
Block Documents Containing Newly Registered Domains

Contextal Team
Contextal Platform Creators

According to recent research, newly registered domain names used in phishing attacks remain one of the biggest threats to internet users. The study found that domain names used in phishing attacks have an average lifetime of 21 days, with the majority being used within 4 days of registration.

We will create a scenario that detects and blocks Office, ODF, and PDF documents containing links to domain names registered less than 30 days ago.

Starting with Contextal Platform 1.1, all data processors capable of extracting URLs or text can collect unique domain names and submit them to the Domain processor for further analysis. This processor retrieves domain record information from databases maintained by Network Information Centers and gathers details such as domain creation and expiration dates, domain age, and associated name servers.

This enables us to write the following simple ContexQL query, which checks whether a document contains a domain name registered less than 30 days ago:

(object_type == "Office" || object_type == "ODF" || object_type == "PDF")
  && @has_descendant(
       object_type == "Domain"
       && @match_object_meta($age_days < 30)
     )

Since domain names are collected from every relevant data format (documents, HTML, text, e-mails, etc.), the same approach can be used to detect newly registered domains elsewhere, or combined with other characteristics for even more accurate detections.
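To make the query's semantics concrete, here is an added example (written for this page, not Contextal's own code) that models a small object tree of the kind the query runs over and evaluates the same rule in Python. The tree shape, the `Obj` class, the WHOIS-like creation dates and the sample documents are all constructed assumptions; on the real platform the Domain processor supplies `age_days` from registry data. The example also shows the edge case the query leaves implicit: a domain whose age could not be determined does not match, so such documents are not blocked by this rule alone.

```python
"""Added example (not Contextal's code): evaluate the post's "fresh domain"
rule over a constructed object tree.

Assumed here, not taken from the post: the Obj tree shape, the constructed
registry records, and the sample document text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Very small URL host extractor; real extraction is done by the data processors.
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed stand-in for the domain creation dates the Domain processor
# would retrieve from the registries (the .example TLD is reserved for docs).
FAKE_WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "fresh-invoice-portal.example": date(2024, 5, 28),
}


@dataclass
class Obj:
    """One node of the object tree: a type, metadata, and child objects."""
    object_type: str
    meta: dict = field(default_factory=dict)
    children: list["Obj"] = field(default_factory=list)


def domain_age_days(domain: str, today: date) -> int | None:
    """Age in days since registration, or None when no record is available."""
    created = FAKE_WHOIS_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def build_tree(doc_type: str, text: str, today: date) -> Obj:
    """Mimic the extraction step: every unique domain found in the document
    becomes a Domain child object carrying its age_days metadata."""
    doc = Obj(doc_type)
    seen: set[str] = set()
    for m in DOMAIN_RE.finditer(text):
        domain = m.group(1).lower()
        if domain in seen:
            continue
        seen.add(domain)
        doc.children.append(
            Obj("Domain", {"domain": domain, "age_days": domain_age_days(domain, today)})
        )
    return doc


def has_descendant(obj: Obj, pred) -> bool:
    """Equivalent of @has_descendant: true if any node below obj satisfies pred."""
    return any(pred(c) or has_descendant(c, pred) for c in obj.children)


def is_fresh_domain(o: Obj, max_age_days: int) -> bool:
    """Equivalent of: object_type == "Domain" && @match_object_meta($age_days < N).
    An unknown age (None) does not satisfy the comparison, so it never matches."""
    age = o.meta.get("age_days")
    return o.object_type == "Domain" and age is not None and age < max_age_days


def fresh_domain_rule(obj: Obj, max_age_days: int = 30) -> bool:
    """The post's query: a document of the listed types with a fresh domain below it."""
    if obj.object_type not in ("Office", "ODF", "PDF"):
        return False
    return has_descendant(obj, lambda o: is_fresh_domain(o, max_age_days))


def matching_domains(obj: Obj, max_age_days: int = 30) -> list[str]:
    """Helper for triage: which domains caused the rule to fire."""
    found: list[str] = []

    def walk(o: Obj) -> None:
        for c in o.children:
            if is_fresh_domain(c, max_age_days):
                found.append(c.meta["domain"])
            walk(c)

    walk(obj)
    return found


if __name__ == "__main__":
    today = date(2024, 6, 10)  # constructed "current" date
    pdf = build_tree("PDF", "Pay at https://fresh-invoice-portal.example/login "
                            "or see https://example.com/help", today)
    print(fresh_domain_rule(pdf), matching_domains(pdf))
```

The `is_fresh_domain` check deliberately treats a missing `age_days` as a non-match, mirroring how a failed comparison behaves in the query; if you want documents with unresolvable domains held for review, that needs a separate rule rather than a looser comparison.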

Info: Click on the download button below to get the scenario and then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)

Document-Fresh-Domain.json
{
  "name": "Document With Fresh Domain",
  "min_ver": 1,
  "max_ver": null,
  "creator": "Contextal",
  "description": "Block documents containing domain names with short lifetimes.",
  "local_query": "(object_type == \"Office\" || object_type == \"ODF\" || object_type == \"PDF\")\n && @has_descendant(\n object_type == \"Domain\"\n && @match_object_meta($age_days < 30)\n )",
  "context": null,
  "action": "BLOCK"
}