AI phishing-infrastructure tracking: what the pivot actually looks like
Commercial tools, the OSS pivot toolkit, and what AI genuinely accelerates in phishing campaign infrastructure analysis.
Last verified: April 2026 | Affiliate disclosure: DomainTools links may be affiliate links.
What phishing-infrastructure tracking is
The analyst skill: given one phishing domain, pivot to the full campaign. This is how threat hunters track phishing campaigns at scale, before the next wave of victim lures hits. The pivot starts with a single indicator and expands outward through shared infrastructure attributes.
WORKED EXAMPLE: pivot from one domain
Start: micr0soft-login[.]com (phishing lure reported)
1. dnstwist: generates 340 typosquat variants of microsoft.com; 12 were registered in the last 7 days
2. urlscan.io: screenshot shows a fake M365 login page; favicon hash: "a1b2c3d4"
3. VirusTotal graph: the resolving IP sits in ASN 12345 alongside 8 other recently registered lookalike domains
4. crt.sh: the TLS certificate's SAN list covers 5 domains, including this one
5. BGPview: ASN 12345 is registered to a bulletproof-hosting operator
6. Shodan favicon hash search: 23 active hosts serve this favicon
Result: 23 related phishing domains, full campaign infrastructure mapped
Time with AI orchestration: ~8 minutes | Time manually: ~3 hours
The pivot attributes that reliably cluster campaign infrastructure: shared registrant email (when not privacy-protected), shared ASN, shared TLS certificate (SAN list), shared nameservers, shared favicon hash, shared HTML template hash (urlscan.io's DOM fingerprint), and shared IP address history (passive DNS). Any one of these is a lead worth pivoting on, but they are not equal: a shared ASN or shared nameservers alone prove nothing, because large hosting providers, CDNs and registrars are shared by millions of unrelated domains, whereas a shared certificate, favicon, template or registrant is rarely a coincidence. Three or more shared attributes, with at least one of the strong ones among them, is a high-confidence campaign cluster.
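The clustering rule above, as an added example that is not part of the original page: records keyed by domain, a strength score that refuses to link on weak attributes alone, and union-find to turn pairwise links into campaign clusters. The domains, ASN, certificate and favicon values are constructed, and the IP addresses come from the documentation range 203.0.113.0/24.

```python
from collections import defaultdict

# Attributes that unrelated domains rarely share by accident.
STRONG = {"registrant_email", "cert_fingerprint", "favicon_hash", "template_hash", "ip_history"}
# Attributes shared by millions of legitimate domains on large providers; never a link on their own.
WEAK = {"asn", "nameservers"}

# Constructed records, not real observations. Values are sets so that multi-valued
# attributes (IP history, several certificates) compare by overlap. A
# privacy-protected registrant email is simply omitted, so it can never match.
RECORDS = {
    "micr0soft-login.com": {
        "asn": {"12345"}, "nameservers": {"ns1.bph.example"},
        "cert_fingerprint": {"certA"}, "favicon_hash": {"a1b2c3d4"},
        "template_hash": {"t1"}, "ip_history": {"203.0.113.10"},
    },
    "m1crosoft-login.com": {
        "asn": {"12345"}, "nameservers": {"ns2.other.example"},
        "cert_fingerprint": {"certA"}, "favicon_hash": {"a1b2c3d4"},
        "ip_history": {"203.0.113.10"},
    },
    "office365-verify.net": {
        "asn": {"12345"}, "nameservers": {"ns1.bph.example"},
        "favicon_hash": {"a1b2c3d4"}, "template_hash": {"t1"},
        "ip_history": {"203.0.113.44"},
    },
    # Same bulletproof host and nameservers as the lure, nothing else in common.
    "unrelated-shop.example": {
        "asn": {"12345"}, "nameservers": {"ns1.bph.example"},
        "cert_fingerprint": {"certZ"}, "favicon_hash": {"ffffffff"},
    },
}


def shared_attributes(a: dict, b: dict) -> set:
    """Attribute names on which two domain records overlap."""
    return {name for name in a.keys() & b.keys() if a[name] & b[name]}


def link_strength(shared: set) -> str:
    """3+ shared attributes backed by at least one strong attribute: high-confidence
    link. A strong attribute on its own: a lead to pivot on. Weak attributes only
    (ASN, nameservers): no link at all."""
    if not shared & STRONG:
        return "none"
    return "high" if len(shared) >= 3 else "lead"


def cluster(records: dict, min_strength: str = "high") -> list:
    """Union-find over domains joined by links of at least min_strength. Links are
    transitive: A-B and B-C put A, B and C in one cluster even if A-C is weak."""
    accepted = {"high"} if min_strength == "high" else {"high", "lead"}
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    domains = sorted(records)
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            if link_strength(shared_attributes(records[a], records[b])) in accepted:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in domains:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for g in cluster(RECORDS):
        print("campaign cluster:", ", ".join(g))
```

unrelated-shop.example shares the ASN and nameservers with the lure and is still left out, which is the point of the weighting; m1crosoft-login.com and office365-verify.net share only two attributes with each other but both share four with the seed, so transitivity puts all three in one cluster.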
Commercial tools
DomainTools Iris Investigate + Iris Detect
$15k - $60k / yr (Vendr, Apr 2026)
The incumbent pivot platform. Strong WHOIS history (DomainTools has one of the longest historical WHOIS databases), registrant correlation, SSL certificate history, and IP history. Iris Detect adds continuous monitoring against a custom watchlist (brand terms, executive names, product names). AI layer in 2026: natural-language pivot summarisation, automated campaign clustering. Best for: teams with phishing as a primary use case who need depth in WHOIS history and registrant correlation.
Silent Push
~$15k - $40k / yr (est.)
Newer, ASN-graph focused, aggressive pricing. Strong on internet-scanning-sourced infrastructure data. The ASN pivot approach (tracking infrastructure via autonomous system behaviour, not just domain registration) catches campaign actors who rotate domains but keep consistent hosting infrastructure. Growing enterprise adoption in 2025-2026. Best for: teams that find ASN and hosting-infrastructure pivoting more reliable than WHOIS-based correlation.
Recorded Future Brand Intelligence
Included in Core/Professional/Elite
Part of the Recorded Future Intelligence Cloud. Phishing-infrastructure monitoring via domain registration monitoring, WHOIS correlation, and brand-impersonation alerting. Less deep on pivot capability than DomainTools Iris; broader on threat-actor context (the pivot finds the infrastructure; Recorded Future adds the actor attribution). Best for: existing Recorded Future subscribers who want consolidated phishing alerts without a separate DomainTools contract.
Netcraft
Custom enterprise pricing
The oldest brand-protection vendor, still active and relevant. Netcraft pioneered phishing-site takedown services and has deep infrastructure data. Less prominent in AI-driven pivot workflows than DomainTools or Silent Push, but strong track record on rapid takedown and brand protection. Best for: organisations prioritising takedown speed and an established track record.
Open-source pivot toolkit
The complete OSS hunter stack for phishing infrastructure analysis in April 2026:
dnstwist
Typosquat generation. Install with pip and run locally. Generates 300+ permutations per domain (omissions, transpositions, homoglyphs, hyphenation, dictionary words and more, one transformation per variant), then checks which are registered and what they resolve to.
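The permutation engine in miniature, as an added example written for this page rather than dnstwist's own code: one transformation per variant, exactly as dnstwist works, plus a second pass over its own output because a lure like micr0soft-login.com combines two transformations (a dictionary suffix and a homoglyph). The homoglyph table is limited to ASCII lookalikes, the dictionary is a constructed three-word stand-in for dnstwist's dictionary file, and the input is assumed to be a plain name.tld (multi-part public suffixes such as co.uk are not handled). Registration and DNS checks are left to the real tool.

```python
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5", "t": "7", "b": "8", "g": "9"}
WORDS = ("login", "secure", "verify")  # constructed stand-in for a dnstwist dictionary file


def permutations(domain: str) -> dict:
    """Return {variant: fuzzer_name}, one transformation per variant.
    Assumes a name.tld input; the label left of the last dot is mutated."""
    name, tld = domain.lower().rsplit(".", 1)
    out = {}

    def add(kind, label):
        # Drop the unchanged name and labels a registrar would reject.
        if label and label != name and "--" not in label and not label.startswith("-") and not label.endswith("-"):
            out.setdefault(f"{label}.{tld}", kind)

    for i in range(len(name)):
        add("omission", name[:i] + name[i + 1:])                       # micosoft
        add("repetition", name[:i] + name[i] + name[i:])               # microsofft
        if name[i] in HOMOGLYPHS:
            add("homoglyph", name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])  # micr0soft
        if i < len(name) - 1:
            add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])  # mircosoft
            add("hyphenation", name[:i + 1] + "-" + name[i + 1:])      # micro-soft
    for w in WORDS:
        for label in (name + w, f"{name}-{w}", w + name, f"{w}-{name}"):
            add("dictionary", label)                                   # microsoft-login
    return out


def permutations_two_pass(domain: str) -> dict:
    """Run the engine over its own output so combined lures (dictionary + homoglyph,
    homoglyph + hyphenation, ...) are generated. Variant count grows roughly
    quadratically, which is why dnstwist stops at one pass by default."""
    first = permutations(domain)
    combined = dict(first)
    for variant, kind1 in first.items():
        for v2, kind2 in permutations(variant).items():
            if v2 != domain.lower():
                combined.setdefault(v2, f"{kind1}+{kind2}")
    return combined


if __name__ == "__main__":
    one = permutations("microsoft.com")
    two = permutations_two_pass("microsoft.com")
    print(len(one), "single-pass variants,", len(two), "two-pass variants")
    print("micr0soft-login.com ->", two.get("micr0soft-login.com"))
```

With the real tool, `dnstwist --registered --format json microsoft.com` does the generation and the registration check in one go; feed a registered dictionary variant back in to get the second pass.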
urlscan.io
Submit URL, receive screenshot, DOM, network trace, favicon hash, TLS cert, resource breakdown. Free tier with rate limits; paid API for automation.
VirusTotal
IP, domain, file, URL relationship graph. Free tier useful; Enterprise API needed for bulk queries and automated pivoting.
WhoisXML API / Whoxy
WHOIS history and reverse-WHOIS. Query by registrant email to find all domains registered by the same actor. WhoisXML has a free tier for limited queries.
BGPview / HE BGP Toolkit
ASN context: who owns this IP block, what other prefixes are in the same ASN, what other IPs are advertised by the same operator.
Shodan / Censys
Internet scanning databases. Shodan's favicon hash filter is particularly useful for pivoting. Censys has strong SSL certificate search.
crt.sh
Certificate transparency log search. Free, no API key needed. Find all certificates issued for a domain and all domains on the same certificate (the SAN list). Watch for multi-tenant certificates from CDNs and shared hosting: their SAN lists bundle unrelated customers, so overlap there is not a campaign link.
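The crt.sh leg of the pivot, as an added example that is not the page's or crt.sh's own code: build the JSON query URL, group rows by certificate id, normalise the SAN list, and collect every name that shares a certificate with the seed while skipping certificates large enough to be multi-tenant CDN or shared-hosting issuances. The field names match crt.sh's JSON output; the rows, domains, dates and issuer names are constructed, and the max_sans cut-off is a heuristic of this example, not a crt.sh parameter.

```python
import json
from urllib.parse import quote


def crtsh_url(query: str) -> str:
    """crt.sh JSON endpoint. q= accepts a hostname, an SQL-style wildcard such as
    %.example.com, or a certificate fingerprint; output=json returns one row per
    log entry, so a precertificate and its final certificate arrive as two rows."""
    return f"https://crt.sh/?q={quote(query)}&output=json"


def fetch(query: str) -> list:
    """Live lookup (not exercised offline)."""
    import urllib.request
    with urllib.request.urlopen(crtsh_url(query), timeout=30) as resp:
        return json.load(resp)


# Constructed stand-in for the rows crt.sh would return for q=micr0soft-login.com.
# Rows 1001 and 1002 are the precertificate and final certificate of one issuance.
SAMPLE = json.loads("""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
  "common_name": "micr0soft-login.com",
  "not_before": "2026-03-30T08:12:00", "not_after": "2026-06-28T08:11:59",
  "name_value": "micr0soft-login.com\\nwww.micr0soft-login.com\\nm1crosoft-login.com\\noffice365-verify.net\\nlogin-m365-secure.com"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
  "common_name": "micr0soft-login.com",
  "not_before": "2026-03-30T08:12:00", "not_after": "2026-06-28T08:11:59",
  "name_value": "micr0soft-login.com\\nwww.micr0soft-login.com\\nm1crosoft-login.com\\noffice365-verify.net\\nlogin-m365-secure.com"}
]""")
# A multi-tenant CDN certificate that lists the seed among 60 unrelated customers:
# the kind of row that turns a SAN pivot into noise if it is not filtered.
SAMPLE.append({
    "id": 2003, "issuer_name": "C=US, O=Example CDN CA", "common_name": "sni.cdn.example",
    "not_before": "2026-03-01T00:00:00", "not_after": "2026-05-30T00:00:00",
    "name_value": "\n".join(["micr0soft-login.com"] + [f"tenant{i}.example" for i in range(60)]),
})


def certificates(entries: list) -> dict:
    """Group rows by certificate id and normalise the SAN list: one name per line
    in name_value, lower-cased, wildcard prefix removed, common name included."""
    certs = {}
    for row in entries:
        names = {n.strip().lower().removeprefix("*.") for n in row["name_value"].splitlines() if n.strip()}
        names.add(row["common_name"].strip().lower())
        certs.setdefault(row["id"], set()).update(names)
    return certs


def pivot_domains(entries: list, seed: str, max_sans=25) -> list:
    """Names that share a certificate with seed. Certificates with more than
    max_sans names are skipped as probable multi-tenant issuances; pass
    max_sans=None to see the unfiltered (noisy) result."""
    seed = seed.lower()
    related = set()
    for names in certificates(entries).values():
        if seed in names and (max_sans is None or len(names) <= max_sans):
            related |= names
    related.discard(seed)
    return sorted(related)


if __name__ == "__main__":
    print(crtsh_url("%.micr0soft-login.com"))
    print("filtered:  ", pivot_domains(SAMPLE, "micr0soft-login.com"))
    print("unfiltered:", len(pivot_domains(SAMPLE, "micr0soft-login.com", max_sans=None)), "names")
```

The filtered result is the four other names on the campaign certificate; without the cut-off the CDN certificate drags in 61 unrelated names, which is what a naive "same certificate" pivot would report.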
favfreak / mmh3 hash
Favicon hash calculation and search. Compute the Shodan-style MMH3 hash of a favicon (MurmurHash3 over the base64-encoded image bytes) and search Shodan with the http.favicon.hash filter for other hosts serving the same image.
See the open-source tools page for the full OSS stack walkthrough. MISP and OpenCTI integrate with these pivot outputs for knowledge-graph storage and sharing.
What AI adds to the pivot
An LLM agent with tool-use capability automates the pivot sequence: given a starting domain, it runs dnstwist, submits top variants to urlscan.io, reads the favicon hash and ASN from urlscan output, queries VirusTotal for related infrastructure, checks crt.sh for certificate SAN lists, queries BGPview for ASN context, and correlates shared attributes across all results. The pivot to depth 2-3 completes in approximately 8-12 minutes rather than 2-3 hours.
Honest caveat: LLMs struggle on pivots beyond depth 3. At depth 4+, the graph of related infrastructure becomes large enough that LLM context limits and tool-use loop overhead make manual analysis faster. Experienced threat hunters report that the LLM is an excellent starting point for routine phishing triage but cannot replace a skilled analyst on complex adversary infrastructure with deliberate anti-analysis evasion.
Reference pattern: daily phishing triage workflow with LLM orchestration. New phishing reports from APWG, PhishTank, and the Google Safe Browsing feed are ingested overnight. The LLM agent pivots on each new domain via the OSS toolkit, produces a pivot graph in OpenCTI (or as a Markdown brief), and flags campaign clusters for analyst review. The analyst reviews the clusters, promotes confirmed campaigns to the SIEM (a Sigma rule covering the cluster's domains, IPs and hosting ASN), and triggers takedown requests for the highest-confidence phishing domains. See AI SIEM correlation for the detection rule generation step.
FAQ
What is phishing infrastructure tracking?
Phishing infrastructure tracking is the analyst skill of pivoting from a single known phishing domain to the full campaign infrastructure. Given one phishing domain (for example, micr0soft-login.com), the analyst pivots to find related infrastructure sharing the same registrant, ASN, SSL certificate, nameservers, favicon hash, or HTML template. AI accelerates this pivot by automating the tool chain: running typosquat enumeration, submitting to URLscan.io, querying certificate transparency logs, checking passive DNS history, and correlating shared infrastructure attributes across all of those sources simultaneously.
How much does DomainTools cost?
DomainTools does not publish list prices. Iris Investigate, their primary pivot platform, typically ranges from $15k to $60k per year based on query volume and WHOIS history access depth, from Vendr data and Gartner Peer Insights reviewer comments (April 2026). Iris Detect (continuous monitoring) is a separate SKU. DomainTools is available on Impact and through direct sales. Smaller teams that primarily need WHOIS history can access a subset of capabilities through the DomainTools API without an enterprise contract.
What is the OSS phishing infrastructure toolkit?
The OSS hunter toolkit in April 2026: dnstwist (typosquat enumeration), urlscan.io (URL submission, screenshot, network trace, DOM, favicon hash), VirusTotal graph (IP, domain, file, URL relationship graph), WhoisXML API or Whoxy (WHOIS history and reverse-WHOIS), BGPview or Hurricane Electric BGP Toolkit (ASN and netblock context), Shodan or Censys (hosting infrastructure enumeration), crt.sh (certificate transparency log query), and favfreak or faviconhash.com (favicon hash pivot). An LLM orchestrator can sequence these tools automatically given a starting domain, performing the pivot to depth 2-3 without human direction.
Can an AI agent do phishing-infra pivot automatically?
Yes, to a meaningful depth. An LLM agent with tool-use capability can automate the standard pivot sequence: run dnstwist on the target domain, submit the top variants to urlscan.io, read the favicon hash and ASN from the urlscan output, query VirusTotal for related infrastructure, check crt.sh for the TLS certificate's Subject Alternative Names, query BGPview for the other prefixes the ASN announces, and correlate shared attributes across all results. This covers the pivot to depth 2-3 in minutes rather than hours. Where LLMs still struggle: pivots beyond depth 3, novel infrastructure-sharing patterns not in training data, and anti-analysis evasion techniques that produce misleading output in automated tool responses.
What is a favicon hash and why does it help track phishing infrastructure?
A favicon hash (Shodan's MMH3 hash of the base64-encoded favicon, or urlscan.io's favicon hash) is a fingerprint of a website's favicon image. Threat actors building phishing pages often reuse the same favicon across multiple domains in a campaign, particularly when they are building infrastructure quickly using automated tools or phishing kits. The hash is searchable in Shodan (the http.favicon.hash filter) and urlscan.io, allowing an analyst to pivot from one phishing domain's favicon to every other host in the campaign serving the same image. It is one of the most reliable campaign pivots because attackers who focus on evading domain-reputation checks rarely bother to change the favicon. Caveat: when a kit simply copies the brand's genuine favicon, the hash also matches the brand's own hosts and every other kit cloning that brand, so exclude the brand's ASNs from the results and confirm the hit with a second shared attribute before treating it as a campaign link.