# Look-alike Domain Monitoring

WhiteIntel now includes **Look-alike Domain Monitoring,** a proactive detection system that identifies newly registered domains that visually or textually resemble your protected assets or brand names.

This feature helps organizations detect **impersonation**, **phishing**, and **brand abuse** attempts early, before they are weaponized.

***

### 🔍 Overview

When attackers register domains that closely mimic legitimate ones (e.g., `micros0ft-support.com` instead of `microsoft.com`), they often use them in phishing campaigns, credential harvesting, or malware delivery.

Whiteintel continuously scans newly registered domain names worldwide and identifies those similar to any domain on your **Watchlist**.

Detected domains are added as new **Watchlist Events** under the *Look-alike* category.

***

### 🧠 How It Works

1. **Continuous Monitoring**\
   New domain registrations are checked against your protected entries using fuzzy-matching algorithms (string similarity, homograph patterns, and brand resemblance).
2. **Automated Enrichment**\
   When available, WHOIS and DNS data are retrieved to help assess the legitimacy or potential risk of each detected domain.
3. **Event Generation**\
   When a match is found, a **Look-alike Event** is created within your Watchlist, grouped by the original monitored domain.
4. **Alert Delivery**\
   If configured, alerts are also sent via Slack and Jira integrations.

***

### 🧾 Event Details

Each Look-alike event includes:

* **Detected Domains:** The list of newly registered domains that resemble your monitored entry.
* **WHOIS & DNS Data (when available):** Registrar, creation/expiry dates, name servers, and abuse contact emails.

You can view these under the **Contents** tab in your event sidebar.\
If WHOIS data is unavailable for a domain, it will be marked as *No WHOIS available*.

***

### 💡 Example Use Case

* **Brand Protection:** Detect newly registered look-alike domains impersonating your organization or customers.
* **Phishing Prevention:** Identify domains that could be used in future email or website impersonation.
* **Threat Hunting:** Investigate registrar trends and ownership overlaps with known malicious actors.

***

### ⚙️ License Availability

Look-alike Domain Monitoring is available for:

* **Enterprise**
* **Threat Intelligence (TiFirm)**

Customers on these licenses automatically receive access to this feature.\
If you are on a Researcher plan and wish to upgrade, please contact support.

<figure><img src="/files/HiTHvEAn1qh9rZYkSNza" alt=""><figcaption></figcaption></figure>

***

***

### 💬 Support

If you have any questions or would like to enable this feature, contact us at:\
📧 <info@whiteintel.io>

***

> *Available to customers with active Enterprise or Threat Intelligence subscriptions.*


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://knowledge.whiteintel.io/white-intel-usage/look-alike-domain-monitoring.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.