Updates: August 26, 2022

Highlights include a new lookalike observations panel and extended automatic categorization of lookalikes

Written by Francesca Runger-Field
Updated over a week ago

New features

New lookalike observations panel

OnDOMAIN now shows a panel of new lookalike observation cards across the top of the Domains and Activity dashboards. The purpose of these cards is to quickly provide more information and a threat priority assessment for the domains OnDOMAIN has discovered. They show:

  • Potential high-priority threats that use your logo

  • Potential threats from parked observations

  • Potentially safe observations which may be assets of your organization

  • Potentially safe observations that require your attention

When you click on the alert box button, the alert criteria will be applied in the form of filters to your Activity table, letting you review the resulting set and take action.

Resizable columns with persistable preferences

To allow more customization of the Activity and Domains page tables, we have added the option to resize columns. Whenever you resize a column in either table, the column keeps its width when you come back to the table, even after refreshing the browser tab.

New DMARC status column

OnDOMAIN collects a variety of information for each lookalike it detects. One of these checks is for the existence and policy of a DMARC record.

The Activity table now includes a new column labeled DMARC Status, which you can use to check the DMARC record policy of each lookalike in the currently detected list. For example, you can filter for lookalikes whose policy is p=reject or p=none.

If no DMARC policy record exists, the value for that lookalike on the DMARC Status column will be empty.
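The check described above can be reproduced by hand when triaging a lookalike. The following is an added example, not Red Sift's code: it assumes the TXT answers for `_dmarc.<lookalike>` have already been fetched, uses constructed domain names and records, and applies the record-selection rules of RFC 7489. The function names are hypothetical.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(txt):
    """Split one TXT string into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def dmarc_status(txt_records):
    """Return 'p=<policy>' for the published policy, or '' when none applies."""
    candidates = []
    for txt in txt_records:
        pairs = parse_tags(txt)
        # RFC 7489: the v tag must come first and be exactly DMARC1,
        # which also discards SPF and other TXT records at the same name.
        if pairs and pairs[0] == ("v", "DMARC1"):
            tags = {}
            for name, value in pairs:
                tags.setdefault(name, value)  # first occurrence wins
            candidates.append(tags)
    if len(candidates) != 1:
        return ""  # no record, or several records: no policy applies
    tags = candidates[0]
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return "p=" + policy
    # RFC 7489 6.6.3: an invalid p tag with a usable rua is treated as p=none.
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "p=none"
    return ""

def filter_by_status(records_by_domain, wanted):
    """Mimic a column filter: domains whose DMARC status equals `wanted`."""
    return sorted(d for d, txts in records_by_domain.items()
                  if dmarc_status(txts) == wanted)

# Constructed sample data: lookalike domain -> TXT strings at _dmarc.<domain>
SAMPLE = {
    "examp1e.test": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:d@examp1e.test"],
    "exarnple.test": ["v=DMARC1; p=none"],
    "example-login.test": [],
    "examplle.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "exampel.test": ["v=DMARC1; p=rejct; rua=mailto:x@exampel.test"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(f"{domain:22} {dmarc_status(txts) or '(empty)'}")
```

A lookalike that publishes p=reject has been deliberately configured for mail, which is worth weighing alongside the other signals when assigning priority.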

Extended automatic categorization of lookalikes

OnDOMAIN can automatically discover lookalikes that are more likely to be your assets.

We have expanded the number of data sources for the automatic asset discovery process in order to find even more potential assets related to your domains.

The categorization of the lookalikes detected from these new data sources will be shown in the form of the Asset? keyword (note the trailing question mark) - not to be confused with the current Asset keyword.

The difference between the two keywords is as follows:

  • Asset: we’re confident that the corresponding lookalike domain is an asset of yours.

  • Asset?: we believe the corresponding lookalike domain could be an asset of yours but requires further investigation from you.

Improvements

Renaming of Safe tab to Ignored in Activity

The word Safe carries strong connotations, so we decided to rename the tab to Ignored.

In the end, lookalikes that you don’t consider a threat, but want to keep in a classified state, can be marked as Ignored.

However, OnDOMAIN will not ignore them and will keep scanning them periodically.

More consistent back navigation in Activity

By default, OnDOMAIN opens the Unclassified tab when you access the Activity page. Previously, if you entered a lookalike details page from a different tab and clicked the Back button, you would be redirected to the default tab, Unclassified.

Now OnDOMAIN returns you to the Activity tab you were on when you opened the lookalike details page.

Better screenshot fetching of domains

The scanning process of OnDOMAIN includes a stage in which the screenshot of the scanned lookalike domain is obtained and displayed in the details page.

This screenshot comes from a built-in Red Sift service that has been improved in order for OnDOMAIN to get screenshots faster and more consistently.

Fixes

Consistent action of marking lookalikes as domains

OnDOMAIN allows you to mark a lookalike domain as a domain you own, by using the Add as my domain action.

However, this action behaved inconsistently, especially when marking a subdomain as a domain.

We fixed the logic surrounding this action so that, whenever you mark a lookalike as your domain, the following happens:

  • The TLD (Top Level Domain) is added to your list of domains.

  • If the targeted lookalike domain is a subdomain, the subdomain is added to the list of subdomains for the associated TLD.

  • Any lookalike subdomains in Activity that are associated with the TLD are added to the list of subdomains of the TLD.

As a practical example, imagine you have the following in your Activity table:

  • _bimi.example.com in the Unclassified tab.

  • example.com in the Ignored tab.

  • _dmarc.example.com in the Threats tab.

If you add _bimi.example.com as your domain, the following will happen:

  • example.com will be added to your Domains page, as another row in the table.

  • _bimi.example.com and _dmarc.example.com will be added as subdomains of example.com, and you will be able to see them in the subdomains table on the example.com details page.
