Punycode🔗
The Punycode Detector looks for phishing domains that use punycode for homograph attacks where the domain is trying to appear similar to a legitimate domain. With punycode phishing attacks, URLs will look legitimate, and the content on the page might appear legitimate, but it’s actually a different website. The Punycode Detector compares domains to a monitored, hand-curated list of the most popular legitimate domains, looks at the age of the new domain (older domains are more likely to be legitimate) and other factors. If the visual similarity of the URL crosses a predetermined threshold, an alert is issued to the Secureworks® Taegis™ XDR Alerts API and will appear in XDR. The confidence level of an alert is currently binary, with a return of 0 or 1.
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
- DNS
Inputs🔗
Detections are from the following normalized sources:
- DNS
Outputs🔗
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category🔗
- MITRE Enterprise ATT&CK - Initial Access - Spearphishing Link. For more information, see MITRE Technique T1566.002.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References🔗
- Schemas