Phishing & Brand Monitoring

Phishing, fraud, and brand impersonation attacks are evolving rapidly—becoming more targeted, more convincing, and harder to detect. These threats can damage customer trust, disrupt operations, and put sensitive assets at risk. Organizations must stay vigilant and respond quickly when signs of compromise appear.

How Google Threat Intelligence Helps

Google Threat Intelligence (Google TI) provides deep visibility and context to help you detect and understand these threats before they escalate. With insights derived from billions of daily signals, global telemetry, and expert analysis, Google TI gives your team the intelligence edge needed to stay ahead of evolving attacker tactics.
Google TI enables you to:

  • Analyze malicious activity with rich context to assess severity, intent, and potential impact.
  • Identify impersonation campaigns targeting your brand, infrastructure, digital assets, or customer base.
  • Monitor third-party risk by tracking suspicious activity originating from vendors or partners.
  • Protect sensitive data by identifying potential leaks or misuse of proprietary information.

Use Cases

Comprehensive Brand and Domain Impersonation Monitoring

Detect malicious activity, brand impersonation, and typosquatted domains targeting your organization or users.

Google TI allows you to uncover URLs, domains, and visual assets used by attackers to mimic your brand for phishing or fraud—whether through lookalike domains or reused logos and icons.

How to do it

A. Detect Suspicious URLs Using Your Brand Name
Attackers often register URLs that include your brand name to mislead users. You can detect these by searching for URLs that contain your brand but are not part of your legitimate domains.

  1. Go to Google TI Search.

  2. Start by crafting queries to identify suspicious indicators:
    Search for URLs that contain your brand name but are not part of your legitimate domains:

entity:url content:"my brand" not parent_domain:"my_org_domain"

  3. Refine your results with filters
    Reduce the scope by adding more modifiers such as title, first seen and positives.
title:"my title" fs:30d+ p:1+

B. Identify Typosquatted Domains

Typosquatting is a common tactic where attackers register misspelled or lookalike versions of your domain to trick users. Google TI can help detect these using fuzzy logic.

  1. Run this query in Google TI Search:
    Search for domains that are typographically similar to your legitimate domains but are not controlled by you.
entity:domain fuzzy_domain:my_org_domain.com

  2. Refine your results with filters
    Use filters such as creation_date or gti_verdict to prioritize newly registered or malicious domains.

C. Find Domains Reusing Your Brand’s Visual Identity

  1. Find your favicon’s dhash:
  • Search your legitimate domain in Google TI
  • Click on the favicon to retrieve its main_icon_dhash value
  2. Use this query to find reuse across domains:
entity:domain main_icon_dhash:mydhash

You can also find documents or binaries using the same icon for deceptive purposes. Add filters like not parent_domain:"my_org_domain", creation_date:30d+ or gti_verdict:malicious to further refine the results.

You can refine your searches by adding modifiers like gti_verdict:malicious to only include domains identified as malicious by Google TI, or creation_date:30d+ to find newly created URLs. You can automate any of these queries using the Google TI API to enable continuous monitoring and alerting for brand impersonation activity.
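
One way to automate the typosquat search from section B and alert only on new hits, as an added example that is not Google's code. Assumptions: the request targets the VirusTotal API v3 Intelligence search endpoint with an x-apikey header, acme.com stands in for your domain, all function names are hypothetical, and the response is a constructed sample rather than real data.

```python
from urllib.parse import urlencode
from urllib.request import Request

# Assumption: VirusTotal API v3 Intelligence search endpoint, x-apikey header.
API_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"

def typosquat_query(domain, max_age_days=30):
    """Compose the section B query plus the creation_date refinement."""
    return f"entity:domain fuzzy_domain:{domain} creation_date:{max_age_days}d+"

def build_request(query, api_key, limit=40):
    """Prepare (but do not send) the search request; pass it to urlopen() to run."""
    params = urlencode({"query": query, "limit": limit})
    return Request(f"{API_SEARCH}?{params}", headers={"x-apikey": api_key})

def is_owned(domain, owned):
    """True only for an owned domain or a real subdomain of one (dot boundary)."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in owned)

def triage(response, owned, seen, min_positives=1):
    """Return (domain, positives) for new, non-owned, flagged hits."""
    alerts = []
    for item in response.get("data", []):
        name = item.get("id", "").lower()
        if item.get("type") != "domain" or not name:
            continue
        if is_owned(name, owned) or name in seen:
            continue
        stats = item.get("attributes", {}).get("last_analysis_stats", {})
        positives = stats.get("malicious", 0)
        if positives >= min_positives:
            seen.add(name)  # unflagged hits stay out of `seen` and are rechecked
            alerts.append((name, positives))
    return sorted(alerts, key=lambda a: (-a[1], a[0]))

# Constructed sample response (not real data), shaped like a v3 search result.
SAMPLE = {"data": [
    {"type": "domain", "id": "acrne.com", "attributes": {"last_analysis_stats": {"malicious": 4}}},
    {"type": "domain", "id": "shop.acme.com", "attributes": {"last_analysis_stats": {"malicious": 0}}},
    {"type": "domain", "id": "acme.com.login-check.example", "attributes": {"last_analysis_stats": {"malicious": 2}}},
    {"type": "domain", "id": "acmee.com", "attributes": {"last_analysis_stats": {"malicious": 0}}},
]}

if __name__ == "__main__":
    seen = set()
    print(build_request(typosquat_query("acme.com"), "YOUR_API_KEY").full_url)
    print(triage(SAMPLE, {"acme.com"}, seen))  # first run: two alerts
    print(triage(SAMPLE, {"acme.com"}, seen))  # second run: nothing new
```

The dot-boundary check in is_owned matters because a hit such as acme.com.login-check.example contains the legitimate domain as a prefix but is not under it. Persist the seen set between scheduled runs so that each impersonating domain raises one alert.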

Hunting for phishing targeting your organization

Proactively identify phishing attempts that mimic your brand by tracking suspicious URLs based on shared characteristics.

With Google TI’s Livehunt and YARA-based detection, you can build targeted rules to surface phishing infrastructure that reuses elements like your favicon, page titles, or domain structure.

How to do it

  1. Navigate to the Livehunt section within Google Threat Intelligence, click on New Livehunt Ruleset and select “New ruleset to get URLs”.

  2. Click on the Structure tool on the left menu and enter your URL. In the example we use http://www.acme.com

  3. Click on the relevant information you want to create the rule with, and combine the values in a single rule. In the example we use url.favicon.dhash, url.html_title and domain.root.

Combine the extracted values into a YARA rule that identifies phishing attempts mimicking your brand.

import "vt"

rule example_phishing_rule {
  condition:
    vt.net.url.favicon.dhash == "6190b6b8595c5523"
    and
    vt.net.url.html_title icontains "ACME Laboratories"
    and not
    vt.net.domain.root == "acme.com"
}

This YARA rule would trigger if a domain uses the same favicon as yours, a title containing “ACME Laboratories” (not case-sensitive) and its root domain is not acme.com.

  4. Save and activate your Livehunt rules. You will receive notifications when new samples matching your criteria are observed on the IoC Stream.

You can learn more about Livehunts in the documentation. To keep reading about how to protect your organization from phishing, check our Phishing Exposed blog post.