The anatomy of domain impersonation

Domain spoofing

The integrity of the corporate digital ecosystem is being attacked at a silent but crucial point: the internet's identity infrastructure, especially the domain name layer, DNS, TLS certificates, and email.

Modern phishing is rarely “improvised.” In many cases it is a structured social engineering operation supported by infrastructure, at the core of which is domain impersonation: the registration and use of look-alike domains.

It is important to separate two phenomena that are commonly confused:

  • Spoofing a legitimate domain via email: someone sends mail claiming to be from @suaempresa.com without authorization. This is where SPF, DKIM, and DMARC (email authentication and policy) come in. They prevent a lot, but not everything.
  • Impersonation using a similar domain: the attacker registers suaempresa-suporte.com, suaempresaa.com or suaempresa-login.net and builds the scam on that new domain. Here DMARC does not prevent the registration or use of the fraudulent domain, because it is a different domain with its own identity in DNS. This is why continuous domain monitoring and rapid takedown are also crucial.

In summary:

  • Impersonation = “it looks like one domain, but it’s another”
  • Spoofing = “claims to be the domain, but is not”

In practice, attacks are often combined: the email may be “spoofed” and contain links to an impersonated domain.

Understanding this technical anatomy, from domain registration to certificate issuance, from DNS configuration to reverse proxy usage, is the first step toward proactive defense: reducing mean time to detect (MTTD) and mean time to respond (MTTR), and dismantling the campaign before it escalates.


The domain as a pillar of social engineering.

For years, phishing was synonymous with poorly written messages and grotesque URLs.

Today, the sophistication lies in exploiting how we, and our systems, interpret addresses and trust signals.

Attackers register domains that differ from the original by almost imperceptible details, exploiting “minimal distances” (small variations, big effect):

  1. Typosquatting (typing error)
    Ex.: letters swapped, duplicated, omitted.
  2. Combosquatting (brand + auxiliary terms)
    Ex.: -suporte, -login, -seguranca, -atualizacao, creating an “official hierarchy” through semantics.
  3. TLD squatting (alternative extensions)
    Ex.: using less monitored TLDs to bypass simple .com/.com.br-based blocks.
  4. IDN homograph / Unicode (identical appearance, different script)
    Use of characters from other alphabets that are visually similar to Latin characters. In some cases the domain is displayed in Punycode (xn--), but this does not eliminate the risk in every context (especially outside the browser, in apps and mail clients).

On mobile devices, where the viewport often hides part of the URL, a look-alike domain becomes even more effective: the user sees the “right beginning” and decides quickly.
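The four classes above can be enumerated mechanically, which is exactly what brand-monitoring tools do to build a watch list. The following is an added example written for this article (not code from the original page): it generates typosquats, combosquats, TLD variants and Cyrillic homographs for the article's placeholder brand suaempresa.com, shows the Punycode form the DNS actually resolves, and flags mixed-script labels. The confusable table, the auxiliary terms and the TLD list are this example's own assumptions; the confusable table in particular is a small hand-picked subset of the Unicode confusables data.

```python
"""Enumerate look-alike candidates for a brand domain and flag IDN homographs.

Added example for this article; not code from the original page.
Assumptions: 'suaempresa.com' is the article's placeholder brand, the
confusable table is a small hand-picked subset of Unicode confusables, and
the TLD and keyword lists are illustrative.
"""
import itertools
import unicodedata

# Latin letters and the Cyrillic letters that render identically in most fonts.
# Hand-picked subset (assumption); production tooling uses the full
# Unicode confusables.txt table.
CONFUSABLES = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "i": "\u0456",
    "o": "\u043e", "p": "\u0440", "s": "\u0455", "x": "\u0445",
}
COMBO_TERMS = ("suporte", "login", "seguranca", "atualizacao")  # terms named in the article
ALT_TLDS = ("com", "net", "org", "co", "com.br", "app", "xyz")    # assumption


def typosquats(label):
    """Single-edit typos: adjacent swap, omitted letter, doubled letter."""
    out = set()
    for i in range(len(label) - 1):
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        out.add("".join(chars))
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])           # omission
        out.add(label[:i] + label[i] + label[i:])    # duplication
    out.discard(label)
    return out


def combosquats(label, terms=COMBO_TERMS):
    """Brand plus an 'official-sounding' term, hyphenated on either side or glued on."""
    return ({f"{label}-{t}" for t in terms} | {f"{t}-{label}" for t in terms}
            | {f"{label}{t}" for t in terms})


def homographs(label, max_subs=2):
    """Replace up to max_subs Latin letters with their Cyrillic look-alikes."""
    out = set()
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(label)
            for i in combo:
                chars[i] = CONFUSABLES[label[i]]
            out.add("".join(chars))
    return out


def candidates(domain, tlds=ALT_TLDS):
    """All look-alike FQDNs for a brand domain across the alternative TLDs."""
    label = domain.partition(".")[0]
    labels = {label} | typosquats(label) | combosquats(label) | homographs(label)
    fqdns = {f"{lab}.{tld}" for lab in labels for tld in tlds}
    fqdns.discard(domain)
    return fqdns


def to_ascii(domain):
    """The IDNA (Punycode) form the DNS actually resolves, e.g. xn--... labels."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label):
    """Unicode scripts present in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def is_mixed_script(domain):
    """True when any label mixes scripts: the classic homograph tell-tale."""
    return any(len(scripts_in(label)) > 1 for label in domain.split("."))


if __name__ == "__main__":
    brand = "suaempresa.com"
    cands = candidates(brand)
    print(f"{len(cands)} candidates for {brand}")
    for fqdn in sorted(c for c in cands if is_mixed_script(c))[:5]:
        print(f"{fqdn!r:30} -> {to_ascii(fqdn)}")
```

The watch list this produces is what the registration and certificate monitors described later are matched against; note that every homograph shows up in DNS and in certificate logs only in its xn-- form, which is why the matching has to decode Punycode rather than compare the visible string.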

The domain serves two key functions in the scam:

  • Psychological anchor: reduces friction and lowers the chance of suspicion.
  • Technical anchor: hosts the cloned website and underpins the delivery mechanisms (email, ads, redirects). In email, the attacker can publish valid SPF/DKIM/DMARC records for the fraudulent domain itself, so the messages pass authentication checks and deliverability improves; passing those checks says nothing about the legitimacy of the brand.

The anatomy of the campaign (from acquisition to abuse)

Phishing attacks and domain impersonation are no longer isolated initiatives carried out by individuals. Today, these attacks operate as structured business models, geared towards large-scale profit-making, with the financial sector as one of their main targets.


A prime example occurred in November 2024, when Microsoft’s Digital Crime Unit (DCU), in cooperation with international partners, took control of approximately 240 malicious domains linked to the operation known as ONNX. This was a phishing-as-a-service network operated by an Egyptian cybercriminal identified as MRxC0DER, whose fake domains were used to bypass multi-factor authentication mechanisms and exploit the trust associated with major brands—especially financial institutions and Microsoft’s own services.

To properly understand this type of campaign, it helps to analyze it as a continuous operational chain with well-defined stages: asset acquisition → infrastructure preparation → attack delivery → victim exploitation → detection evasion → response (or dismantling of the operation).

1) Asset acquisition: domain registration and infrastructure

The first step isn't “sending an email.” It's buying (or hijacking) the address.

  • Domain registration with calculated variations (type/combo/TLD/IDN).
  • Contracting hosting and/or using intermediary infrastructure (CDNs, proxies, redirectors).
  • Preparation of cloned pages or a dynamic mechanism (proxy).

This stage already leaves useful traces for defense: nameserver patterns, ASN, hosting provider, abuse history, campaign recurrence.


2) Preparation: DNS, TLS certificate, and trust signals

To increase conversion rates, the attacker tries to appear “normal”.

TLS certification and the myth of the padlock.

Issuing a TLS certificate avoids “not secure” warnings and increases user confidence. The problem is cognitive: TLS proves that the transport is encrypted to whoever controls that domain name, not that the brand is legitimate. The padlock does not mean “real company”; it only means “encrypted connection to that domain”.

Monitoring Certificate Transparency (CT) as an early detection tool

Publicly trusted certificates appear in Certificate Transparency logs (the major browsers require CT proofs before accepting a certificate). Monitoring CT is an effective early warning because it detects certificates issued for suspicious domains very early, sometimes before the campaign is launched.

In practice, CT can be used as a complementary sensor — with some noise: not every similar domain is malicious, and not every campaign depends on a public certificate to begin. Still, as a pillar of brand detection, it works very well.
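What a CT sensor does with each entry is the part that determines the noise level. The block below is an added example for this article (not code from the original page or from any CT tool): it screens a handful of constructed entries, shaped like the JSON a CT search front end returns (name_value, issuer_name, not_before), against the placeholder brand suaempresa, and classifies each registrable domain as a typosquat (edit distance), combosquat (brand embedded in a longer label), TLD squat or Punycode homograph, skipping the brand's own domains. The owned-domain set, the two-level suffix table and the issuer strings are assumptions; no network access is made.

```python
"""Screen Certificate Transparency entries for look-alikes of a brand.

Added example for this article, not code from the original page. The entries
below are constructed to mimic the JSON fields a CT search front end returns;
the owned-domain set and the suffix table are assumptions.
"""

# Two-level suffixes the naive registrable-domain split must know about
# (assumption; production code uses the Public Suffix List).
TWO_LEVEL_SUFFIXES = {"com.br", "co.uk"}

BRAND = "suaempresa"
OWNED = {"suaempresa.com", "suaempresa.com.br"}   # the brand's legitimate domains (constructed)

# A label with a Cyrillic 'а' in the third position, in the Punycode form a CT
# log would show. Computed here so the example stays self-contained.
HOMOGRAPH_HOST = "su\u0430empresa.com".encode("idna").decode("ascii")

CT_ENTRIES = [  # constructed sample entries; not real log data
    {"name_value": "suaempresa.com\nwww.suaempresa.com", "issuer_name": "O=Example CA, CN=Example CA R1", "not_before": "2025-03-01T10:00:00"},
    {"name_value": "suaempresa-login.net", "issuer_name": "O=Example CA, CN=Example CA R1", "not_before": "2025-03-02T08:15:00"},
    {"name_value": "*.suaempresaa.com", "issuer_name": "O=Example CA, CN=Example CA R2", "not_before": "2025-03-02T09:40:00"},
    {"name_value": HOMOGRAPH_HOST, "issuer_name": "O=Example CA, CN=Example CA R1", "not_before": "2025-03-03T01:05:00"},
    {"name_value": "suaempresa.xyz", "issuer_name": "O=Example CA, CN=Example CA R3", "not_before": "2025-03-03T02:30:00"},
    {"name_value": "mail.example.org", "issuer_name": "O=Example CA, CN=Example CA R1", "not_before": "2025-03-03T03:00:00"},
]


def registrable(host):
    """Split a hostname into (registrable label, public suffix); strips wildcards."""
    host = host.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    parts = host.split(".")
    if len(parts) < 2:
        return host, ""
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def levenshtein(a, b):
    """Edit distance; two rows of the DP table are enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_homograph(decoded, brand):
    """Same length as the brand and every ASCII position matches; the
    non-ASCII positions are where the look-alike characters sit."""
    if len(decoded) != len(brand) or decoded.isascii():
        return False
    return all(d == b or not d.isascii() for d, b in zip(decoded, brand))


def classify(host, brand=BRAND, owned=OWNED):
    """Return the squatting class for host, or None if it is owned or unrelated."""
    label, suffix = registrable(host)
    if f"{label}.{suffix}" in owned:
        return None
    if label == brand:
        return "tld-squat"
    if label.startswith("xn--"):
        decoded = label.encode("ascii").decode("idna")   # back to the visible string
        if looks_like_homograph(decoded, brand):
            return "homograph"
    if levenshtein(label, brand) <= 2:                   # before the substring test:
        return "typosquat"                                # 'suaempresaa' also contains the brand
    if brand in label:
        return "combosquat"
    return None


def scan(entries=CT_ENTRIES, brand=BRAND, owned=OWNED):
    """Walk CT entries and return one alert per suspicious registrable domain."""
    alerts, seen = [], set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):   # one cert can carry several SANs
            label, suffix = registrable(name)
            domain = f"{label}.{suffix}"
            if domain in seen:
                continue
            kind = classify(name, brand, owned)
            if kind:
                seen.add(domain)
                alerts.append({"domain": domain, "kind": kind,
                               "issuer": entry["issuer_name"], "not_before": entry["not_before"]})
    return alerts


if __name__ == "__main__":
    for alert in scan():
        print(f"{alert['not_before']}  {alert['kind']:11} {alert['domain']}  ({alert['issuer']})")
```

In a live deployment the entry list comes from a CT search API or from a log-streaming feed, and the alert feeds the takedown playbook; the distance threshold and the suffix handling are where most of the false positives are tuned.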


3) Delivery of the scam: email, SMS, ads and “borrowed” traffic

The campaign needs to bring the victim to the domain it controls.

  • Email: still the most efficient channel at corporate scale (credential theft and BEC).
  • SMS/WhatsApp: increases conversion rates in environments with low security maturity.
  • Sponsored ads: capture intent (user already wants to access “login”, “payment slip”, “support”).
  • Redirects: URL shorteners, compromised websites, malvertising.

The key detail: many traditional controls look at the message and the sending IP address, but the “centerpiece” is the look-alike domain.


4) Exploitation: static cloning vs. reverse proxy (AiTM)

The old cloning method was “copying HTML.” The modern method, in many scenarios, is real-time intermediation.

Reverse proxy / Adversary-in-the-Middle (AiTM)

Reverse proxy tools and kits act as intermediaries: the victim enters credentials on an “identical” website, but in practice is authenticating with the real service through the attacker, who captures the credentials and, most importantly, the session tokens/cookies.

This can bypass traditional MFA (OTP/push) in certain flows, because what grants access is not “the password” but the already established session. Phishing-resistant authentication (e.g., WebAuthn/passkeys) drastically reduces this class of attack, because the credential is bound to the legitimate origin and the browser will not produce a valid assertion for the proxy's look-alike domain; its adoption, however, is not yet homogeneous.


5) Exfiltration and monetization: speed before detection

Value extraction is usually planned to occur quickly, before the SOC can react.

  • Capture & forward: immediate sending of credentials/tokens to operators (bots, dashboards, integrations).
  • Follow-on actions: password change, MFA method enrollment or change, creation of mailbox forwarding rules, key/API changes, alteration of payment data.
  • Post-scam “clean”: redirection to the legitimate website to reduce suspicion (“it seemed normal”).

When there are attempts to capture data (keystrokes/clipboard), treat it as data collection by a web page and do not confuse it with “persistent malware” (persistence usually requires installation or exploitation, which is a different level).


6) Evasion: cloaking, geofencing, and selective analysis

To survive, campaigns operate like a “conditional website”.

  • IP cloaking: if access comes from known ranges (bots, SOCs, security companies), it displays benign content.
  • User-Agent targeting: shows the scam only on mobile, reducing analysis on desktop.
  • Geofencing: restricts access by country/state/city to avoid global monitoring and mass reporting.

This explains why, often, an analyst “opens the link” and sees nothing — but the victim does.
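The practical counter to a “conditional website” is to fetch it from more than one vantage point and compare what comes back. The block below is an added example for this article (not code from the original page or from any phishing kit): to stay offline it starts a toy cloaking server on loopback that serves the lure only to mobile user agents from a “victim country” range and never to a “security vendor” range, then probes it under three analyst profiles and reports whether the responses diverge and which profile actually saw the login form. The IP ranges (RFC 5737 documentation networks), the user agents and the two pages are constructed; reading the source address from X-Forwarded-For is an assumption that lets the probe simulate different origins on localhost, and it mirrors kits deployed behind a proxy or CDN.

```python
"""Probe a suspected phishing URL from several vantage points to detect cloaking.

Added example for this article, not code from the original page. The toy
'conditional website' below stands in for a phishing kit; every IP range,
user agent and page body is constructed.
"""
import hashlib
import ipaddress
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BENIGN = b"<html><body><h1>Site em manutencao</h1></body></html>"
LURE = b"<html><body><form action='/login' method='post'>Entre na sua conta</form></body></html>"

# Constructed cloaking policy, using RFC 5737 documentation ranges.
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # 'known security vendor' range
TARGET_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # 'victim country' range


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve the lure only to mobile browsers from the target geography that do
    not come from a scanner range; everyone else gets a benign page."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        # Assumption: the kit sits behind a proxy/CDN and trusts X-Forwarded-For.
        forwarded = self.headers.get("X-Forwarded-For", self.client_address[0])
        src = ipaddress.ip_address(forwarded.split(",")[0].strip())
        from_scanner = any(src in net for net in SCANNER_NETS)
        in_target_geo = any(src in net for net in TARGET_NETS)
        body = LURE if ("Mobile" in ua and in_target_geo and not from_scanner) else BENIGN
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_cloaked_site():
    """Start the toy kit on a random loopback port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Constructed analyst vantage points: desktop and mobile from the SOC's own
# range, plus a mobile profile that presents the victim geography.
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"
VANTAGE_POINTS = {
    "desktop-soc": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
                    "X-Forwarded-For": "203.0.113.10"},
    "mobile-soc": {"User-Agent": MOBILE_UA, "X-Forwarded-For": "203.0.113.10"},
    "mobile-target-geo": {"User-Agent": MOBILE_UA, "X-Forwarded-For": "198.51.100.25"},
}

# Ignore any http_proxy in the environment so the probe really reaches loopback.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, headers):
    with _opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read()


def probe(url, profiles=VANTAGE_POINTS):
    """Fetch url under every profile; differing bodies mean conditional content."""
    variants = {}
    for name, headers in profiles.items():
        body = fetch(url, headers)
        variants[name] = {"sha256": hashlib.sha256(body).hexdigest()[:16],
                          "has_form": b"<form" in body.lower()}
    distinct = {v["sha256"] for v in variants.values()}
    return {"cloaking_suspected": len(distinct) > 1,
            "lure_seen_by": [n for n, v in variants.items() if v["has_form"]],
            "variants": variants}


if __name__ == "__main__":
    server = serve_cloaked_site()
    report = probe(f"http://127.0.0.1:{server.server_address[1]}/")
    server.shutdown()
    for name, v in report["variants"].items():
        print(f"{name:18} sha256={v['sha256']} login_form={v['has_form']}")
    print("cloaking suspected:", report["cloaking_suspected"], "| lure seen by:", report["lure_seen_by"])
```

Against a real kit the geography and IP checks cannot be spoofed with a header; the probe would need to run from residential or mobile egress in the targeted region, which is why a single desktop fetch from the SOC's range so often shows nothing.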


From incident to response: dismantling the campaign

The effective response is not just “user education.” It is operationalizing defense through infrastructure, with a clear playbook:

1) Strengthen legitimate domain email (real spoofing)

This is where SPF/DKIM/DMARC come in, but with the right objective: to protect your domain, reduce spoofing, and receive reports for visibility.

  • SPF (sending IP/host authorization)
  • DKIM (cryptographic message signature)
  • DMARC (policy + alignment with the “From” domain + reports; actions such as quarantine/reject)

This doesn’t prevent lookalike domains, but it does prevent the attacker from “using yours”.
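The difference between a record that merely exists and one that actually protects the domain is in a few tags. The block below is an added example for this article (not code from the original page): it assesses a weak SPF/DMARC pair beside a hardened pair for the placeholder domain suaempresa.com, then applies DMARC identifier alignment to two messages, a spoofed From with a signature from an unrelated domain, which fails, and mail from a look-alike domain that authenticates itself, which passes its own DMARC, the point made above. The records and domains are constructed, and the organizational-domain rule is a two-label simplification (assumption; real receivers use the Public Suffix List).

```python
"""Assess SPF and DMARC records and evaluate DMARC alignment.

Added example for this article, not code from the original page. The records
are constructed for the placeholder domain suaempresa.com; in production they
are fetched as DNS TXT records at the apex and at _dmarc.<domain>.
"""
import re

# Constructed records: a weak pair and the hardened pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.example-mailer.net -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc-rua@suaempresa.com; ruf=mailto:dmarc-ruf@suaempresa.com; fo=1")


def _needs_lookup(term):
    """Mechanisms/modifiers that cost a DNS lookup under RFC 7208's limit of 10."""
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif tail == "?all":
        findings.append("'?all' is neutral: unauthorized hosts are not failed, so DMARC gains nothing from SPF")
    elif tail not in ("-all", "~all") and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no terminal 'all' mechanism: unmatched senders default to neutral")
    lookups = sum(1 for t in terms[1:] if _needs_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Tag/value pairs of a DMARC record, keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record enforces and reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append("p tag missing or invalid: receivers treat the record as p=none or ignore it")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: the policy applies to only part of the traffic")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports, so spoofing stays invisible")
    return findings


def org_domain(domain):
    """Organizational domain by a naive two-label rule (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, authenticated_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain. authenticated_domain is the SPF
    envelope-sender domain or the DKIM d= domain."""
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return org_domain(header_from) == org_domain(authenticated_domain)


def dmarc_pass(header_from, spf_domain, spf_pass, dkim_domain, dkim_pass, dmarc_record):
    """A message passes DMARC when SPF or DKIM passes AND aligns with the From domain."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"[{label}] SPF: {assess_spf(spf) or 'ok'}")
        print(f"[{label}] DMARC: {assess_dmarc(dmarc) or 'ok'}")
    # Spoofed From with a signature from an unrelated domain: fails alignment.
    print("spoof passes:", dmarc_pass("suaempresa.com", "attacker.example", True, "attacker.example", True, HARDENED_DMARC))
    # Look-alike domain with its own SPF/DKIM: passes its own DMARC, not yours.
    print("look-alike passes:", dmarc_pass("suaempresa-login.net", "suaempresa-login.net", True,
                                           "suaempresa-login.net", True, "v=DMARC1; p=reject"))
```

The second evaluation is the whole point of the distinction drawn at the top of the article: DMARC is evaluated against the From domain's own record, so a look-alike domain that publishes its own SPF, DKIM and DMARC passes cleanly, and only monitoring and takedown address it.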

2) Brand detection: monitor before clicking
  • Monitor for new similar records (type/combo/TLD/IDN).
  • Monitor CT logs for certificates issued to lookalike domains.
  • Correlate with technical signals (DNS/ASN/nameserver) and reputation.

The competitive advantage here is simple: detect before the mass send.

3) Takedown and containment
  • Reporting to blocklists and browser protection services (so the browser warns the user).
  • Notifications to registrars and hosting providers with objective evidence (screenshots, headers, URLs, IOCs, proof of brand impersonation).
  • Blocking on internal gateways/proxies and on EDR/IdP where applicable.
4) Metrics: MTTD + MTTR

In addition to MTTR, track:

  • time to detection (MTTD);
  • time until internal blocking;
  • time until blocklisting/browser warning;
  • time until domain/hosting suspension.

Conclusion: Infrastructure integrity as a determining factor.

Domain name spoofing is not a problem that can be solved with simple guides. It’s a problem of the integrity of the technical fabric that underpins digital identity. The moment a customer falls victim to fraud, the perception is rarely “the criminal was clever,” but rather “the brand failed.”

Companies that treat domain, DNS, certificates, email, and brand intelligence as critical surfaces can reduce losses, preserve trust, and react before the campaign gains scale. Early detection, at domain registration, at certificate issuance, and at the first evidence of infrastructure being prepared, allows them to dismantle the trap before the “send” phase.
