Advanced Threat Hunting: Four Techniques to Detect Phishing Infrastructure Before it Strikes

In cyber defense, reacting to a phishing attack means you’re already one step behind. A phishing email in an inbox is the end result of a long chain of attacker activity. The real win isn’t just analyzing the phish; it’s using a proactive threat hunting model to find the infrastructure it came from before the attack is even launched.
Moving from this reactive posture to a proactive one is the single most effective way to get ahead of adversaries. Instead of cleaning up a mess, you’re preventing the mess from happening (sounds nice, right?).
Based on a recent workshop on our Community Edition platform, we’ve outlined four practical, query-based techniques that defenders can use to shift “left of boom” and start proactively dismantling phishing campaigns.
Start Hunting With A Free Silent Push Community Edition Account
All of the queries shared below are supported in our free Community Edition. We’ve included a short link below if you’d like to sign up and follow along.
Table of contents
- Start Hunting With A Free Silent Push Community Edition Account
- Quick Note and Disclaimer
- 1. From a Single Phish to a Full Campaign (The “Ledger” Method)
- 2. Hunting with Infrastructure Fingerprints (The “Harbor Freight” Method)
- 3. Uncovering Brand Impersonation with Multi-Layered Queries (The “Gmail” Method)
- 4. Getting Ahead of Supplier & Partner Spoofing (The “Eversource & Microsoft” Method)
- Staying Ahead of Evolving Cyber Threats
Quick Note and Disclaimer
The hunting queries we’re sharing reflect data from a specific point in time, and threat activity may have changed since their creation. These are intended for threat hunting, not as perfect detections, so minor false positives are possible.
Each query has been validated by our threat analyst team to match relevant threat groups, and we use internal variations for broader coverage. You can adapt or refine these queries to align with your environment and the latest intelligence.
1. From a Single Phish to a Full Campaign (The “Ledger” Method)
Every reactive investigation is an opportunity to build a proactive hunt. Let’s take a real-world phishing email (a “Ledger” phish) and show how to pivot “upstream.”
The Reactive Clues: The investigation starts with email headers. We find IPs like 149.72.223.116 and 159.183.183.61, which indicate compromised SendGrid accounts. Using PTR (reverse DNS) records helps identify the sender, but this is all after-the-fact analysis. The malicious link itself was ledger-recovery-app[.]com.
The Proactive Pivots: Instead of stopping, we use that domain as our first “thread” to pull.
- Content Pivot: We can hunt for other sites that share the same characteristics. A simple query can find all domains that also have an HTML Title of “Are you human?” and a URL that contains “ledger”. This immediately widens the net.
- Domain/WHOIS Pivot: We can hunt for similar domains before they’re armed. Attackers use predictable patterns. We can build a proactive query to find all domains where:
  - Domain is one of: ledger-*-*.com OR *-ledger-*.com
  - AND
  - Registrar is: Amazon Registrar, Inc.
This query finds domains the moment they’re registered, long before they’re ever used in an email campaign.
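As an added example (not code from the Silent Push post or platform), here is the Domain/WHOIS pivot evaluated offline in Python against a constructed batch of newly registered domain records. The wildcard-to-regex translation, in which `*` stands for one or more hostname-label characters, is my assumption about how such patterns are interpreted.

```python
import re

# Constructed sample of newly registered domain records (not real WHOIS data).
NEW_DOMAINS = [
    {"domain": "ledger-recovery-app.com", "registrar": "Amazon Registrar, Inc."},
    {"domain": "ledger-live-secure.com", "registrar": "Amazon Registrar, Inc."},
    {"domain": "my-ledger-support.com", "registrar": "Amazon Registrar, Inc."},
    {"domain": "ledger-wallet.com", "registrar": "Amazon Registrar, Inc."},      # only one dash
    {"domain": "ledger-sync-app.com", "registrar": "NameCheap, Inc."},           # other registrar
    {"domain": "app-ledger-verify.net", "registrar": "Amazon Registrar, Inc."},  # other TLD
]

LEDGER_PATTERNS = ["ledger-*-*.com", "*-ledger-*.com"]
LEDGER_REGISTRAR = "Amazon Registrar, Inc."


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a hunt-style wildcard (ledger-*-*.com) into an anchored,
    case-insensitive regex. Assumption: '*' matches one or more characters
    that are legal inside a hostname label (letters, digits, dash)."""
    escaped = re.escape(pattern).replace(r"\*", "[A-Za-z0-9-]+")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def hunt_domains(records, patterns, registrar):
    """Return domains matching ANY wildcard pattern AND the given registrar,
    mirroring the 'Domain is one of ... AND Registrar is ...' query."""
    regexes = [wildcard_to_regex(p) for p in patterns]
    return [
        r["domain"]
        for r in records
        if any(rx.match(r["domain"]) for rx in regexes)
        and r["registrar"] == registrar
    ]


if __name__ == "__main__":
    for d in hunt_domains(NEW_DOMAINS, LEDGER_PATTERNS, LEDGER_REGISTRAR):
        print("candidate lookalike:", d)
```

The records that fail the pattern (one dash, wrong TLD) or the registrar condition drop out, which is what keeps a hunt like this from flooding the queue with every domain containing "ledger".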
2. Hunting with Infrastructure Fingerprints (The “Harbor Freight” Method)
Threat actors are lazy. They reuse the same server configurations, even when they host different campaigns. Instead of hunting for content (which changes), we can hunt for the server’s unique technical “fingerprint.”
The Example: A phishing domain harborfrieght[.]shop was identified.
The Technique: We can extract the server’s unique technical signatures. Even if the actor hosts a completely different lure (like a “jeans ad” found in the wild), the underlying server setup is often identical.
The key indicators to pivot on are:
- HHV (HTTP Hash): f2bbb45599ecd7349b164c98a8
- JARM (TLS Fingerprint): 27d40d40d00040d00042d43d00041df04c41293ba84f6efe3a613b22f983e6
The Goal: Run a query to find all domains hosted on infrastructure with these exact HHV and JARM fingerprints. This technique cuts through the noise of different domain names and content, tying disparate campaigns to a single actor.
3. Uncovering Brand Impersonation with Multi-Layered Queries (The “Gmail” Method)
Proactively finding convincing clones of a major brand like Gmail is difficult; the internet is full of legitimate and benign sites that use the word “gmail.” The key is to use a multi-layered query that combines data points to filter out the noise.
The Technique: We can build a query that stacks several conditions to find only the fakes.
Search Logic:
- Pivot on Favicon: First, find all sites using the official Gmail favicon hash.
- Filter by Content: Add a condition that the HTML Title must contain “gmail”.
- Exclude Legitimate Sites: This is the most important step. Filter out any site where the SSL Issuer Organization is “Google Trust Services” (as this would be a real Google-owned property).
The Result: This precise, multi-layered search successfully identifies high-fidelity phishing sites, such as the convincing clone gmaii.email, while completely ignoring legitimate Google infrastructure.
4. Getting Ahead of Supplier & Partner Spoofing (The “Eversource & Microsoft” Method)
Your organization’s attack surface includes your suppliers and third-party partners. Proactively monitoring for infrastructure that could be used to impersonate them is a critical, advanced defense.
The Goal: Identify newly registered domains that could be used in a Business Email Compromise (BEC) or phishing attack spoofing a partner.
Example 1: Eversource (Electric Provider)
- Technique: Search DNS data for any domains that have set their MX (mail) records to point to your supplier (e.g., search for MX records containing *eversource.com).
- The Finding: This uncovers more than just active malicious domains. It reveals a common attacker TTP: parked domains. For instance, wwweversource.com was found with its MX record pointing to park-mx.above.com. Attackers “park” domains to age them, bypassing reputation filters.
Example 2: Advanced Hunting (Microsoft)
We can combine these techniques into an advanced query to find newly registered, parked domains actively set up for spoofing.
Search Logic:
- Domain Regex: Use a regular expression to find domains that look like “microsoft” (e.g., (?i)(?:^|[^A-Za-z0-9-])microsoft…).
- AND
- MX Record: Look only for domains whose MX record is park-mx.above.com.
- AND
- WHOIS Date: Find domains registered after a specific date (e.g., whois_after: 2025-08-01).
This query provides a high-confidence alert feed of domains being purpose-built to attack your organization or impersonate your biggest partners.
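As an added example (not code from the Silent Push post or platform), the combined Microsoft query and the Eversource MX pivot are evaluated below in Python over constructed DNS and WHOIS records. The post's regex is truncated, so only its visible prefix is used here; that, the record fields and the sample domains are my assumptions.

```python
import re
from datetime import date

# Constructed DNS + WHOIS records (not real data); fields mirror the page's pivots.
RECORDS = [
    {"domain": "microsoft-login.support", "mx": "park-mx.above.com", "created": "2025-08-14"},
    {"domain": "secure.microsoft365-billing.com", "mx": "park-mx.above.com", "created": "2025-09-02"},
    {"domain": "mymicrosoft.com", "mx": "park-mx.above.com", "created": "2025-08-20"},  # 'y' before 'microsoft': no boundary
    {"domain": "microsoft-update.net", "mx": "park-mx.above.com", "created": "2024-11-30"},  # parked, registered too early
    {"domain": "microsoft-support.net", "mx": "mail.example-host.net", "created": "2025-08-22"},  # not parked
    {"domain": "wwweversource.com", "mx": "park-mx.above.com", "created": "2025-08-10"},  # parked, other brand
    {"domain": "eversource-billing.net", "mx": "mail.eversource.com", "created": "2025-08-05"},  # MX aimed at supplier
]

# Assumption: only the visible prefix of the page's (truncated) regex is used.
# It requires 'microsoft' at the start of the name or right after a character
# that cannot be part of a hostname label, so 'mymicrosoft' is not a hit.
BRAND_REGEX = re.compile(r"(?i)(?:^|[^A-Za-z0-9-])microsoft")
PARKING_MX = "park-mx.above.com"
WHOIS_AFTER = date(2025, 8, 1)


def hunt_parked_spoofs(records, brand_regex=BRAND_REGEX,
                       parking_mx=PARKING_MX, whois_after=WHOIS_AFTER):
    """Domain regex AND MX == parking host AND WHOIS creation after whois_after."""
    hits = []
    for r in records:
        created = date.fromisoformat(r["created"])
        if (brand_regex.search(r["domain"])
                and r["mx"].lower() == parking_mx
                and created > whois_after):
            hits.append(r["domain"])
    return hits


def mx_points_to(records, supplier_domain):
    """The Eversource pivot: domains whose MX host ends with the supplier's domain."""
    suffix = supplier_domain.lower()
    return [r["domain"] for r in records if r["mx"].lower().endswith(suffix)]


if __name__ == "__main__":
    print("parked brand lookalikes:", hunt_parked_spoofs(RECORDS))
    print("MX aimed at supplier:", mx_points_to(RECORDS, "eversource.com"))
```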
Staying Ahead of Evolving Cyber Threats
Our Threat Analyst and product teams are hard at work creating fingerprints and capabilities to proactively detect the latest threats, helping our customers stay safe up to months in advance of many other tools.
If your team would like a platform tour to learn more about proactive threat hunting, book a demo with our team today.

