
48 Hours: The anatomy of a phishing takedown

Most phishing campaigns use infrastructure that was visible 72 hours before the attack. The question is whether you were watching. We walk through a real takedown: detection, escalation, and suspension, start to finish.

2024-11-15 · 8 min read · ClairSec Research Team

The problem with reactive phishing response

Most organizations find out about phishing campaigns targeting their brand when a customer calls. By that point, the domain has been live for days, credentials have been harvested, and the attacker has already cycled to a new infrastructure set.

Reactive response is not a phishing strategy. It is a damage assessment process.

The difference between a 4-hour response and a 4-day response is entirely about when detection happens. Our process is built around catching phishing infrastructure while it is still being staged, before the first email is sent.

How phishing domains get built

A threat actor preparing a brand impersonation campaign follows a predictable pattern:

  1. Register a lookalike domain (typosquat, homograph, combo-squat, or subdomain abuse)
  2. Acquire or self-sign an SSL certificate, typically within 24 hours of registration
  3. Stand up hosting infrastructure (often a compromised VPS or a bulletproof provider)
  4. Clone the target's login page or brand materials
  5. Begin sending phishing emails or SMS messages

Steps 1 through 3 leave observable signals. Certificate transparency logs, WHOIS records, passive DNS data, and domain registration feeds all surface new domains before they go live. This is where detection must happen.

The ClairSec detection chain

When a new domain is registered, it enters our monitoring pipeline within minutes. Here is what happens next:

  1. Fuzzy match against your brand profile. We run Levenshtein distance scoring, homoglyph substitution detection, and keyword combination checks against your registered brand terms, product names, and domain variants.
  2. Certificate transparency enrichment. We cross-reference against CT log feeds (crt.sh and others) to identify certificates issued for matching domains, including wildcard certs that suggest broader infrastructure.
  3. Active infrastructure check. We query DNS records, check for live HTTP/S responses, and screenshot any live pages to identify credential harvesting pages or brand clones.
  4. Severity scoring. Findings are scored on a 1 to 5 scale based on brand similarity, infrastructure liveness, and contextual threat actor signals. Score 4+ triggers immediate client notification.

The average time from domain registration to first phishing email sent is 11 hours. Our average detection time is under 2 hours from registration.
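As an added illustration of the fuzzy-match and severity-scoring steps above (example code written for this page, not ClairSec's pipeline): homoglyph folding, Levenshtein distance, brand-plus-keyword combination checks across every DNS label, and a 1 to 5 score where 4+ means notify. The homoglyph table, point weights, keyword set and sample domains are constructed assumptions.

```python
import unicodedata

# Constructed homoglyph table (assumption); a real brand profile covers far more glyphs.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
              "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "ѕ": "s"}

def normalize(label):
    """Fold homoglyphs to ASCII so 'c1airsec' compares equal to 'clairsec'."""
    s = unicodedata.normalize("NFKC", label.lower())
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s

def levenshtein(a, b):  # edit distance: the typosquat similarity signal
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def label_signals(label, brand, keywords):
    """Brand-similarity points (0-3) plus the raw signals for one DNS label."""
    folded = normalize(label)
    dist = levenshtein(folded, brand)
    homoglyph = folded != label                      # substitution detected
    combo = brand in folded and any(k in folded for k in keywords)
    if dist == 0:
        pts = 3                                      # exact brand (or a homoglyph of it)
    elif dist <= 2 or combo:
        pts = 2                                      # typosquat, or brand + keyword combo
    elif brand in folded:
        pts = 1                                      # brand embedded in a longer label
    else:
        pts = 0
    return pts, dist, homoglyph, combo

def assess(domain, brand, keywords, live=False, cert=False):
    """Score a newly registered domain 1-5; 4+ means notify the client."""
    brand = normalize(brand)
    # Every label left of the TLD is checked so subdomain abuse is caught too
    # (assumption: no public-suffix handling, so 'co.uk'-style TLDs are crude).
    labels = domain.lower().rstrip(".").split(".")[:-1] or [domain.lower()]
    pts, dist, homoglyph, combo = max(
        (label_signals(l, brand, keywords) for l in labels), key=lambda s: s[0])
    pts += homoglyph + live + cert                   # liveness and a cert add one point each
    score = max(1, min(5, pts))
    return {"domain": domain, "distance": dist, "homoglyph": homoglyph,
            "keyword_combo": combo, "score": score, "notify": score >= 4}
```

The `live` and `cert` flags stand in for the active infrastructure check and CT-log enrichment steps; in a pipeline they would come from the DNS/HTTP probe and the CT feed rather than being passed by hand.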

The 48-hour takedown timeline

Once a confirmed phishing domain is detected and scored, the takedown process begins. Here is a representative timeline from a real engagement (details anonymized):

  • Hour 0: Domain registered. Certificate issued 40 minutes later. Our systems flag the domain within 90 minutes of registration based on brand keyword match and certificate issuance.
  • Hour 2: Active infrastructure check confirms a live credential harvesting page. Client notified via priority alert with screenshot evidence, WHOIS data, and hosting provider details.
  • Hour 4: Abuse report filed with the registrar and hosting provider simultaneously. CERT-FR and relevant national CERT notified as applicable.
  • Hour 18: Hosting provider suspends the IP. Page goes dark. Domain remains registered but non-functional.
  • Hour 43: Registrar processes the abuse complaint. Domain suspended. DNS records cleared.

Total time from detection to full suspension: 43 hours. Industry average for unmonitored brands: 14+ days.

What you should ask your CTI provider

If you work with a managed security or CTI provider and phishing is in scope, these are the questions that distinguish genuine capability from checkbox coverage:

  • What is your average time from domain registration to detection?
  • Do you monitor certificate transparency logs continuously, or on a schedule?
  • Do you file takedown requests, or do you hand us a list and expect us to act?
  • What is your average time from detection to registrar/hosting suspension?
  • How do you handle bulletproof hosting providers who don't respond to abuse reports?

The answers to these questions will tell you whether you have a detection service or an intelligence service. Detection tells you what happened. Intelligence tells you what to do about it, and does it with you.

Conclusion

48-hour takedowns are achievable. They require continuous monitoring, fast triage, and direct relationships with abuse desks, not a weekly scan or a ticket queue.

If your brand is being impersonated right now, you probably don't know about it yet. Schedule a discovery call and we'll run a dark web and domain scan scoped to your brand within 5 business days.

