Silent Push provides tools to monitor and detect brand impersonation attempts through various query types: Domain Impersonation, Email Impersonation, Favicon Impersonation, and HTML Title Impersonation. These tools help organizations track potential threats, protect brand integrity, and respond proactively to phishing and impersonation attacks. This guide explains how to use each query, monitor results, and understand the output.
Monitor Brand Impersonation Results
The Monitor feature allows you to track results from any Brand Impersonation query and receive alerts about changes every 24 hours via email. Key benefits include:
Real-time Threat Surveillance: Continuous tracking of domains and sites that may impersonate your brand, alerting teams to new threats as they emerge.
Rapid Phishing Detection: Quickly flags impersonation attempts, enabling proactive responses to reduce phishing risks.
Brand Integrity Protection: Minimizes damage to brand reputation and user trust by addressing impersonation issues early.
Efficiency for Security Teams: Automates detection, freeing teams from manual searches to focus on analysis and mitigation.
Threat Actor Insights: Identifies trends in impersonation tactics, providing data to enhance security strategies.
Set Up Monitoring for a Brand Impersonation Result Set
Run one of the following Brand Impersonation queries:
Domain Impersonation
Email Impersonation
Favicon Impersonation
HTML Title Impersonation
From the Query Results section, select Monitor.
In the Monitor name box, enter a name for the monitor.
(Optional) In the Description box, add a description of the monitor.
Click Save.
Brand Impersonation Query Types
Domain Impersonation Query
The Domain Impersonation query allows users to detect domains impersonating their brand through domain name similarities or other indicators.
Execute a Domain Impersonation Query
Navigate to Brand Impersonation > Domain Impersonation.
Enter a domain name in the Domain Name box.
Click Search.
(Optional) Click Save to store the query or results.
Monitor and Save Results
Monitoring
Click Monitor on the results screen, enter a Monitor name and Description, then click Save to receive daily email alerts.
Save to a Feed
Left-click one or multiple results.
Select Save to in the top-right of the results screen.
Use the contextual menu to save to an existing or new collection/feed.
Email Impersonation Query
The Email Impersonation query detects domains targeting organizations through MX (Mail Exchange) record manipulation, where attackers disguise malicious emails as originating from legitimate mail servers.
Execute an Email Impersonation Query
Navigate to Brand Impersonation > Email Impersonation.
Enter a domain name in the Domain Name box (wildcards are not supported).
(Optional) Click Save to store the query for future use.
Click Search.
Understand Email Impersonation Results
Results are displayed in an Explore table with the following columns:
Query: Domain the result pertains to.
Risk Score: Silent Push Risk Score.
Answer: MX record.
First Seen: Date and time the MX record was first observed.
Last Seen: Date and time the MX record was last observed.
MX Hash: Hash value of the MX record.
MX Server Density: Density of the MX server.
WHOIS Created Date: Domain creation date.
WHOIS Registrar: Registrar of the domain.
Monitor and Save Results
Monitoring
Click Monitor on the results screen, enter a Monitor name and Description, then click Save to receive daily email alerts.
Save to a Feed
Left-click one or multiple results.
Select Save to in the top-right of the results screen.
Use the contextual menu to save to an existing or new collection/feed.
Favicon Impersonation Query
The Favicon Impersonation query identifies domains using a brand’s favicon without authorization to enhance the credibility of phishing or illegitimate domains.
Threat actors use favicons to:
Increase the visual credibility of illegitimate domains.
Enhance the realism of phishing attacks.
Evade basic detection tools.
Boost social engineering efforts.
Maintain consistency across phishing domains.
Execute a Favicon Impersonation Query
From the home page, select Brand Impersonation > Favicon Impersonation.
Click Create New +.
In the Domain Name box, enter the domain to investigate.
Click Search.
(Optional) Click Save to store the results.
Understand Favicon Impersonation Results
Results are displayed in a table with the following columns:
Scan Date: Date and time of the scan.
Origin URL: Originally scanned URL.
URL: Final destination URL of the query.
Hostname: Name of the domain.
Favicon Icons: Image of the favicon.
Favicon Murmur3: Murmur3 hash of the standard favicon.
Favicon2 Murmur3: Murmur3 hash of an alternative favicon.
Filter and Expand Results
Add or remove filters by selecting the icon next to Basic Raw Data and choosing preferences.
Select Expand on a result to view additional details.
HTML Title Impersonation Query
The HTML Title Impersonation query detects domains mimicking a legitimate domain’s HTML title to increase credibility in phishing campaigns or search results.
Threat actors use HTML titles to:
Support phishing campaigns.
Manipulate URLs.Reduce suspicion during redirection to illegitimate domains.
Evade detection mechanisms that monitor explicit branding or logo abuse.
Execute an HTML Title Impersonation Query
From the home page, select Brand Impersonation > HTML Title Impersonation.
Click Create New +.
In the Domain Name box, enter the domain to investigate.
Click Search.
(Optional) Click Save to store the results or Monitor to set up alerts.
Understand HTML Title Impersonation Results
Results are displayed in a table with the following columns:
HTML Title: HTML title of the result.
Scan Date: Date and time of the scan.
Origin URL: Originally scanned URL.
URL: Final destination URL of the query.
IP: IP address of the domain.
Hostname: Name of the domain.
Filter and Expand Results
Add or remove filters by selecting the icon next to Basic Raw Data and choosing preferences.
Select Expand on a result to view additional details.