Related domain detection

Related domain detection allows you to monitor your zone for lookalike domains that pose a risk to your organization and your organization’s brand. This feature allows you to monitor and protect your zones from the following threats:

  • Phishing. Domains used for a phishing campaign or for fake websites. Phishing domains are often used to create websites that look legitimate but actually deceive users into providing sensitive information, such as login credentials, credit card information, and more.

    A phishing attack can target users within an organization by sending fake notices that urge immediate action. These fraudulent notices may arrive in the form of an email and use sophisticated scare tactics. For example, these notices may warn of copyright or trademark infringement in an attempt to obtain sensitive information about an organization. ​Akamai​ monitors the domains that belong to the email address of email senders.
  • Typosquatting. Domains that are a common misspelling or mistype of another popular domain or brand. While typosquatting can be used for activity that has a low risk to your organization, threat actors may use this technique to direct users to fake websites that are designed to steal information or install malware.

When you enable Related Domain Detection, ​Akamai​ actively monitors zones and reports on domains that are used for this malicious activity.

In Control Center, you can:

  • Enable Related Domain Detection for five zones. If your organization uses Posture Management, you can monitor up to 25 zones. For more information, see Monitor additional zones
  • View a detailed report on domains that pose a threat to your organization. Information includes risk indicators, URLs where the domain was used, and more. You can filter domains by threat level, set a priority level for domains, assign the administrators who should follow the domain, and review the report. For more information, see Related domains report.
  • Add or remove domains in an allowlist. Edge DNS zones are automatically added to the allowlist. Domains in this list are not monitored for phishing threats and are not included in the related domains report or any zone report.

Monitor additional zones

By default, you can enable Related Domain Detection for up to five zones. To monitor more zones, consider these additional Akamai products:

  • Posture Management. Provides centralized visibility, continuous monitoring, and operational intelligence across critical infrastructure layers—including Domain Name System (DNS), distributed denial-of-service (DDoS), certificates, and brand security. With this solution, you can monitor up to 25 zones.For more information, see Posture Management.
  • Brand Guardian. Detects and takes down threats that target your brand. This solution finds phishing sites, fake domains, impersonation attempts, and fraudulent assets across the web and other attack surfaces, such as social media and app marketplaces. For more information, see Brand Guardian.

To try these solutions, contact your Akamai account representative.

Related domains report

If related domains are detected, you can view a detailed list of these domains. The related domains report shows data on domains that ​Akamai​ detected are a risk to your organization. In this report, you can:

  • Filter the list of domains to narrow your view. You can filter by zone or zones, risk level, assigned priority level, UTC timestamp of when the domain was last registered, whether an administrator is following it or not, whether a notification about a risk level change was sent to administrators, and assigned tags.
  • View detailed information about a domain. You expand the table row of a domain in the report to view additional information about the domain. For more information, see Detailed domain information.
  • Review the risk level that was detected and assigned to the domain. The report automatically sorts domains by the highest risk level.
  • Assign priority level. To manage the list of domains, you can assign a priority level that lets you or other administrators manage it more easily.
  • View a screenshot of content that’s hosted by the related domain. This allows you to view content without navigating to the domain.
  • Follow a domain. You provide the email address of administrators or other users who are notified when the risk level for a domain changes
  • Add a domain to an allowlist. After a domain is added to an allowlist, it no longer appears in zone reports for your account. Similarly, you can also remove a domain from the allowlist.
  • Download a CSV that contains a filtered list of domains in the report.
  • Perform bulk actions on multiple domains. These actions include adding domains to an allowlist, setting a priority level, managing tags, following or unfollowing domains, and updating the follow settings with new recipient email addresses.
📘

To take down a domain that you believe is a threat to your organization, use Brand Guardian. To try this solution, contact your Akamai representative.

Detailed domain information

You can expand a domain to view more detailed information about the domains that ​Akamai​ considers a risk to your organization.

Data FieldDescription
Risk IndicatorsAttributes that were identified and allowed Akamai to identify the domain as a threat. These attributes include device, browser information, a domain update, and more.
Domain URLsURLs where the domain is used
TagsTags associated with the domain. You can add or remove a tag. For more information, see Create and manage tags.
WHOIS Registration Time (UTC)The date and time in UTC format when the domain was registered with WHOIS.
Screenshot timestampThe date and time in UTC format when the screenshot was taken.
DNSSECIndicates whether the domain was protected with Domain Name System Security Extensions (DNSSEC). DNSSEC are cryptographic signatures added to DNS records to secure DNS data transmitted over the internet.
Name serversAddresses of the name servers that are associated with the domain.
DNSRecords in the domain.
Rule nameShows the specific rule that identified the domain as a risk.
Zone(s)Zone or zones of the related domain.
CommentComment that you can enter about the domain.

Risk levels

​Akamai​ monitors your zone and assigns one of these risk levels to domains.

You can use the report filter to show the domains for a specific risk level. Each risk level includes the attributes of the previous risk level. For example, a risk level with a Medium risk level also includes the attributes of a domain with a low and minimal risk level. For more information, see Filter the related domains report.

Risk LevelDescription
CriticalIndicates the domain appears in a long URL that is likely part of a phishing scam.
HighIndicates the domain leads to a phishing form that is used to steal sensitive information.
MediumIndicates the domain includes a DNS record that is a mail exchanger (MX) record. An MX record routes emails to email servers.
LowIndicates a website is live with this domain.
MinimalIndicates the domain is an A or Address record where a domain maps to an IP address.

Priority levels

To help you manage domains in the related domain reports, you can assign one of these preset priority levels:

  • Critical
  • High
  • Medium
  • Low
  • Minimal

The priority level you assign is based on your preference. A critical priority level should be reserved for domains that require the most attention, while minimal should be assigned to domains that require the least amount of attention. For instructions on setting a level, see Set a priority level.

Enable related domain detection

Complete this procedure to enable related domain detection.

To enable related domain detection:

  1. From the Control Center menu, click Security > Security analytics > Infrastructure Security Analytics. The dashboard for Infrastructure Security Analytics appears.
  2. Go to the zone where you want to enable related domain detection. To filter zones, see Filter list of zones.
  3. Enable the Related domain detection toggle.

View data on related domains at a high level

After you enable related domain detection, the Infrastructure Security Analytics page provides a graphical view and total number of domains for each risk level and priority level.

To view high-level data on related domains:

  1. From the Control Center menu, click Security > Security analytics > Infrastructure Security Analytics. The dashboard for Infrastructure Security Analytics appears.
  2. Go to the zone where you enabled related domain detection
  3. In the Related Domain Detection column, click View. A window appears that shows some data on related domains. Review this data.
    To view more detailed data, see View the related domains report.

View the related domains report

Complete this procedure to view the related domains report.

To view the related domains report:

  1. In the Infrastructure Security Analytics Dashboard, go to the zone where you enabled related domain detection.
  2. In the Related Domain Detection column, click View. A window appears that shows some data on related domains.
  3. Click Investigate to view the related domains report.
  4. Apply filters to narrow the list of domains. For instructions, see Filter the related domains report.

Did this page help you?