Powerful Pivots: Uncovering Brand Impersonation with Multi-Layered Queries

Proactively finding convincing clones of a major brand like Gmail is difficult; the internet is full of legitimate and benign sites that use the word “gmail.” The key is to use a multi-layered query that combines data points to filter out the noise.
The Technique: We can build a query that stacks several conditions to find only the fakes.
Search Logic:
- Pivot on Favicon: First, find all sites using the official Gmail favicon hash.
- Filter by Content: Add a condition that the HTML Title must contain “gmail”.
- Exclude Legitimate Sites: This is the most important step. Filter out any site where the SSL Issuer Organization is “Google Trust Services” (as this would be a real Google-owned property).
The Result: This precise, multi-layered search successfully identifies high-fidelity phishing sites, such as the convincing clone gmaii.email, while completely ignoring legitimate Google infrastructure.
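The three layers above, applied as a local filter over scan records. This is an added example, not the platform's query syntax and not code from the original page; the record field names, the favicon hash placeholder and the sample hosts are all constructed.

```python
# Constructed placeholder: the page does not give the real favicon hash value.
GMAIL_FAVICON_HASH = "PLACEHOLDER_GMAIL_FAVICON_HASH"
LEGIT_ISSUER_ORG = "google trust services"

# Constructed scan records; the field names are assumptions, not a vendor schema.
RECORDS = [
    {"host": "mail.google.example", "favicon_hash": GMAIL_FAVICON_HASH,
     "html_title": "Gmail", "ssl_issuer_org": "Google Trust Services"},
    {"host": "gmail-clone.example", "favicon_hash": GMAIL_FAVICON_HASH,
     "html_title": "Gmail - Sign in", "ssl_issuer_org": "Example CA"},
    {"host": "gmail-tips-blog.example", "favicon_hash": "OTHER_HASH",
     "html_title": "10 Gmail tips", "ssl_issuer_org": "Example CA"},
    {"host": "reused-icon.example", "favicon_hash": GMAIL_FAVICON_HASH,
     "html_title": "Welcome", "ssl_issuer_org": "Example CA"},
    # No certificate captured: the issuer exclusion cannot clear this host,
    # so it stays in the results for manual review.
    {"host": "gmail-nocert.example", "favicon_hash": GMAIL_FAVICON_HASH,
     "html_title": "GMAIL login", "ssl_issuer_org": None},
]


def _norm(value):
    """Lower-case and trim a field so casing or padding cannot dodge a match."""
    return (value or "").strip().lower()


def layers(records):
    """Return the candidate list that survives each of the three layers."""
    by_favicon = [r for r in records
                  if r.get("favicon_hash") == GMAIL_FAVICON_HASH]
    by_title = [r for r in by_favicon if "gmail" in _norm(r.get("html_title"))]
    suspects = [r for r in by_title
                if _norm(r.get("ssl_issuer_org")) != LEGIT_ISSUER_ORG]
    return by_favicon, by_title, suspects


def hunt(records):
    """Hosts with the brand's favicon and title but a non-Google issuer."""
    return sorted(r["host"] for r in layers(records)[2])


if __name__ == "__main__":
    for name, stage in zip(("favicon", "title", "issuer"), layers(RECORDS)):
        print(f"after {name} layer: {len(stage)} candidates")
    print("suspects:", hunt(RECORDS))
```

Printing the per-layer counts shows how much noise each condition removes, and the record with no captured certificate shows that missing issuer data leaves a host in the result set rather than clearing it.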

