technique: Lookalike Domain Impersonation
## Overview
This technique involves creating and utilizing domain names that closely mimic the appearance of legitimate, well-known organizational domains. The purpose is to facilitate targeted email-based social engineering and financial fraud scams by deceiving recipients into believing communications originate from a trusted source.
## Technical Details
- Type: Technique
- Platform: Any platform relying on email communication (Windows, macOS, Linux, Mobile)
- Capabilities: Deception, impersonation, establishment of high-trust communication channels for phishing/fraud.
- First Seen: Continual evolution, but explicitly highlighted in reports around 2024-2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (if used to deliver malware)
- T1566.002 - Spearphishing Link (if used to direct users to malicious sites)
- TA0009 - Collection
- T1598 - Phishing for Information
- T1598.003 - Spearphishing via an Electronic Medium (Email using lookalike domains)
## Functionality
### Core Capabilities
- **Domain Registration:** Registering domains that share character sets or structure with legitimate brands, often exploiting homoglyphs (e.g., 'o' swapped for '0', 'I' for '1') or using different Top-Level Domains (TLDs) while keeping the base name almost identical.
- **Email Setup:** Configuring email servers on the malicious domain to enable the distribution of deceptive communications.
### Advanced Features
- **Targeted List Compilation:** Gathering specific lists of potential victims, often sourced from publicly available information, to maximize the impact of financial fraud or targeted attacks against specific employees within an organization.
- **Sector Focus:** Targeting critical sectors such as finance, legal services, insurance, and construction with high relevance to the impersonated brand.
## Indicators of Compromise
- File Hashes: N/A (Technique-focused)
- File Names: N/A (Technique-focused)
- Registry Keys: N/A (Technique-focused)
- Network Indicators: Registered domains that visually resemble legitimate business domains (e.g., typosquatted or homographic lookalikes). The source report does not name specific domains; the indicators would be the newly registered lookalike domains themselves.
- Behavioral Indicators: High volume of suspicious emails originating from recently registered domains that closely match known corporate domains, especially when associated with financial requests or urgent actions.
## Associated Threat Actors
- Undisclosed Cybercriminals (General threat actors exploiting current trends, particularly those focused on financial fraud and targeted social engineering).
## Detection Methods
- Signature-based detection: Limited effectiveness against new, custom-registered lookalike domains unless blocklists are aggressively maintained.
- Behavioral detection: Monitoring for sudden increases in email traffic claiming to be from a known domain but originating from a domain with a low reputation or recent registration date. Sender authentication checks (SPF, DKIM, DMARC) that fail against the expected policy are crucial indicators; note that a lookalike domain can pass SPF and DKIM for itself, so the decisive check is whether the authenticated domain is the legitimate one, not merely whether authentication passed.
- YARA rules: N/A (Technique-focused)
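A minimal implementation of the sender-domain check described above, added here as an example and not taken from the BlueVoyant report: it collapses the homoglyphs the report names ('0' for 'o', '1'/'I' for 'l') before comparing the sender's registrable name and TLD against a list of protected corporate domains. The protected domains, sample senders, the extra confusable pairs and the naive TLD split (no public-suffix list) are assumptions.

```python
"""Classify inbound sender domains as trusted, lookalike, or unrelated.

Added example (not the report's code). Protected domains and sample senders
below are constructed for illustration.
"""

# Visual confusables collapsed to one canonical character. '0'->'o' and
# '1'/'i'->'l' cover the swaps named in the report; the rest are common
# extras (assumption). Both sides are normalized, so direction does not matter.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))  # multi-char lookalikes (assumption)


def skeleton(label: str) -> str:
    """Canonical form in which visually similar labels collide."""
    s = label.lower().translate(_CONFUSABLES)
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return s


def split_domain(domain: str) -> tuple[str, str]:
    """'mail.acme.com' -> ('acme', 'com'). Naive split; real code needs a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, protected: list[str]) -> str:
    """Return 'trusted', 'tld-swap', 'homoglyph', 'typosquat', 'brand-embedded' or 'unrelated'."""
    base, tld = split_domain(domain)
    for good in protected:
        gbase, gtld = split_domain(good)
        if (base, tld) == (gbase, gtld):
            return "trusted"            # exact registrable domain, subdomains included
        if base == gbase:
            return "tld-swap"           # same name, different TLD (acme.co vs acme.com)
        if skeleton(base) == skeleton(gbase):
            return "homoglyph"          # acrne.com, acrn3.com ...
        if levenshtein(skeleton(base), skeleton(gbase)) <= 1:
            return "typosquat"          # acm.com; noisy for very short brand names
        if gbase in base.split("-"):
            return "brand-embedded"     # acme-payments.com
    return "unrelated"
```

Anything other than "trusted" or "unrelated" is a candidate for quarantine or for the reputation/registration-age checks described above.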
## Mitigation Strategies
- **Domain Monitoring:** Implement continuous monitoring and brand protection services to detect the registration of lookalike domains shortly after they are created.
- **User Training:** Conduct frequent and specific security awareness training focusing on visual inspection of email sender domains, especially for requests involving payments or sensitive information. Train users to hover over sender addresses and check TLDs.
- **Email Gateways:** Configure email security gateways to aggressively flag or quarantine emails where the display name impersonates a legitimate sender but the actual underlying domain has not passed DMARC validation or is unusual.
## Related Tools/Techniques
- Typosquatting (A subset of lookalike domain usage)
- Homograph Attacks
- Brand Impersonation Phishing