OnDOMAIN's email honeypot feed

How does OnDOMAIN's email honeypot feed work and what value does it provide?

Written by Stéphane Puthod
Updated over a week ago

OnDOMAIN's email honeypot detects email traffic that relates to domain assets and lookalike domains. The email data obtained through the honeypot feed is not classified as threat data; it is general email data acquired from domain assets and lookalike domains. The honeypot detects emails based on the presence of the domain name in the email contents and headers.

What does it enable for a user?


The email honeypot provides an additional filter for users who are classifying activity in their Lookalike Domains view. It allows them to sort lookalikes by the number of emails the honeypot has detected. A high volume of emails could suggest an increased risk of fraudulent activity on the domain in question and would alert the Security team to prioritize it for analysis.

Who can access the feature?


Only users with admin permissions will be able to see email details, after accepting the new T&C (Terms and Conditions).

Where can I find it?

The email honeypot feature has been added to OnDOMAIN's Domain and Activity dashboard under the column name "Detected emails".

To see it in the Domains and Activity dashboard, make sure that the column called "Detected Emails" is enabled.

To see emails that the honeypot feed has discovered, follow the steps below:

  1. Click a domain from Domains or a lookalike from the Activity page.

  2. Scroll down the page to the Detect Emails section.

  3. Click an email for more details, or use the filter to narrow the list to the desired result.

When you are looking at the Detect Emails section of the Domain Details page, you will see the following column headers that allow for more granular search filtering:

  • Malware: OnDOMAIN cross-checks the attachment hash with a malware database to determine whether the attachment is a well-known malicious file.

  • Subject: Email subject sent by the user.

  • Sender Reputation: This score relates to the legitimacy of a sender. The lower the score, the less legitimate the sender. This filter can be used as a reference to prioritize the review of the emails.

  • Received: Time the email was received by the honeypot.

  • File: Number of files attached to the email.

  • SPF check.

  • DMARC check.

  • Country: Origin of the email.


Important note: OnDOMAIN only shows a screenshot of the header, body, and attachment. The image is not clickable like a traditional email; the contents are simply rasterized as a screenshot. The email headers can be checked in the corresponding section and are copyable/selectable. Attachments cannot be accessed, only checked in terms of their filename, size, and malware status.

OnDOMAIN will start by fetching any detected emails from the last 90 days, and will then add any new emails every 24 hours. Detected emails will live in the system for 30 days.

Note: The feature will now be enabled by default for all users, but only on full accounts.
