Stop Phishing,
Before It Happens.

  • We continually scan thousands of domains that looks like yours,
  • Assess for phishing risk on each domain,
  • Alert you in real-time for each threat detected.

Features to Fight Phishing

Following recommendations from NIST CyberSecurity Framework V1.1


Custom Domain Generation

We generate domains similar to yours based on:

  • Your industry, users location.
  • Your employees habits, business practices.
  • Empiric phishing practices.
  • Custom keyword list provided by you.

Complete Mixing

Each generation method is combined with all others to cover a complete map of all possible combinations:
homoglyph TLD swap custom prefixes typo squatting industry lingo hyphenation replacement vowel-swap insertion custom suffixes letter-digit swap bitsquatting repetition transposition


Continuous Monitoring

Once generated, all domains are scanned continuously, several times every hour.

We record 50+ data points per domain over DNS records AS records IP records Whois records HTTP server WAF setup Email setup SSL config HTML content

Per-Domain Telemetry Data

We save raw data at each scan to be able to replay impersonation attacks.

Postmortem forensic analysis can then be performed to understand how impersonation attacks are deployed.


Threat Detection

Each suspicious domain is assigned a threat score.

Our scoring mecanism is grounded in recent academic research[1].

[1]: GUANG et al. ACM Journal. CANTINA+: A Feature-rich Machine Learning Framework for Detecting Phishing Web Sites

Threat Alerting

Threat alerts can be sent to your team over several media: Email Webhook Slack CSV Export API

Support for Incident Response Platforms is planned. Get in touch for custom solutions.


Actionable Takedown

When a phishing threat is detected we send you the exact information you need to take it down — at each level.

We will help you to notify the Web server, WAF, and email services providers used by the impersonators.

False Positive Management

Sometimes a handful of domains scanned will be other legitimate businesses. Sometimes they will be domains your company bought proactively.

Our platform allows for manual annotation for each domain, avoiding cases of false positives.

A Typical Use Case

Emmett Brown Labs LLC wished to protect their clients and employees from phishing attacks.
Their domain:

  1. We generated 83,124 domains suspiciously similar.

    They also added a custom list of words to tailor domain generation, and marked to ignore domains they own themselves.

  2. exå detected hosting a deceitful copy.

    • DNS was configured and pointed to a Russian server hosting a homepage.
    • This homepage mentioned Emmett Brown Labs business and asked for credentials.
    • DNS MX and SPF TXT records were setup to send email via AWS SES.
    • The Whois database indicated the domain was purchased recently.
  3. We alerted Emmett Brown Labs via Webhook.

    The alert landed in their internal Threat Triage System. The alert payload contained:

    • The domain registrar abuse contact info.
    • The Web server provider abuse contact info.
    • Amazon Web Services abuse contact info.
  4. Phishing Site Takedown

    4 hours later the phishing website was taken down by the Web hosting company following a security report. Its IP was added to a phishing+spam database.

    We keep monitoring the domain.

Real World Phishing Detected

A sample of phishing domains we independently detected.

  • Trezor

    Trezor provides security devices to store digital assets. They are located in Czech Republic.

    Phishing Domains Detected: trẹ


  • Ledger

    Ledger provides security and infrastructure solutions to store digital assets. They are located in France.

    Phishing Domains Detected:

    Analysis User Report

  • Blockchain

    Blockchain is a cryptocurrency exchange located in the United Kingdom.

    Phishing Domains Detected:

  • Huobi

    Huobi is a cryptocurrency exchange located in Singapore.

    Phishing Domains Detected:

Frequently Asked Questions

Contact us for any more information.

Does OPRAND need to access my internal networks?

No. OPRAND runs outside of your company’s internal networks.

Depending on the alerting medium you select, you may need to provide a Webhook URL, Slack ID or email address.

How is OPRAND different from DnsTwist?

DnsTwist is an open-source Python script that can generate look-alike domains and check for HTML similarity.

OPRAND is different on 4 aspects:

  1. It checks more than just HTML similarity.
  2. Scans are run continually — No script to run in a crontab on your side.
  3. It alerts your team when a phishing threat is detected with actionable intel to takedown the phishing attacks.
  4. A full history for each look-alike domain is kept available.

The whole process is also customizable to your specific use cases and industry.

How many look-alike domains are generate for one domain?

There is no upper limit on the Entreprise plan. We tend to generate as much as reasonably effective.

Typically a 7 letter domains will generate about 100,000 look-alike domains.

The Pro plan has a 10,000 look-alike domains limit.

What happen after a phishing domain is detected?

You will receive an alert with a maximum of information to take down the deceitful domain. As well as adding them to community spam+phishing black-lists.

Known phishing domains are still monitored even after they are taken down.

What industries does the Phishing Threat Report cover?

As of now only the Cryptocurrency industry is covered.

More industries, as well as government services will be monitored in the future.