Threat Intelligence

What Certificate Transparency Monitoring Catches Before DMARC Ever Sees It

The attack signal that arrives hours before the first spoofed email.

April 18, 2026 · 5 min read

What CT logs are and why they matter

Certificate Transparency is a public framework that requires certificate authorities to log every SSL/TLS certificate they issue. These logs are append-only, publicly auditable, and searchable. Originally designed to catch rogue CAs, CT logs have become one of the most valuable early warning systems for domain security teams.

The key insight is timing. When an attacker registers a lookalike domain, the very first thing they do is provision an SSL certificate so their phishing site gets the padlock icon. That certificate issuance is logged publicly, often hours or days before the first phishing email is sent. DMARC only fires after an email arrives. CT monitoring fires when the infrastructure is being built.

The attacker's playbook

A typical lookalike attack follows a predictable sequence. The attacker registers a domain that visually resembles yours: your-domain-secure.com, yourdoma1n.com, or yourdomain-login.com. Within minutes, they request a free DV certificate from Let's Encrypt or another automated CA. The certificate is issued, logged in CT, and the attacker begins building their phishing page.

Hours later, emails start arriving in your customers' inboxes linking to the now-HTTPS phishing site. DMARC may eventually flag the spoofed sending domain, but the phishing site itself sits on a different domain entirely. Without CT monitoring, you only discover the lookalike when someone reports it or when a customer falls for it.

How SpoofSentry's CT monitor works

SpoofSentry polls crt.sh every 6 hours for certificates matching your monitored domains. The matching engine checks for exact matches, common typosquatting patterns (character substitution, insertion, deletion, transposition), and homoglyph attacks using visually similar Unicode characters.

Each match is scored for similarity and intent. A certificate for yourdomain-internal.com registered by your own IT team scores differently than one for yourdoma1n-secure.com registered by an unknown entity in a different jurisdiction. The system creates a CT alert with the certificate issuer, validity period, subject alternative names, and a similarity score.
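The matching and scoring described in the last two paragraphs, as an added example that is not SpoofSentry's code: it folds confusable characters, measures the four typosquat patterns (substitution, insertion, deletion, transposition) with an optimal-string-alignment edit distance, catches affix lookalikes such as acme-finance-secure.com, skips an allowlist of your own registrations, and turns crt.sh-shaped records into scored alerts carrying issuer, validity period and SANs. The confusable table, the score values, the crt.sh field names and the sample records are all assumptions or constructed data; the HTTP poll itself is left out so the script runs offline.

```python
"""Added example (not SpoofSentry's code): flag Certificate Transparency entries that
look like a monitored domain.  Records are constructed in the shape of crt.sh's JSON
output (field names assumed); the HTTP poll itself is omitted so this runs offline."""
import json
import unicodedata
from collections import namedtuple

# Hypothetical confusable table (digits, Cyrillic, dotless i -> the ASCII letter they
# imitate).  Both sides of a comparison are folded, so a real digit cannot false-match.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "\u0131": "i",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}
DIGRAPHS = {"rn": "m", "vv": "w"}  # two letters that read as one at small sizes

def normalize_label(label: str) -> str:
    """Fold a domain label to the ASCII string a reader's eye would see."""
    text = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in DIGRAPHS.items():
        text = text.replace(seq, repl)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)

def osa_distance(a: str, b: str) -> int:
    """Edit distance where substitution, insertion, deletion and adjacent transposition
    (the four typosquat patterns) each cost 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(san: str) -> str:
    """Strip wildcards, decode punycode (logs carry IDNs as xn-- labels) and keep the
    last two labels.  Assumes a one-label public suffix (acme.com, not acme.co.uk)."""
    name = san.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if "xn--" in name:
        try:
            name = name.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable punycode is still compared as-is
    return ".".join(name.split(".")[-2:])

def classify(candidate: str, monitored: str):
    """(pattern, score) for a registrable domain against one monitored domain."""
    if candidate == monitored:
        return "exact", 0.3  # your own name: what matters here is who issued it
    raw_cand, raw_mon = candidate.rsplit(".", 1)[0], monitored.rsplit(".", 1)[0]
    cand, mon = normalize_label(raw_cand), normalize_label(raw_mon)
    if cand == mon:  # same name under another TLD, or confusables swapped in
        return ("tld-swap" if raw_cand == raw_mon else "homoglyph"), 0.95
    if osa_distance(cand, mon) == 1:  # a single edit, kept tight to limit noise
        return "typo", 0.9
    if len(mon) >= 5 and mon in cand.replace("-", ""):
        return "affix", 0.8  # acme-finance-secure, acmefinance-login, ...
    return None, 0.0

# One alert per (certificate, lookalike domain); mirrors the fields the dashboard shows.
CTAlert = namedtuple("CTAlert",
                     "domain monitored pattern score issuer not_before not_after sans")

def scan_ct_records(records_json: str, monitored: list, allowlist=()) -> list:
    """crt.sh-style JSON -> alerts, highest score first; allowlisted domains are skipped."""
    alerts = []
    for rec in json.loads(records_json):
        sans = [s.strip() for s in rec["name_value"].split("\n") if s.strip()]
        for domain in sorted({registrable(s) for s in sans} - set(allowlist)):
            for mon in monitored:
                pattern, score = classify(domain, mon)
                if pattern:
                    alerts.append(CTAlert(domain, mon, pattern, score, rec["issuer_name"],
                                          rec["not_before"], rec["not_after"], sans))
    return sorted(alerts, key=lambda a: (-a.score, a.domain))

# Constructed sample entries, not real CT data.  The Unicode homoglyph name is encoded
# to punycode because that is how a log carries it.
LE = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE_RECORDS = json.dumps([
    {"issuer_name": LE, "name_value": "acme-finance-secure.com\nwww.acme-finance-secure.com",
     "not_before": "2026-04-18T02:14:00", "not_after": "2026-07-17T02:14:00"},
    {"issuer_name": "O=Example Corporate CA", "name_value": "acmefinance.com\n*.acmefinance.com",
     "not_before": "2026-01-10T00:00:00", "not_after": "2027-01-10T23:59:59"},
    {"issuer_name": LE, "name_value": "acmefniance.com",
     "not_before": "2026-04-17T21:00:00", "not_after": "2026-07-16T21:00:00"},
    {"issuer_name": LE, "name_value": "acmefin\u0430nce.com".encode("idna").decode("ascii"),
     "not_before": "2026-04-17T23:30:00", "not_after": "2026-07-16T23:30:00"},
    {"issuer_name": "O=Example Corporate CA", "name_value": "acmefinance-internal.com",
     "not_before": "2026-03-01T00:00:00", "not_after": "2027-03-01T00:00:00"},
])

if __name__ == "__main__":
    for a in scan_ct_records(SAMPLE_RECORDS, ["acmefinance.com"], {"acmefinance-internal.com"}):
        print(f"{a.score:.2f}  {a.pattern:<9} {a.domain:<26} {a.issuer}")
```

Run as a script it prints four alerts, highest score first; the allowlisted internal domain produces none. To use it against live data, fetch crt.sh's JSON for each monitored name (for example `https://crt.sh/?q=%25.acmefinance.com&output=json`) and pass the body to `scan_ct_records`. Two caveats a practitioner should keep in mind: the single-label-suffix assumption in `registrable` needs a public-suffix list for names under co.uk and similar, and the one-edit threshold in `classify` trades recall for a quiet queue, so widen it only for long labels where a two-edit typo is still clearly a lookalike.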

The workflow: alert, review, escalate

When a suspicious certificate appears, you see it in the CT Monitor dashboard. From the alert detail page, you can review the full certificate chain and determine whether the domain is legitimate (perhaps a partner or subsidiary) or malicious.

If the certificate is clearly malicious, a single click escalates it into a takedown request. SpoofSentry's takedown system files abuse reports with the domain registrar, hosting provider, and certificate authority simultaneously. A recheck worker re-verifies the target every few hours and automatically closes the takedown when the threat is confirmed removed.

Real-world scenario

Consider a financial services company monitoring acmefinance.com. At 2:14 AM, a certificate is issued for acme-finance-secure.com. SpoofSentry's next CT poll at 6:00 AM picks up the certificate and creates a high-severity alert. The security team reviews it at 8:30 AM, confirms it is not an internal registration, and escalates to takedown. By 10:00 AM, abuse reports are filed with the registrar and the CA. The attacker never sends a single phishing email, because the domain is suspended before the page is finished.

Without CT monitoring, this domain would have been discovered days or weeks later, likely after successful phishing attempts.

Get ahead of the attack chain

Certificate Transparency monitoring is available on SpoofSentry Pro and Enterprise plans. It activates automatically for all monitored domains with no additional configuration required.
