Lookalike Domains

Catch the domain a phisher just registered to look like yours.

Lookalike domain detection sits between attack surface management and brand protection. Attackers register thousands of variants every day — typos, vowel swaps, Cyrillic-letter substitutions, alternate TLDs — and the first time most teams find out is when a customer reports a phishing email. Nano EASM scans for the variants continuously so you see them while they're being prepared, not after they've been weaponised.

What we detect

  • Typosquats — single-character insertions, omissions, repetitions, transpositions, and replacements of your domain.
  • Homoglyph confusables — Cyrillic, Greek, and mathematical look-alike characters substituted for Latin letters (the classic 'app1e.com' / 'аpple.com' attack).
  • TLD swaps — your-brand.com versus your-brand.co, .io, .net, .org, .biz, country-codes, and the rest of the long tail.
  • Vowel-swap variants — yhaoo.com / yahooo.com style mistakes.
  • Active phishing infrastructure — registered variants that resolve via DNS, respond on HTTP/HTTPS, and have certificates recorded in the public CT logs.
  • Domains being prepared for an attack — variants with certificates already logged to CT, even when DNS hasn't propagated yet.

Why it matters

A registered lookalike with a valid TLS certificate and a copy of your login page is a phishing campaign about to launch. Catching it in the prep window — when the certificate goes into a CT log, before any traffic is sent — is the difference between issuing a takedown request and explaining to customers why someone got their credentials stolen. The CT-log signal in particular is high-confidence: attackers can't avoid obtaining a publicly logged certificate if they want browser-trusted HTTPS, and CT logs are append-only.

How Nano EASM detects it

When you toggle lookalike monitoring on for a root domain (asset detail page → Lookalike monitoring), the engine generates ~250–1,000 plausible variants across the high-signal DNSTwist families (homoglyph, TLD swap, vowel swap, insertion, omission, transposition, replacement, addition, repetition, homophones). The noisier families — bitsquatting, plural-form, hyphenation — are deliberately excluded so the result set stays actionable rather than alert-fatigue-inducing. The variants are then verified in parallel against three independent signals: DNS A-record lookups, HTTP HEAD probes on ports 80 and 443, and CT-log searches via crt.sh. Any candidate with at least one positive signal becomes a Lookalike finding on the parent domain, with severity derived from the signal mix (live HTTPS + recent cert = high; DNS + cert = medium; DNS only = low). The scheduler re-runs each watched domain weekly; the engine refuses to re-scan a domain within 6 days of its last run, so manual triggers can't cost you extra lookups.
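The two mechanics described above, variant generation (the families under "What we detect") and severity derived from the signal mix, as an added example. This is illustration code written for this page, not Nano EASM's engine and not the DNSTwist library: the confusable table, TLD list and probe results are constructed and deliberately small, and the rule that any other two-signal mix (for example DNS + HTTPS with no logged cert, the parking-page case) counts as medium, and a single cert-only signal as low, is this example's reading of the page, not a stated product rule.

```python
"""Added example: lookalike-variant generation plus signal-to-severity mapping.
Not Nano EASM's engine or DNSTwist; tables and probe results are constructed."""

# Constructed confusable table: Latin letter -> Cyrillic or digit look-alikes.
HOMOGLYPHS = {"a": ["\u0430"], "e": ["\u0435"], "o": ["\u043e", "0"],
              "i": ["\u0456"], "l": ["1"]}
VOWELS = "aeiou"
TLDS = ["co", "io", "net", "org", "biz"]          # constructed TLD-swap list
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def valid_label(label):
    """Reject candidates that could never be registered as a DNS label."""
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def gen_typosquats(label):
    """Omission, repetition, transposition, replacement, insertion, addition."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                    # omission
        out.add(label[:i] + ch + label[i:])                   # repetition
        if i + 1 < len(label):                                # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])            # replacement
            out.add(label[:i] + c + label[i:])                # insertion
    out.update(label + c for c in ALPHABET)                   # addition
    out.discard(label)
    return {v for v in out if valid_label(v)}


def gen_homoglyphs(label):
    """Single-position confusable substitutions (the 'аpple.com' class)."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}


def gen_vowel_swaps(label):
    """Replace each vowel with every other vowel."""
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS
            for v in VOWELS if v != ch}


def generate_variants(domain):
    """All candidate FQDNs for one root domain, excluding the domain itself."""
    label, _, tld = domain.partition(".")
    variants = set()
    for family in (gen_typosquats, gen_homoglyphs, gen_vowel_swaps):
        variants.update(f"{v}.{tld}" for v in family(label))
    variants.update(f"{label}.{t}" for t in TLDS if t != tld)   # TLD swap
    variants.discard(domain)
    return sorted(variants)


def to_punycode(domain):
    """Registrar/DNS form of an IDN candidate; pure-ASCII names pass through."""
    return domain.encode("idna").decode("ascii")


def severity(signals):
    """Page rule: live HTTPS + recent cert = high; DNS + cert = medium;
    DNS only = low. Any other two-signal mix is treated as medium and any
    single signal as low (this example's generalisation). None = no finding."""
    if signals.get("https") and signals.get("cert") and signals.get("cert_recent"):
        return "high"
    positives = sum(bool(signals.get(k)) for k in ("dns", "https", "cert"))
    if positives >= 2:
        return "medium"
    if positives == 1:
        return "low"
    return None


# Constructed probe results, one per scenario on the page; not real lookups.
PROBES = {
    "n\u0430noeasm.com": {"dns": True, "https": True, "cert": True, "cert_recent": True},
    "nanoeasm.io": {"dns": True, "https": True, "cert": False},        # parking page
    "nanoeasm.net": {"dns": False, "https": False, "cert": True, "cert_recent": True},
    "naneasm.com": {},                                                  # unregistered
}


def triage(probes):
    """Return {punycode candidate: severity} for candidates with a positive signal."""
    findings = {}
    for candidate, signals in probes.items():
        sev = severity(signals)
        if sev:
            findings[to_punycode(candidate)] = sev
    return findings


if __name__ == "__main__":
    variants = generate_variants("nanoeasm.com")
    print(f"{len(variants)} candidates generated for nanoeasm.com")
    for name, sev in triage(PROBES).items():
        print(f"{sev:6s} {name}")
```

The punycode step matters in practice: the Cyrillic candidate is what a user sees in a mail client, but the `xn--` form is what appears in WHOIS, DNS and CT entries, so findings and takedown requests should carry both.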

Common scenarios

Attacker registers an IDN homoglyph of your domain

Your brand is nanoeasm.com. An attacker registers nаnoeasm.com (Cyrillic 'а'), spins up nginx, and gets a Let's Encrypt certificate. CT log records the cert. Within the week, our engine finds the variant via the homoglyph generator, confirms DNS + HTTPS + cert, and surfaces a high-severity Lookalike finding on nanoeasm.com with the variant URL, certificate fingerprint, and a remediation walkthrough for the registrar abuse complaint.

TLD-swap squatter parks your-brand.io

Someone registers your-brand.io and points it at a Sedo parking page. DNS resolves; HTTPS responds; no cert in CT log (the parking page uses Sedo's wildcard). It surfaces as a medium-severity finding. Whether you act depends on whether the squatter looks like an opportunistic domain parker or an actual phishing operator — but you see it either way.

Cert issued in CT log before DNS propagates

An attacker registers an IDN punycode variant and provisions a wildcard cert via DNS-01. The cert goes into the CT log within minutes. Our engine catches the cert at the next weekly tick, even though DNS hasn't propagated yet — earliest possible warning, while the campaign is still being assembled.

Available with a free account

Lookalike Domains monitoring opts a tracked asset into continuous weekly scanning, so it's not available via the anonymous Quick Scan flow. Create a free account, add your root domain, and toggle it on from the asset detail page.

Plan-tier limits apply — see the plan comparison for the number of watched domains per tier.