Potential Phishing Search API
Detect potential phishing domains that impersonate your brand by appearing on third-party domains (e.g. adnoc.secure-login.xyz targeting adnoc.com).
The OEM API requires special partner access. Contact FullHunt sales to enable OEM capabilities on your account.
Search Potential Phishing Domains
Search for domains impersonating a brand on third-party infrastructure, discovered via Certificate Transparency logs.
HTTP Request
POST https://fullhunt.io/api/v1/oem/potential-phishing/search
Request Body Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| query | Yes | string | Base domain to search for potential phishing domains |
| query_tags | No | object | Key-value pairs for client-specific tracking |
Example Request
```bash
curl -X POST "https://fullhunt.io/api/v1/oem/potential-phishing/search" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "adnoc.com",
    "query_tags": {
      "client_name": "ADNOC",
      "workspace": "production"
    }
  }'
```
Example Response
```json
{
  "base_domain": "adnoc.com",
  "total": 3,
  "potential_phishing_domains": [
    {
      "domain": "adnoc.secure-login.xyz",
      "base_domain": "adnoc.com",
      "type": "PotentialPhishing",
      "dns": {
        "a": ["192.0.2.45"],
        "aaaa": [],
        "mx": [],
        "ns": ["ns1.registrar.com", "ns2.registrar.com"],
        "cname": [],
        "txt": [],
        "ptr": []
      },
      "dns_history": [
        {
          "date": "04-03-2026",
          "dns": {
            "a": ["192.0.2.45"],
            "aaaa": [],
            "mx": [],
            "ns": ["ns1.registrar.com", "ns2.registrar.com"],
            "cname": [],
            "txt": [],
            "ptr": []
          },
          "timestamp": 1741052400
        }
      ],
      "last_seen": 1741138800,
      "date_added": 1741052400
    },
    {
      "domain": "adnoc-login.net",
      "base_domain": "adnoc.com",
      "type": "PotentialPhishing",
      "dns": {
        "a": ["198.51.100.88"],
        "aaaa": [],
        "mx": ["mail.adnoc-login.net"],
        "ns": ["dns1.parking.net", "dns2.parking.net"],
        "cname": [],
        "txt": ["v=spf1 include:_spf.google.com ~all"],
        "ptr": []
      },
      "dns_history": [
        {
          "date": "01-03-2026",
          "dns": {
            "a": ["198.51.100.88"],
            "aaaa": [],
            "mx": ["mail.adnoc-login.net"],
            "ns": ["dns1.parking.net", "dns2.parking.net"],
            "cname": [],
            "txt": ["v=spf1 include:_spf.google.com ~all"],
            "ptr": []
          },
          "timestamp": 1740787200
        }
      ],
      "last_seen": 1741138800,
      "date_added": 1740787200
    },
    {
      "domain": "my-adnoc.io",
      "base_domain": "adnoc.com",
      "type": "PotentialPhishing",
      "dns": {
        "a": ["203.0.113.10"],
        "aaaa": [],
        "mx": [],
        "ns": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
        "cname": [],
        "txt": [],
        "ptr": []
      },
      "dns_history": [
        {
          "date": "25-02-2026",
          "dns": {
            "a": ["203.0.113.10"],
            "aaaa": [],
            "mx": [],
            "ns": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
            "cname": [],
            "txt": [],
            "ptr": []
          },
          "timestamp": 1740441600
        }
      ],
      "last_seen": 1741138800,
      "date_added": 1740441600
    }
  ]
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| base_domain | string | The queried base domain |
| total | integer | Total number of potential phishing domains found |
| potential_phishing_domains | array | Array of potential phishing domain objects |
Potential Phishing Domain Object Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The phishing domain discovered |
| base_domain | string | The original/legitimate domain being impersonated |
| type | string | Type of threat (always "PotentialPhishing") |
| dns | object | Current DNS records for the phishing domain |
| dns.a | array | IPv4 addresses |
| dns.aaaa | array | IPv6 addresses |
| dns.mx | array | Mail server records |
| dns.ns | array | Name server records |
| dns.cname | array | Canonical name records |
| dns.txt | array | Text records |
| dns.ptr | array | Pointer records |
| dns_history | array | Historical DNS snapshots (only recorded when DNS changes) |
| dns_history[].date | string | Date of the snapshot (DD-MM-YYYY) |
| dns_history[].dns | object | DNS records at that point in time |
| dns_history[].timestamp | integer (Unix timestamp) | Epoch time of the snapshot |
| last_seen | integer (Unix timestamp) | Most recent verification timestamp |
| date_added | integer (Unix timestamp) | When domain was first discovered |
How It Differs from Typosquatting
| Aspect | Typosquatting | Potential Phishing |
|---|---|---|
| Detection | Misspellings of the domain (e.g. adnco.com) | Brand name on third-party domains (e.g. adnoc.secure-login.xyz) |
| Data Source | Domain permutation algorithms | Certificate Transparency log keyword search |
| Domain Owner | Attacker registers a look-alike domain | Attacker uses the brand name as a subdomain or keyword on their own domain |
Use Cases
Brand Impersonation Detection
- Find domains using your brand name on unrelated infrastructure
- Detect credential harvesting pages (e.g. brand.secure-login.xyz)
- Identify phishing campaigns targeting your customers or employees
Threat Intelligence
- Track attacker infrastructure hosting brand impersonation
- Correlate phishing domains with active campaigns
- Monitor DNS changes over time via dns_history to detect infrastructure shifts
Partner Integration
- Provide phishing domain monitoring as a service to clients
- Build brand protection dashboards combining typosquatting and phishing data
- Automate takedown workflows when new phishing domains appear
DNS History Tracking
The dns_history array provides a timeline of DNS changes for each phishing domain. A new entry is only added when DNS records change from the previous snapshot, making it easy to track infrastructure changes over time.
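The timeline described above can be turned into change events by diffing consecutive snapshots. This is an added example, not FullHunt's code; the `ENTRY` data is constructed in the documented object shape, and `dns_changes` is a hypothetical helper name.

```python
from datetime import datetime, timezone

RECORD_TYPES = ("a", "aaaa", "mx", "ns", "cname", "txt", "ptr")

# Constructed sample entry in the documented object shape (not real data).
ENTRY = {
    "domain": "example.secure-login.test",
    "dns_history": [
        {"timestamp": 1741046400,
         "dns": {"a": ["198.51.100.7"], "mx": ["mail.secure-login.test"],
                 "ns": ["ns1.example.net", "ns2.example.net"]}},
        {"timestamp": 1740787200,
         "dns": {"a": ["192.0.2.45"], "mx": [],
                 "ns": ["ns1.example.net", "ns2.example.net"]}},
    ],
}


def dns_changes(entry):
    """Diff consecutive dns_history snapshots into per-record-type events."""
    # Sort by epoch timestamp rather than trusting the array order.
    snaps = sorted(entry.get("dns_history", []), key=lambda s: s["timestamp"])
    events = []
    for prev, cur in zip(snaps, snaps[1:]):
        when = datetime.fromtimestamp(cur["timestamp"], tz=timezone.utc)
        for rtype in RECORD_TYPES:
            before = set(prev["dns"].get(rtype, []))
            after = set(cur["dns"].get(rtype, []))
            if before == after:
                continue
            events.append({
                "domain": entry["domain"],
                "when": when.strftime("%Y-%m-%d"),
                "type": rtype,
                "added": sorted(after - before),
                "removed": sorted(before - after),
            })
    return events


if __name__ == "__main__":
    for event in dns_changes(ENTRY):
        print(event)
```

An `mx` record appearing in `added` is worth surfacing separately, since it marks the point at which a domain became able to receive mail.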
Query Tags for Tracking
Use the query_tags parameter to track searches by client or context:
```json
{
  "query_tags": {
    "client_id": "client_123",
    "client_name": "ADNOC Group",
    "workspace": "production",
    "scan_id": "scan_789"
  }
}
```
Rate Limiting
The OEM Potential Phishing Search API has custom rate limits based on your partner agreement:
- Negotiated limits based on usage requirements
- Burst capacity for high-volume periods
- Priority processing for partner requests
Error Handling
The API returns standard HTTP status codes:
| Status Code | Description |
|---|---|
| 200 | Success |
| 400 | Bad Request - Invalid parameters |
| 401 | Unauthorized - Invalid API key |
| 403 | Forbidden - OEM access not enabled or credit exhausted |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
Example Error Response
```json
{
  "error": "Missing required parameter: 'query'"
}
```
Triggering Scans
You can trigger an on-demand scan to discover potential phishing domains using the On-Demand Scan API:
```bash
curl -X POST "https://fullhunt.io/api/v1/oem/on-demand-scan" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "domain",
    "target": "adnoc.com"
  }'
```
Best Practices
- Trigger Scans First: Use the On-Demand Scan API to ensure fresh data for new domains
- Combine with Typosquatting: Use both APIs together for comprehensive brand protection
- Monitor DNS History: Review dns_history to detect infrastructure changes and campaign shifts
- Automated Alerts: Set up notifications when new phishing domains are discovered
- Takedown Process: Establish procedures for reporting/taking down malicious domains
- MX Record Analysis: Phishing domains with MX records may be used for email-based attacks
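The alerting and MX-analysis practices above can be combined into one triage pass over a search response. This is an added example, not FullHunt's code: `SAMPLE` is constructed in the documented response shape, `triage` and the reason labels are hypothetical, and scoring by counting reasons is an illustrative assumption.

```python
# Constructed sample response in the documented shape (not real data).
SAMPLE = {
    "base_domain": "example.com",
    "total": 3,
    "potential_phishing_domains": [
        {"domain": "example.secure-login.test", "date_added": 1741046400,
         "dns": {"a": ["192.0.2.45"], "mx": [], "txt": []}},
        {"domain": "example-login.test", "date_added": 1740787200,
         "dns": {"a": ["198.51.100.88"], "mx": ["mail.example-login.test"],
                 "txt": ["v=spf1 include:_spf.example.net ~all"]}},
        {"domain": "my-example.test", "date_added": 1740441600,
         "dns": {"a": [], "mx": [], "txt": []}},
    ],
}


def triage(response, checkpoint):
    """Rank domains for review; checkpoint is the Unix time of the last run."""
    brand = response["base_domain"].split(".")[0]
    findings = []
    for item in response.get("potential_phishing_domains", []):
        dns = item.get("dns", {})
        labels = item["domain"].lower().split(".")
        reasons = []
        if item.get("date_added", 0) > checkpoint:
            reasons.append("new-since-last-run")   # candidate for an alert
        if dns.get("mx"):
            reasons.append("mail-capable")         # can receive mail
        if any(t.lower().startswith("v=spf1") for t in dns.get("txt", [])):
            reasons.append("spf-published")        # set up to send mail
        if dns.get("a") or dns.get("aaaa") or dns.get("cname"):
            reasons.append("resolves")             # may be hosting content
        # Assumes a single-label TLD; a public suffix list is needed otherwise.
        if brand in labels[:-2]:
            reasons.append("brand-as-subdomain")
        findings.append({"domain": item["domain"],
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["domain"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE, checkpoint=1741000000):
        print(finding)
```

Persist the largest `date_added` seen as the next run's checkpoint so each domain raises the new-domain alert only once.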