Powerful Pivots: Uncovering Brand Impersonation with Multi-Layered Queries

Proactively finding convincing clones of a major brand like Gmail is difficult; the internet is full of legitimate and benign sites that use the word “gmail.” The key is to use a multi-layered query that combines data points to filter out the noise.

The Technique: We can build a query that stacks several conditions to find only the fakes.

Search Logic:

  1. Pivot on Favicon: First, find all sites using the official Gmail favicon hash.
  2. Filter by Content: Add a condition that the HTML Title must contain “gmail”.
  3. Exclude Legitimate Sites: This is the most important step. Filter out any site where the SSL Issuer Organization is “Google Trust Services” (as this would be a real Google-owned property).
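
The three layers above, applied in order to scan records, as an added example that is not code or query syntax from the original page. The `ScanRecord` shape, the `layer_results` helper, the favicon hash placeholders and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder: the page does not give the hash; use the value your scan
# data source reports for the official Gmail favicon.
GMAIL_FAVICON_HASH = "PLACEHOLDER_GMAIL_FAVICON_HASH"
LEGIT_ISSUER_ORG = "google trust services"  # compared case-insensitively


@dataclass
class ScanRecord:  # hypothetical record shape, not a real product schema
    domain: str
    favicon_hash: Optional[str]
    html_title: Optional[str]
    ssl_issuer_org: Optional[str]  # None when no certificate was observed


def layer_results(records):
    """Apply the three layers in order; return the domains left after each."""
    by_favicon = [r for r in records if r.favicon_hash == GMAIL_FAVICON_HASH]
    by_title = [r for r in by_favicon
                if "gmail" in (r.html_title or "").lower()]
    # A missing issuer is not evidence of Google ownership, so records
    # without a certificate stay in the result for review.
    suspects = [r for r in by_title
                if (r.ssl_issuer_org or "").strip().lower() != LEGIT_ISSUER_ORG]
    return {
        "favicon": [r.domain for r in by_favicon],
        "title": [r.domain for r in by_title],
        "suspects": [r.domain for r in suspects],
    }


# Constructed sample records (values invented for illustration).
OTHER = "PLACEHOLDER_OTHER_FAVICON_HASH"
SAMPLE = [
    ScanRecord("mail.google.com", GMAIL_FAVICON_HASH, "Gmail", "Google Trust Services"),
    ScanRecord("gmaii.email", GMAIL_FAVICON_HASH, "Gmail", "Example CA Org"),
    ScanRecord("gmail-howto.example", OTHER, "Gmail tips and tricks", "Example CA Org"),
    ScanRecord("icon-pack.example", GMAIL_FAVICON_HASH, "Free icon pack", "Example CA Org"),
    ScanRecord("login-gmail.example", GMAIL_FAVICON_HASH, "GMAIL - Sign in", None),
]

if __name__ == "__main__":
    for layer, domains in layer_results(SAMPLE).items():
        print(f"{layer:8} {len(domains)} {domains}")
```

Returning the survivors of each layer, rather than only the final list, shows how much noise each condition removes and makes it easy to review what the issuer exclusion dropped.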

The Result: This precise, multi-layered search successfully identifies high-fidelity phishing sites, such as the convincing clone gmaii.email, while completely ignoring legitimate Google infrastructure.

Try this example yourself using our free Community Edition: