A suspect domain, like adsitct.bgjutdqwpcdddtj[.]com, surfaces in your alerts without context. Is it isolated noise, or does it mirror infrastructure from known threats like phishing kits? Manual pivots across DNS, certs, and feeds drain your triage time.
The Context Similarity tab uncovers malicious domains from Silent Push Indicator of Future Attack (IOFA) feeds that share setup and management patterns with your target indicator, all in Total View. It ranks similarities via a graph and table, using over 50 traits like shared nameservers, ASNs, certificate handling, reputation scores, and open directories to spotlight behavioral ties.
Available for domains, this tab leverages Silent Push's DNS and Web Data aggregation to enhance tools like Infrastructure Variance for ownership shifts and PADNS for resolution details.
Why is it useful?
Unknown indicators demand quick context, but scattered analysis slows down the hunt. By clustering similar threats and revealing patterns such as bulletproof hosting overlaps, this tab delivers instant “directionality” that guides next steps without prior intel. Security teams can gauge malicious likelihood, infer activity types (e.g., malware C2), and prioritize pivots, freeing resources for stretched SOCs.
It supports proactive hunting, such as linking a novel domain to FIN7-style infrastructure via certificate similarities, or auditing open directories for data leaks, essential for rapid attribution in defender workflows.
How does it work?
Silent Push's proprietary engine profiles every IOFA domain with 50+ characteristics, computing similarity scores to benchmark your input against the corpus. The graph orders results left-to-right (most to least similar), with colors for feed types; the table expands traits (green for matches, red for diffs) for nuanced judgments.
The engine has no third-party reliance, ensuring gap-free datasets tailored for unknowns. It integrates with the other views: a high-similarity hit might echo PADNS anomalies, flagging dynamic resolutions, while tying into Total View for layered enrichment.
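To make the ranking idea concrete, here is an added example (not Silent Push code and not its proprietary scoring) that ranks feed domains by weighted trait overlap and separates matching traits from differing ones, as the table view does with green and red. The five trait names, the weights, the `reputation_band` simplification, and all sample profiles are assumptions constructed for illustration.

```python
# Assumed trait weights (hypothetical): the page names these trait kinds but
# publishes neither weights nor the scoring formula.
WEIGHTS = {"nameservers": 3.0, "asn": 2.0, "cert_issuer": 2.0,
           "reputation_band": 1.0, "open_directory": 1.0}

def compare(target, candidate):
    """Return (similarity_pct, matches, diffs) for two trait profiles."""
    matches, diffs, score, total = [], [], 0.0, 0.0
    for trait, weight in WEIGHTS.items():
        a, b = target.get(trait), candidate.get(trait)
        if a is None or b is None:
            continue  # unobserved on one side: counts as neither match nor diff
        total += weight
        if isinstance(a, set):
            # Set-valued traits earn partial credit via Jaccard overlap.
            overlap = len(a & b) / len(a | b) if (a | b) else 0.0
        else:
            overlap = 1.0 if a == b else 0.0
        score += weight * overlap
        (matches if overlap == 1.0 else diffs).append(trait)
    pct = round(100 * score / total, 1) if total else 0.0
    return pct, matches, diffs

def rank(target, corpus, threshold=0.0):
    """Order corpus domains most to least similar; drop those below threshold."""
    rows = []
    for domain, profile in corpus.items():
        pct, matches, diffs = compare(target, profile)
        if pct >= threshold:
            rows.append({"domain": domain, "similarity": pct,
                         "matches": matches, "diffs": diffs})
    rows.sort(key=lambda r: (-r["similarity"], r["domain"]))
    for position, row in enumerate(rows, 1):
        row["rank"] = position
    return rows

# Constructed sample profiles: placeholder domains and values, not real data.
NS = {"ns1.host.example", "ns2.host.example"}
TARGET = {"nameservers": NS, "asn": 64500, "cert_issuer": "Example CA",
          "reputation_band": "low", "open_directory": False}
CORPUS = {
    "feed-a.example": {"nameservers": set(NS), "asn": 64500, "cert_issuer": "Example CA",
                       "reputation_band": "high", "open_directory": False},
    "feed-b.example": {"nameservers": {"ns1.host.example", "ns9.other.example"},
                       "asn": 64501, "cert_issuer": "Example CA", "open_directory": True},
}
if __name__ == "__main__":
    for row in rank(TARGET, CORPUS, threshold=25.0):
        print(row)
```

Skipping traits that were never observed for a domain keeps a sparse profile from being scored as a mismatch, which matters when comparing newly registered domains with little history.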
Generate a set of results
Input a domain (e.g., adsitct.bgjutdqwpcdddtj[.]com) in the search bar to launch Total View, then select the Context Similarity tab. The graph and table populate, allowing you to hover over dots for feed details, expand rows for traits, and filter by similarity threshold or feed color.
Example
Query adsitct.bgjutdqwpcdddtj[.]com in Context Similarity: The graph shows a leftmost red dot for lukkal[.]cyou (Bulletproof Hosting Feeds), with 85% trait overlap on nameservers and ASNs. Farther right, muvisfaeco[.]top clocks 62% similarity, still viable for review.
The table ranks lukkal[.]cyou first, expanding to green-matched cert issuers and red-diffed reputation scores, with a trend line peaking at 1,247 indicators (2025-10-08). Hover over the cluster for feed notes; the description flags bulletproof ties to evasion TTPs.

Fields
Similarity rank: The ordinal position based on trait matches (e.g., #1 for closest infra twin).
Domain: The matched malicious indicator from IOFA Feeds (e.g., lukkal[.]cyou).
Feed Color/Legend: Visual cue for Source Type, with hovers showing descriptions.
Context Similarity view
The table view logs ranked domains with expandable trait breakdowns for deep dives. For benign inputs like example.com, it may return sparse or low-similarity results.
It lists domains (e.g., Bulletproof Hosting Feeds), similarity percentages, and IOFA flags. Expand a row for 50+ trait differences: shared ASNs in green, unique open directories in red. Hover over graph lines for granular info: trait weights, update timestamps, and pivot links.
Use case
Spot phishing patterns, like cert-managed domains tied to credential harvesters.
Work with Context Similarity results
The tab supports one-click actions, such as pivoting to DNS records or Live Scans for real-time infrastructure snapshots. Customize columns (e.g., add reputation diffs), export CSVs for intel sharing, or save clusters to Draft Feeds for ongoing similarity monitoring, such as emerging campaign spikes.
Tips
Prioritize graph: Scan the leftmost dots and legend colors for high-fidelity threats, such as phishing feeds.
Dive into the table: Sort by Similarity Rank, then expand traits to cross-check with external intel.
Layer analysis: Pair with Infrastructure Variance or PADNS for full infra storytelling.