Context Similarity Tab View


A suspect domain, like adsitct.bgjutdqwpcdddtj[.]com, surfaces in your alerts without context. Is it isolated noise, or does it mirror infrastructure from known threats, such as phishing kits? Manual pivots across DNS, certificates, and feeds drain triage time.

The Context Similarity view, available inside Total View, surfaces malicious domains from Silent Push Indicator of Future Attack (IOFA) feeds that share setup and management patterns with your target indicator. It ranks those matches in a graph and a table, using over 50 traits, including shared nameservers, ASNs, certificate handling, reputation scores, and open directories, to highlight behavioral ties.

Available for domains, this view leverages Silent Push's DNS and Web Data aggregation to enhance tools like Infrastructure Variance for ownership shifts and PADNS for resolution details.

Unknown indicators require quick context, but scattered analysis slows the hunt. This view provides immediate "directionality": it clusters similar threats and reveals patterns, such as overlaps in bulletproof hosting, so you can choose next steps without prior knowledge of the indicator. Security teams use it to assess the likelihood of malicious activity, infer the activity type (e.g., malware C2), and prioritize pivots, freeing resources for overstretched SOCs.

It also supports proactive hunting, such as linking a novel domain to FIN7-style infrastructure via certificate similarities, or auditing open directories for data leaks, which is essential for rapid attribution in defender workflows.

How It Works

Silent Push's proprietary engine profiles every IOFA domain with 50+ characteristics and computes similarity scores that benchmark your input against that corpus. The graph orders results from left to right (most to least similar), with colors indicating feed types. The table expands each result into its individual traits (green for matches, red for differences) so you can judge a match on the specific traits that drive it rather than on the aggregate score alone.

Because the datasets are Silent Push's own rather than licensed from third parties, there are no coverage gaps when the input is an indicator nobody has reported yet. The view also integrates with the rest of Total View: a high-similarity hit might echo PADNS anomalies, flagging dynamic resolutions, and the match feeds into Total View's layered enrichment.
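The trait-overlap logic described above, and the percentages and green/red trait rows in the Example section below, can be made concrete with a small ranking routine. The following is an added illustration for this page, not Silent Push's engine or any of its code: the real engine uses 50+ proprietary characteristics and its own weighting, whereas this toy uses seven hypothetical traits with made-up weights, and the domain profiles (nameservers, ASNs, issuers) are constructed sample data using documentation-reserved values.

```python
"""Toy trait-overlap ranking in the style of a Context Similarity table.

Added illustration, not Silent Push code. Trait names, weights and the
sample profiles below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical weights: traits that are costly for an operator to change
# (nameserver, ASN, certificate issuer) count more than cheap ones.
TRAIT_WEIGHTS = {
    "nameserver": 3.0,
    "asn": 3.0,
    "cert_issuer": 2.0,
    "cert_lifetime_days": 1.0,
    "tld": 1.0,
    "open_directory": 1.0,
    "reputation": 1.0,
}


@dataclass
class Profile:
    domain: str
    feed: Optional[str]          # IOFA feed name; None for the input indicator
    traits: dict


@dataclass
class Match:
    domain: str
    feed: Optional[str]
    similarity: float            # percent of total trait weight that matched
    matched: list = field(default_factory=list)    # the "green" rows
    differing: list = field(default_factory=list)  # the "red" rows


def score(target: Profile, candidate: Profile) -> Match:
    """Weighted share of traits on which candidate equals target."""
    got, total, matched, differing = 0.0, 0.0, [], []
    for trait, weight in TRAIT_WEIGHTS.items():
        total += weight
        if target.traits.get(trait) == candidate.traits.get(trait):
            matched.append(trait)
            got += weight
        else:
            differing.append(trait)
    return Match(candidate.domain, candidate.feed,
                 round(100.0 * got / total, 1), matched, differing)


def rank(target: Profile, corpus: list) -> list:
    """Most similar first, like the graph's left-to-right order."""
    return sorted((score(target, c) for c in corpus),
                  key=lambda m: (-m.similarity, m.domain))


def filter_results(matches: list, min_similarity: float = 0.0,
                   feeds: Optional[set] = None) -> list:
    """Mirror the view's similarity-threshold and feed-color filters."""
    return [m for m in matches
            if m.similarity >= min_similarity
            and (feeds is None or m.feed in feeds)]


# Constructed sample data (AS64496/AS64500 and example.net are reserved for
# documentation; the traits are invented, not observed values).
TARGET = Profile("adsitct.bgjutdqwpcdddtj[.]com", None, {
    "nameserver": "ns1.example.net", "asn": "AS64496",
    "cert_issuer": "Let's Encrypt", "cert_lifetime_days": 90,
    "tld": "com", "open_directory": False, "reputation": "low"})

CORPUS = [
    Profile("lukkal[.]cyou", "Bulletproof Hosting Feeds", {
        "nameserver": "ns1.example.net", "asn": "AS64496",
        "cert_issuer": "Let's Encrypt", "cert_lifetime_days": 90,
        "tld": "cyou", "open_directory": False, "reputation": "high"}),
    Profile("muvisfaeco[.]top", "Phishing Feeds", {
        "nameserver": "ns2.example.net", "asn": "AS64496",
        "cert_issuer": "Let's Encrypt", "cert_lifetime_days": 90,
        "tld": "top", "open_directory": True, "reputation": "low"}),
    Profile("example.com", "Benign Reference", {
        "nameserver": "a.iana-servers.net", "asn": "AS64500",
        "cert_issuer": "DigiCert", "cert_lifetime_days": 365,
        "tld": "com", "open_directory": False, "reputation": "high"}),
]


if __name__ == "__main__":
    for m in rank(TARGET, CORPUS):
        print(f"{m.similarity:5.1f}%  {m.domain:28} {m.feed}")
        print(f"        green: {', '.join(m.matched)}")
        print(f"        red:   {', '.join(m.differing)}")
```

With the constructed profiles, lukkal[.]cyou ranks first (shared nameserver, ASN and issuer carry most of the weight; TLD and reputation are the red rows), muvisfaeco[.]top second, and the benign reference last. The point is the reading habit the table encourages: a score is the sum of its traits, so before pivoting, check that the green rows are infrastructure choices (nameserver, ASN, issuer) rather than cheap coincidences such as a shared TLD.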

Generate a Set of Results

Enter a domain (e.g., adsitct.bgjutdqwpcdddtj[.]com) in the search bar to open Total View, then select Context Similarity. The graph and table populate; hover over dots for feed details, expand rows for traits, and filter by similarity threshold or feed color.

Example

Query adsitct.bgjutdqwpcdddtj[.]com in Context Similarity: the graph shows a leftmost red dot for lukkal[.]cyou (Bulletproof Hosting Feeds) with 85% trait overlap, driven by shared nameservers and ASNs. Farther right, muvisfaeco[.]top shows 62% similarity, still worth review.

The table ranks lukkal[.]cyou first; expanding it shows green-matched certificate issuers and red-differing reputation scores, with a trend line peaking at 1,247 indicators (2025-10-08). Hover over the cluster for feed notes: the Description flags bulletproof-hosting ties to evasion TTPs.

Chart displaying similarity between domains related to paypal.com and their indicators.

Fields

  • Similarity rank: The ordinal position based on trait matches (e.g., #1 for closest infra twin).

  • Domain: The matched malicious indicator from IOFA Feeds (e.g., lukkal[.]cyou).

  • Feed Color/Legend: Visual cue for Source Type, with hovers showing descriptions.

Context Similarity view

The table view lists ranked domains with expandable trait breakdowns for deep dives. For benign inputs like example.com, expect sparse or low-similarity results.

It lists each matched domain, its source feed (e.g., Bulletproof Hosting Feeds), its similarity percentage, and its IOFA flags. Expand a row for the 50+ trait comparisons: shared ASNs in green, unique open directories in red. Hover over graph lines for granular information: trait weights, update timestamps, and pivot links.

Use Case

Spot phishing patterns, like cert-managed domains tied to credential harvesters.

Work with Context Similarity Results

The view supports one-click actions, such as pivoting to DNS records or to Live Scans for real-time infrastructure snapshots. Customize columns (e.g., add reputation diffs), export CSVs for intel sharing, or save clusters to Draft Feeds for ongoing similarity monitoring, for example to catch spikes from an emerging campaign.

Tips

  • Prioritize the graph: scan the leftmost dots and legend colors for high-fidelity threats, such as phishing feeds.

  • Dive into the table: sort by Similarity Rank, then expand traits to cross-check the drivers of a match against external intel before pivoting on it.

  • Layer analysis: Pair with Infrastructure Variance or PADNS for full infra storytelling.