Lookalike Domain Detection
CLI

```bash
dfir-cli bec lookalike
```

Detect typosquat, homoglyph, and other lookalike domains targeting your organization. Supports two modes: local generation (free) and inbound email scanning (5 credits). Includes DNS, MX, WHOIS, and DMARC enrichment to identify actively weaponized domains.
- Mode B: Local generation (free)
- Mode A: Scan inbound (5 credits)
- Algorithms: 7 mutation algorithms
- Enrichment: DNS, MX, WHOIS, DMARC
Mode B: Local Generation
Generates lookalike domain candidates locally and optionally enriches them with DNS, WHOIS, and DMARC data. No API credits required.
Basic scan

```bash
dfir-cli bec lookalike --domain contoso.com
```

Full enrichment

```bash
dfir-cli bec lookalike --domain contoso.com \
  --check-whois --check-dns --check-dmarc \
  --top 50 --concurrency 10 --min-risk 40
```
| Flag | Type | Description |
|---|---|---|
| --domain | string | Your organization's domain to generate lookalikes for (required) |
| --check-whois | bool | Perform WHOIS lookups on discovered domains |
| --check-dns | bool | Resolve A, MX, and NS records for discovered domains |
| --check-dmarc | bool | Check DMARC policy configuration for discovered domains |
| --top | int | Number of top results to display (default: 20) |
| --concurrency | int | Number of concurrent DNS/WHOIS lookups (default: 5) |
| --min-risk | int | Minimum risk score to include in results (0-100, default: 0) |
| --include-unregistered | bool | Include unregistered domain candidates in output |
Mode A: Scan Inbound Email
Scans inbound email sender domains for lookalike matches against your organization's domain. Costs 5 API credits per scan.
Scan inbound

```bash
dfir-cli bec lookalike --scan-inbound --domain contoso.com
```
| Flag | Type | Description |
|---|---|---|
| --scan-inbound | bool | Scan inbound email for lookalike sender domains (requires API, 5 credits) |
| --domain | string | Your organization's domain to match against inbound senders (required) |
Detection Algorithms
| Algorithm | Description |
|---|---|
| bitsquat | Single-bit flip variations (e.g. gontoso.com) |
| homoglyph | Visually similar character substitution (e.g. c0ntoso.com, contöso.com) |
| insertion | Extra character inserted between letters (e.g. conntoso.com) |
| omission | Single character removed (e.g. contso.com, cntoso.com) |
| replacement | Adjacent keyboard character swap (e.g. contosi.com) |
| vowel_swap | Vowel substitution (e.g. cuntoso.com, contaso.com) |
| tld_variation | Top-level domain change (e.g. contoso.net, contoso.co) |
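To make the seven algorithms concrete, here is an added Python example (not dfir-cli's own code) that generates candidates for contoso.com with each mutation; the homoglyph, keyboard-adjacency and TLD tables are small assumed subsets, not the tool's real tables.

```python
import string

# Assumed, deliberately small substitution tables; a real tool ships far larger ones.
HOMOGLYPHS = {"o": "0ö", "i": "1l", "l": "1i", "a": "à", "e": "3", "s": "5"}
KEYBOARD = {"c": "xdfv", "o": "ipkl", "n": "bhjm", "t": "rfgy", "s": "awedxz"}
VOWELS = "aeiou"
TLDS = ("net", "co", "org", "io")
ALLOWED = set(string.ascii_lowercase + string.digits + "-")


def bitsquat(name):
    # Flip each of the 8 bits of every character; keep only valid label characters.
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            if c in ALLOWED:
                out.add(name[:i] + c + name[i + 1:])
    return out


def _substitute(name, table):
    # Replace one character at a time with every alternative listed for it.
    return {name[:i] + c + name[i + 1:]
            for i, ch in enumerate(name) for c in table.get(ch, "")}


def homoglyph(name):
    return _substitute(name, HOMOGLYPHS)


def replacement(name):
    return _substitute(name, KEYBOARD)


def vowel_swap(name):
    return _substitute(name, {v: VOWELS.replace(v, "") for v in VOWELS})


def insertion(name):
    # Double a letter, or insert one of its keyboard neighbours right after it.
    return {name[:i + 1] + c + name[i + 1:]
            for i, ch in enumerate(name) for c in ch + KEYBOARD.get(ch, "")}


def omission(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def generate(domain):
    """Return {algorithm: sorted candidate FQDNs} for a registrable domain."""
    name, _, tld = domain.partition(".")
    algos = {"bitsquat": bitsquat, "homoglyph": homoglyph, "insertion": insertion,
             "omission": omission, "replacement": replacement, "vowel_swap": vowel_swap}
    result = {k: sorted(f"{n}.{tld}" for n in fn(name) if n != name) for k, fn in algos.items()}
    result["tld_variation"] = sorted(f"{name}.{t}" for t in TLDS if t != tld)
    return result
```

The candidate list is only the first step; the risk scoring and DNS/MX/WHOIS enrichment that tell you which of these are actually registered and mail-enabled are what the CLI's Mode B adds on top.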
Example Output
```json
{
  "data": [
    {
      "domain": "contoro.com",
      "algorithm": "replacement",
      "original_domain": "contoso.com",
      "risk_score": 70,
      "risk_level": "high",
      "enrichment": {
        "dns_resolves": true,
        "has_mx": true,
        "mx_records": [
          "contoro-com.mail.protection.outlook.com."
        ],
        "whois_age": "2226d",
        "whois_registrar": "Squarespace Domains II LLC",
        "spf_present": false
      }
    }
  ],
  "meta": {
    "total_permutations": 400,
    "resolved": 50,
    "with_mx": 37,
    "critical": 0,
    "high": 14,
    "medium": 36,
    "low": 0
  }
}
```

Important Notes
- Mode B (local generation) is completely free and runs offline. DNS/WHOIS/DMARC enrichment sends network requests but does not consume API credits.
- Mode A (scan inbound) requires a connection to the DFIR platform API and costs 5 credits per scan.
- Increase --concurrency for faster enrichment, but be mindful of rate limits on public WHOIS and DNS services.