What combosquatting is
Combosquatting is a lookalike-domain attack that keeps your brand name spelled correctly and pairs it with an extra word or a different top-level domain. The result looks trustworthy at a glance because the brand string is intact.
The added word is almost always something benign and reassuring drawn from a small, predictable abuse vocabulary: secure, login, support, account, verify, wallet, pay, help, alert, billing. Typical patterns for a brand like Acme Bank:
- acmebank-secure.com
- login-acmebank.com
- acmebank-support.net
- secure-acmebank.com
- acmebank.app (brand intact, alternate TLD)
This is the key distinction from typosquatting. Typosquatting depends on a fat-fingered misspelling — acmebnak.com, acmebanc.com — and is caught by edit-distance detection. Combosquatting never misspells the brand, so the brand string passes any "is this my name?" check cleanly, and the malicious intent hides in the affix.
Why it's the most common pattern
The large-scale academic work on this, Kintis et al.'s 2017 ACM CCS study "Hiding in Plain Sight," found that combosquatting is far more prevalent than typosquatting, and that these domains tend to be long-lived — many persist for years rather than getting registered and burned in a single campaign. They are abused across the full range of attacker activity: credential phishing, malware delivery, and affiliate or ad fraud.
The reasons it dominates are structural:
- It looks legitimate. A correctly-spelled brand plus the word support reads like an official help portal, not a scam.
- The space is enormous. Any brand can combine with hundreds of keywords across hundreds of TLDs, so attackers have inexhaustible inventory.
- It evades simple detection. Detection built around misspellings and visual confusables simply doesn't fire on a perfectly-spelled brand.
Combosquat domains show up most often in email and SMS phishing ("verify your account at acmebank-verify.com") and in paid-ad and landing-page abuse, where a clean-looking domain lends credibility to a fake offer or login page.
Why defensive registration fails
A common instinct is to register the lookalikes yourself before an attacker can. Against combosquatting, this does not work.
The brand-times-keyword-times-TLD space is combinatorial. Even a conservative set — 200 keywords across 100 TLDs, in both keyword-brand and brand-keyword orders — is tens of thousands of domains, before you account for hyphenation, plurals, and localized terms. You would spend a fortune registering domains nobody will ever attack while still leaving the one the attacker actually picks unregistered.
You cannot out-register the keyword space. The only durable defense is to monitor it continuously and take down the combos that show real abuse.
Defensive registration has a narrow role — a handful of the very highest-risk exact combos — but it is a supplement to monitoring, never a substitute.
How to detect it
Effective detection treats the combo space as something to generate and then verify, not something to enumerate exhaustively. The pipeline has three stages:
- Permutation. Generate candidates from your brand token against a curated abuse-keyword set and a ranked TLD list, in both affix orders, including hyphenated and concatenated forms.
- Enrichment. For each candidate, check what actually exists in the world:
  - Does it resolve to a live host (an A/AAAA record)?
  - Does it have an MX record, making it mail-capable for phishing?
  - Does it appear in Certificate Transparency logs with a valid TLS cert?
  - Was it registered recently, a strong freshness signal for an active campaign?
- Scoring. Combine those signals into a risk score so a freshly-registered, mail-capable domain with a live login page ranks far above a parked placeholder.
A permuted candidate that resolves, has MX, and just appeared in CT logs is a credible threat. The same string with no DNS, no cert, and no registration is noise.
The false-positive problem
The hard part of combosquatting detection is not generating candidates — it is suppression. Many domains that match a brand-plus-keyword pattern are entirely legitimate:
- Your own marketing and campaign domains (acmebank-rewards.com).
- Partner, reseller, and franchise sites that legitimately carry your name.
- Regional or product-line domains operated by your own org.
A detector that flags every match floods your team with false positives and trains them to ignore the alerts — which is how a real impersonation slips through. Suppression is the difference between a useful product and an unusable one, and it is exactly why false-positive rate is the metric that matters. It depends on maintained allowlists, registrant and infrastructure correlation, and scoring that demotes benign matches before a human ever sees them.
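As an added illustration of the three-stage pipeline above and the allowlist suppression just described (example code written for this page, not Brandfence's own implementation), the Python below permutes a constructed brand against a small keyword and TLD set in both affix orders, enriches each candidate from a constructed signal table that stands in for live DNS, MX, CT and registration lookups, drops allowlisted domains, and scores the rest. The signal weights and the sample data are assumptions.

```python
# Constructed inputs: a small abuse vocabulary and TLD list, as the text describes.
BRAND = "acmebank"
KEYWORDS = ["secure", "login", "support", "verify", "rewards"]
TLDS = ["com", "net", "app"]

# Constructed allowlist of domains the brand itself operates (suppression input).
ALLOWLIST = {"acmebank.com", "acmebank-rewards.com"}

def permute(brand=BRAND, keywords=KEYWORDS, tlds=TLDS):
    """Stage 1: brand x keyword x TLD in both affix orders, hyphenated and
    concatenated, plus the bare brand on every TLD (the acmebank.app case)."""
    labels = set()
    for kw in keywords:
        for sep in ("-", ""):
            labels.add(f"{brand}{sep}{kw}")
            labels.add(f"{kw}{sep}{brand}")
    labels.add(brand)
    return sorted(f"{label}.{tld}" for label in labels for tld in tlds)

# Stage 2 stand-in: constructed enrichment results instead of live lookups.
# resolves = A/AAAA present, mx = MX present, ct_seen = cert in CT logs,
# age_days = days since registration (None = not registered at all).
SIGNALS = {
    "acmebank-verify.com": {"resolves": True, "mx": True, "ct_seen": True, "age_days": 3},
    "login-acmebank.com": {"resolves": True, "mx": False, "ct_seen": True, "age_days": 400},
    "acmebank-rewards.com": {"resolves": True, "mx": True, "ct_seen": True, "age_days": 900},
    "acmebank.app": {"resolves": False, "mx": False, "ct_seen": False, "age_days": None},
}

def score(sig):
    """Stage 3: assumed weights so a fresh, mail-capable, live domain outranks a parked one."""
    if sig is None or sig["age_days"] is None:
        return 0  # no registration / no DNS: noise, not a threat
    s = 3 * sig["resolves"] + 3 * sig["mx"] + 2 * sig["ct_seen"]
    s += 4 if sig["age_days"] <= 30 else 1 if sig["age_days"] <= 180 else 0
    return s

def rank(candidates, signals=SIGNALS, allowlist=ALLOWLIST):
    """Suppress allowlisted matches before scoring; return (domain, score), highest first,
    with zero-score (unregistered) candidates dropped so a human never sees them."""
    scored = []
    for d in candidates:
        if d in allowlist:
            continue  # legitimate brand-owned domain: never alert on it
        s = score(signals.get(d))
        if s > 0:
            scored.append((d, s))
    return sorted(scored, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for d, s in rank(permute()):
        print(f"{s:2d}  {d}")
```

Run as-is it prints only the two credible candidates, with the freshly registered, mail-capable acmebank-verify.com on top; the brand's own acmebank-rewards.com is suppressed and the unregistered acmebank.app scores zero.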
This is the layer Brandfence is built around. It generates combosquat permutations against a curated abuse-keyword set, enriches each with DNS, MX, and CT signals, suppresses the benign majority, scores the rest, and routes only confirmed impersonations to human-reviewed takedown.
A response playbook
When a candidate clears scoring and suppression and looks like a genuine impersonation:
- Confirm and capture evidence. Record DNS, the live page, screenshots, and CT entries with timestamps, so the malicious use is documented and defensible.
- Route by the abuse type. A phishing page goes to the registrar and hosting provider; a confusingly-similar domain trading on your mark is a candidate for a UDRP complaint. A registered trademark materially strengthens both UDRP filings and platform abuse reports.
- Keep a human in the loop. Takedown notices carry legal weight and liability, so confirmed cases get human sign-off, never an auto-fired notice.
- Don't lean on DMARC for these. DMARC at enforcement protects your exact domain from spoofing, but combosquat domains are separate registrations the attacker authenticates themselves. DMARC does nothing for cousin domains — only monitoring and takedown do.
Find the combos targeting your brand
Brandfence generates the brand-plus-keyword permutations attackers actually use, enriches them with DNS, mail, and certificate signals, suppresses the benign majority, and routes confirmed impersonations to evidence-backed, human-reviewed takedown. Get a free brand exposure report.