
ZeroTrace OSINT

Tutorial — Investigate a suspicious domain

From "this domain looks suspicious" to a sourced infrastructure profile of who runs it, in twenty-five minutes.

A phishing report names a domain. Your job is to find out who is behind it, what infrastructure it sits on, and whether it is part of a wider campaign. This walkthrough is the standard pattern for that kind of investigation.

What you need

  • The toolkit installed and licensed.
  • A target domain you have a lawful reason to investigate. (For practice, pick a well-documented historical phishing domain, or one of your own test domains.)
  • Twenty-five minutes.

Step 1 — Open a profile (1 minute)

From the dashboard, create a new profile. Name it after the target (e.g., phishing-suspect-bank-clone-2026-05).

In the profile's notes, write three lines:

  1. Question: Who is behind this domain and is it part of a wider campaign?
  2. Audience: Internal SOC team / threat-intel publication / fraud team — pick one.
  3. Done when: Either confidently attributed or confidently exhausted.

Step 2 — WHOIS lookup (3 minutes)

Open the command palette (Ctrl+K) and type whois. Pick WHOIS Lookup. Paste the domain. Run.

You're looking for:

  • Domain age. A registration in the last thirty days is a phishing red flag.
  • Registrar. Reputable corporate registrars are rare for phishing; aggressively-cheap registrars are common.
  • Privacy proxy. Most personal-domain registrants use one, so a fully redacted record is normal; the absence of redaction (a real name visible) is the interesting case.
  • Nameservers. The DNS infrastructure tells you which provider the domain points at.

Pin the result to the profile. Read more about WHOIS in Network → WHOIS.

Step 3 — DNS lookup (3 minutes)

Pivot from the WHOIS result by clicking the domain. The pivot menu opens. Pick DNS Lookup.

Look at:

  • A / AAAA records. Where the domain points.
  • MX records. Whether the domain accepts email — if yes, the operator can receive replies; if no, the domain is one-way.
  • SPF / DMARC. Whether mail from this domain is hardened (legitimate sites usually are; throwaway phishing domains usually are not).
  • TTL. Low TTLs (sub-minute) suggest the operator expects to change records.

Pin to the profile.
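The WHOIS and DNS red flags from steps 2 and 3, written up as one repeatable triage function over pinned records. This is an added example, not part of the toolkit; the record layout, the registrar name, the address 203.0.113.10 and the fixed reference date are all constructed for illustration.

```python
from datetime import date

# Constructed stand-ins for the pinned WHOIS and DNS results of one domain.
SAMPLE_WHOIS = {"created": date(2026, 4, 15), "registrar": "ExampleCheapReg",
                "redacted": True}
SAMPLE_DNS = {
    "A": [("203.0.113.10", 30)],            # (address, TTL in seconds)
    "MX": [],                               # no mail exchangers at all
    "TXT": ["example-site-verification=abc"],  # no v=spf1 record present
    "_dmarc.TXT": [],                       # no DMARC policy published
}
TODAY = date(2026, 5, 15)   # fixed reference date so the result is reproducible

def has_spf(txt_records):
    """SPF lives in an apex TXT record beginning with v=spf1."""
    return any(r.lower().startswith("v=spf1") for r in txt_records)

def has_dmarc(dmarc_txt_records):
    """DMARC lives in the _dmarc.<domain> TXT record beginning with v=DMARC1."""
    return any(r.lower().startswith("v=dmarc1") for r in dmarc_txt_records)

def triage(whois, dns, today=TODAY):
    """Return the step 2 / step 3 red flags that these records trip, in checklist order."""
    flags = []
    age_days = (today - whois["created"]).days
    if age_days <= 30:                      # registered within the last thirty days
        flags.append(f"domain registered {age_days} days ago")
    if not whois["redacted"]:               # unusual: real registrant name visible
        flags.append("registrant not redacted: real name visible")
    if not dns["MX"]:                       # one-way domain, operator cannot receive replies
        flags.append("no MX: domain is one-way (cannot receive replies)")
    if not has_spf(dns["TXT"]):
        flags.append("no SPF record")
    if not has_dmarc(dns["_dmarc.TXT"]):
        flags.append("no DMARC policy")
    low_ttl = [addr for addr, ttl in dns["A"] if ttl < 60]   # sub-minute TTL
    if low_ttl:
        flags.append(f"sub-minute TTL on A record(s) {', '.join(low_ttl)}")
    return flags
```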

Step 4 — IP enrichment (5 minutes)

Click the A record IP. Pivot to IP Geolocation. The result shows:

  • Country, city.
  • ISP and ASN.
  • Hosting / residential flag — phishing domains almost always sit on hosting / VPS, rarely residential.

Pin. Click the same IP again, pivot to ASN Lookup. Read the:

  • Organisation name (the network's owner).
  • Announced prefix count (small ASN with few prefixes = small VPS provider; large ASN = major cloud provider).
  • Abuse contact.

Pin. One more pivot from the IP: IP Reputation. Cross-feed check tells you if the IP is on threat-intel feeds.

Pin.

Step 5 — Reverse DNS for co-tenants (5 minutes)

From the IP, pivot to Reverse DNS. The PTR records tell you the hostname the operator gave the IP.

Then run reverse DNS as a bulk operation against the surrounding /24: paste the expanded range from the CIDR tools' range expander. The hostnames that do resolve in that neighbourhood often share naming patterns with the target, which is a strong infrastructure-cluster signal.

Pin any clusters you find.

Step 6 — Certificate transparency for siblings (5 minutes)

Pivot back from the original domain. Open Certificate Transparency (subdomain discovery).

Run it against the apex. Every name that has ever appeared on a certificate the apex covered shows up. Look for:

  • Suspicious sibling subdomains (login.target.com, secure.target.com, etc.).
  • Sibling apex domains in the SAN (occasionally one cert covers several "sibling" phishing domains together).
  • "First seen" dates close to today (newly-issued cert = newly-built infrastructure).

Pin the cluster.

Step 7 — Site analysis for the live page (3 minutes)

If the domain is currently live, pivot to Site Analysis. You will see:

  • Tech stack (CMS, framework, third-party scripts).
  • Security headers (or lack thereof).
  • Cookies set.
  • External hosts the page references.

Compare against the legitimate site the target is impersonating. Differences in tech stack are common — phishers rarely match the real site's stack.

If the domain is not live, pivot to Wayback Archive instead — what the page used to show.

Pin.

Step 8 — Favicon hash for cluster spotting (2 minutes)

Pivot to Favicon Hash. The hash is the same regardless of how the operator hosts it.

Open the constructed Shodan / Censys facet links. Every other host on the internet sharing the same favicon is a candidate cluster member. For a phishing campaign, this is the single highest-signal way to find the rest of the operator's infrastructure.

Pin any cluster you find.

Step 9 — Synthesise (3 minutes)

Open the profile's notes. Write the executive summary:

The domain target.com, registered on 2026-04-15 (30 days ago) at Namecheap with full privacy redaction, points to an IP at small VPS provider X (ASN 12345, organisation "Discount Hosting"). The IP hosts 14 other domains, of which 6 share the same registration date window. Certificate transparency shows the apex has had certs covering login.target.com, secure.target.com, and account.target.com in the last week. Favicon hash matches 8 other live domains in the same VPS range, all currently unflagged on threat-intel feeds. Recommendation: block the entire cluster at the firewall and submit to abuse.ch URLhaus.

Tag every finding confirmed or pending. Mark the headline finding critical.

Step 10 — Export (1 minute)

From the profile's top-level menu, click Export → PDF. The dark-themed PDF is your deliverable.

Done.

The whole pattern took eight tools and two pivot pages. The PDF that results is sourced — every claim references a public source the reader can verify. That's the difference between "I think this is suspicious" and "here is the case."

Variations

Things you might add depending on the case:

  • Email permutator against the registrant's apparent name → breach lookup to see whether the registrant uses real personal emails on this infrastructure.
  • TLS inspector to read the cert details and compare to the legitimate target.
  • Web crawler to extract emails / phones from the live page.
  • Pastebin search for any of the IPs / domains you discovered — sometimes someone has already posted IOC dumps.

What you learned

The domain-investigation pattern is one entity, eight tools, two pivot levels deep, one profile, one export. Internalise it, and most domain-investigation cases run in under thirty minutes.
