
Traffic to a young domain impersonating a known brand

ID: imposter_young
Data type: DNS, HTTP
Severity: Low - Critical
MITRE ATT&CK: TA0001:T1566

Description

AlphaSOC detected network traffic to a domain that appears to impersonate a known brand. This is a common tactic used by threat actors to conduct phishing campaigns or other malicious activities. Adversaries register domains that closely resemble the legitimate fully-qualified domain names (FQDNs) of a brand to deceive users into thinking they are interacting with the genuine website.

Impact

Traffic to brand-impersonating domains can lead to security breaches. Users may unknowingly submit sensitive information, including login credentials or financial data, to malicious actors. This can result in unauthorized access to corporate systems, data theft, financial fraud, or serve as an entry point for further attacks such as malware deployment or ransomware infections.

Severity

Severity   Condition
Low        Traffic to a valid domain impersonating a known brand
Medium     Traffic to a young domain impersonating a known brand
High       Traffic to a suspicious domain impersonating a known brand
High       Traffic from multiple sources
Critical   Traffic to a suspicious young domain impersonating a known brand

Investigation and Remediation

Investigate the specific domain in question and compare it to the legitimate brand's domain. Analyze the traffic patterns, including the users or systems that accessed the domain. If malicious intent is confirmed, block the domain at the network level.
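The following is an added example (not AlphaSOC's detection code) that illustrates both the severity table above and the triage step: it groups constructed DNS query records by domain, flags names that embed or closely misspell a watched brand keyword, applies the severity tiers, and lists which sources queried each imposter. The log format, the brand watchlist, the 30-day "young" threshold and the upstream "suspicious" flag are all assumptions made for the example.

```python
BRANDS = {"examplebank": "examplebank.com"}  # constructed watchlist: brand keyword -> genuine FQDN
SAMPLE_LOG = """2024-05-01T10:00:01Z 10.0.0.5 login-examplebank.com 3 1
2024-05-01T10:00:07Z 10.0.0.9 login-examplebank.com 3 1
2024-05-01T10:02:13Z 10.0.0.5 examplebank.com 4000 0
2024-05-01T10:05:44Z 10.0.0.7 examp1ebank-secure.net 12 0
2024-05-01T10:07:30Z 10.0.0.5 unrelated.org 2000 0"""  # constructed: ts src qname age_days suspicious

def edit_distance(a, b):
    """Levenshtein distance; catches typosquats such as 'examp1ebank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(domain, brands=BRANDS, max_dist=2):
    """Return the brand keyword a domain imitates, or None for the genuine site or unrelated names."""
    if domain in brands.values():
        return None
    label = domain.split(".")[-2] if "." in domain else domain  # registrable label, e.g. 'login-examplebank'
    for keyword in brands:
        if keyword in label or any(
                edit_distance(tok, keyword) <= max_dist for tok in label.split("-")):
            return keyword  # brand padded with extra tokens, or a near-miss spelling of it
    return None

def severity(young, suspicious, multi_source):
    """Apply the severity table: suspicious and young is Critical; suspicious or multi-source is High."""
    if suspicious and young:
        return "Critical"
    return "High" if suspicious or multi_source else "Medium" if young else "Low"

def triage(log_text=SAMPLE_LOG, brands=BRANDS, young_days=30):
    """Group queries by domain, score each imposter, and list the sources that queried it.
    Assumption: a domain registered fewer than young_days ago counts as young."""
    seen = {}
    for line in log_text.strip().splitlines():
        _, src, qname, age, susp = line.split()
        rec = seen.setdefault(qname, {"sources": set(), "age": 0, "suspicious": False})
        rec["sources"].add(src)
        rec["age"], rec["suspicious"] = int(age), rec["suspicious"] or susp == "1"
    findings = {}
    for qname, rec in seen.items():
        brand = impersonated_brand(qname, brands)
        if brand:
            findings[qname] = {"brand": brand, "sources": sorted(rec["sources"]), "severity":
                severity(rec["age"] < young_days, rec["suspicious"], len(rec["sources"]) > 1)}
    return findings
```

Running `triage()` on the constructed log scores `login-examplebank.com` as Critical (young, suspicious, two sources) and `examp1ebank-secure.net` as Medium, while the genuine `examplebank.com` and the unrelated domain produce no finding.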