🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Punycode

detectors


The Punycode Detector looks for phishing domains that use punycode for homograph attacks where the domain is trying to appear similar to a legitimate domain. With punycode phishing attacks, URLs will look legitimate, and the content on the page might appear legitimate, but it’s actually a different website. The Punycode Detector compares domains to a monitored, hand-curated list of the most popular legitimate domains, looks at the age of the new domain (older domains are more likely to be legitimate) and other factors. If the visual similarity of the URL crosses a predetermined threshold, an alert is issued to the Secureworks® Taegis™ XDR Alerts API and will appear in Secureworks® Taegis™ XDR. The confidence level of an alert is currently binary, with a return of 0 or 1.

Punycode Detector

Punycode Alert

Schema

DNS

Outputs

Punycode alerts pushed to the Secureworks® Taegis™ XDR Alert Database and Secureworks® Taegis™ XDR Dashboard.

MITRE ATT&CK Category

MITRE Enterprise ATT&CK - Initial Access - Spearphishing Link. For more information, see MITRE Technique T1566.002.

Configuration options

None

Detector Requirements

 

On this page: