ZeroTrace OSINT
Tutorial, Investigate a suspicious domain
From "this domain looks suspicious" to a sourced infrastructure profile of who runs it, in twenty-five minutes.
A phishing report names a domain. Your job is to find out who is behind it, what infrastructure it sits on, and whether it is part of a wider campaign. This walkthrough is the standard pattern for that kind of investigation.
What you need
- The toolkit installed and licensed.
- A target domain you have a lawful reason to investigate. (For practice, pick a well-known historical phishing domain, or one of your own test domains.)
- Twenty-five minutes.
Step 1, Open a profile (1 minute)
From the dashboard, create a new profile. Name it after the target (e.g., phishing-suspect-bank-clone-2026-05).
In the profile's notes, write three lines:
- Question: Who is behind this domain and is it part of a wider campaign?
- Audience: Internal SOC team / threat-intel publication / fraud team, pick one.
- Done when: Either confidently attributed or confidently exhausted.
Step 2, WHOIS lookup (3 minutes)
Open the command palette (Ctrl+K) and type whois. Pick WHOIS Lookup. Paste the domain. Run.
You're looking for:
- Domain age. A registration in the last thirty days is a phishing red flag.
- Registrar. Reputable corporate registrars are rare for phishing; aggressively-cheap registrars are common.
- Privacy proxy. Most personal-domain registrants use one. A fully redacted record is normal; the absence of redaction (a real name visible) is interesting.
- Nameservers. The DNS infrastructure tells you which provider the domain points at.
Pin the result to the profile. Read more about WHOIS in Network → WHOIS.
Step 3, DNS lookup (3 minutes)
Pivot from the WHOIS result by clicking the domain. The pivot menu opens. Pick DNS Lookup.
Look at:
- A / AAAA records. Where the domain points.
- MX records. Whether the domain accepts email: if yes, the operator can receive replies; if no, the domain is one-way.
- SPF / DMARC. Whether mail-from-this-domain is hardened (legitimate sites usually are; throwaway phishing usually is not).
- TTL. Low TTLs (sub-minute) suggest the operator expects to change records.
Pin to the profile.
Step 4, IP enrichment (5 minutes)
Click the A record IP. Pivot to IP Geolocation. The result shows:
- Country, city.
- ISP and ASN.
- Hosting / residential flag: phishing domains almost always sit on hosting / VPS, rarely residential.
Pin. Click the same IP again, pivot to ASN Lookup. Read the:
- Organisation name (the network's owner).
- Announced prefix count (small ASN with few prefixes = small VPS provider; large ASN = major cloud provider).
- Abuse contact.
Pin. One more pivot from the IP: IP Reputation. Cross-feed check tells you if the IP is on threat-intel feeds.
Pin.
Step 5, Reverse DNS for co-tenants (5 minutes)
From the IP, pivot to Reverse DNS. The PTR records tell you the hostname the operator gave the IP.
Then run reverse DNS as a bulk operation against the surrounding /24: paste the expanded range from the CIDR tools' range expander. The hostnames that do resolve in the neighbourhood often share patterns with the target, which is a strong infrastructure-cluster signal.
Pin any clusters you find.
Step 6, Certificate transparency for siblings (5 minutes)
Pivot back from the original domain. Open Certificate Transparency (subdomain discovery).
Run it against the apex. Every name that has ever appeared on a certificate the apex covered shows up. Look for:
- Suspicious sibling subdomains (login.target.com, secure.target.com, etc.).
- Sibling apex domains in the SAN (occasionally one cert covers several "sibling" phishing domains together).
- "First seen" dates close to today (newly-issued cert = newly-built infrastructure).
Pin the cluster.
Step 7, Site analysis for the live page (3 minutes)
If the domain is currently live, pivot to Site Analysis. You will see:
- Tech stack (CMS, framework, third-party scripts).
- Security headers (or lack thereof).
- Cookies set.
- External hosts the page references.
Compare against the legitimate site the target is impersonating. Differences in tech stack are common; phishers rarely match the real site's stack.
If the domain is not live, pivot to Wayback Archive instead to see what the page used to show.
Pin.
Step 8, Favicon hash for cluster spotting (2 minutes)
Pivot to Favicon Hash. The hash is computed from the favicon file itself, so it is the same regardless of how the operator hosts it.
Open the constructed Shodan / Censys facet links. Every other host on the internet sharing the same favicon is a candidate cluster member. For a phishing campaign, this is the single highest-signal way to find the rest of the operator's infrastructure.
Pin any cluster you find.
Step 9, Synthesise (3 minutes)
Open the profile's notes. Write the executive summary:
The domain target.com, registered on 2026-04-15 (30 days ago) at Namecheap with full privacy redaction, points to an IP at small VPS provider X (ASN 12345, organisation "Discount Hosting"). The IP hosts 14 other domains, of which 6 share the same registration date window. Certificate transparency shows the apex has had certs covering login.target.com, secure.target.com, and account.target.com in the last week. Favicon hash matches 8 other live domains in the same VPS range, all currently unflagged on threat-intel feeds. Recommendation: block the entire cluster at the firewall and submit to abuse.ch URLhaus.
Tag every finding as confirmed or pending. Mark the headline finding critical.
Step 10, Export (1 minute)
From the profile's top-level menu, click Export → PDF. The dark-themed PDF is your deliverable.
Done.
The whole pattern took eight tools and two pivot pages. The PDF that results is sourced: every claim references a public source the reader can verify. That's the difference between "I think this is suspicious" and "here is the case."
Variations
Things you might add depending on the case:
- Email permutator against the registrant's apparent name → breach lookup to see whether the registrant uses real personal emails on this infrastructure.
- TLS inspector to read the cert details and compare to the legitimate target.
- Web crawler to extract emails / phones from the live page.
- Pastebin search for any of the IPs / domains you discovered; sometimes someone has already posted IOC dumps.
What you learned
The domain-investigation pattern is one entity, eight tools, two pivot levels deep, one profile, one export. Internalise it, and most domain-investigation cases run in under thirty minutes.