


The Punycode Detector looks for phishing domains that use punycode to carry out homograph attacks, in which a domain is made to look like a legitimate one. In a punycode phishing attack, the URL looks legitimate and the content on the page might appear legitimate, but the site is actually a different website. The Punycode Detector compares domains to a monitored, hand-curated list of the most popular legitimate domains, and considers the age of the new domain (older domains are more likely to be legitimate) and other factors. If the visual similarity of the URL crosses a predetermined threshold, an alert is issued to the Secureworks® Taegis™ XDR Alerts API and appears in Secureworks® Taegis™ XDR. The confidence level of an alert is currently binary, with a return of 0 or 1.
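The comparison described above can be illustrated with the following Python example, which is added here and is not Secureworks code or a description of how the detector is implemented. The `POPULAR` list, the `CONFUSABLES` subset, the `THRESHOLD` value and all function names are assumptions made for illustration; domain age and the other factors are not modeled.

```python
import difflib

# Constructed stand-in for a curated list of popular legitimate domains.
POPULAR = ["example.com", "example.org", "wikipedia.org"]
# Constructed subset of look-alike characters (Cyrillic/Greek -> Latin).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u03bf": "o", "\u03bd": "v"}
THRESHOLD = 0.9  # assumed similarity cut-off, not a product value


def to_unicode(domain):
    """Decode each xn-- label to Unicode; other labels pass through."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw ASCII form
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Replace look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def score(domain):
    """Return (confidence, closest_popular_domain, similarity)."""
    if "xn--" not in domain.lower():
        return 0, None, 0.0  # only punycode domains are examined
    decoded = to_unicode(domain)
    skel = skeleton(decoded)
    best, best_sim = None, 0.0
    for legit in POPULAR:
        sim = difflib.SequenceMatcher(None, skel, legit).ratio()
        if sim > best_sim:
            best, best_sim = legit, sim
    alert = decoded not in POPULAR and best_sim >= THRESHOLD
    return (1 if alert else 0), best, best_sim


def make_idn(label, tld):
    """Build a constructed xn-- test domain from a Unicode label."""
    return "xn--" + label.encode("punycode").decode("ascii") + "." + tld


if __name__ == "__main__":
    for d in (make_idn("ex\u0430mple", "com"), make_idn("m\u00fcnchen", "de")):
        print(d, to_unicode(d), score(d))
```

The first constructed domain swaps a Cyrillic "а" into `example.com` and returns confidence 1; the second is an ordinary internationalized name with no close match and returns 0.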

Punycode Detector

Punycode Alert




Punycode alerts are pushed to the Secureworks® Taegis™ XDR Alert Database and Secureworks® Taegis™ XDR Dashboard.


MITRE Enterprise ATT&CK - Initial Access - Spearphishing Link. For more information, see MITRE Technique T1566.002.

Configuration options


Detector Requirements

