Mailqor typosquat detection
Published December 3, 2025 · 3 min read

Mailqor playbook for spotting typosquatted domains

Attackers love swapping one character in a brand name to bypass quick visual checks. Mailqor combines WHOIS age, registrant clues, and a verified domain base to expose those lookalike domains directly in Gmail or Outlook.

1. Compare the badge domain with the UI display

  • Mailqor extracts the actual RFC 5322 sender, not just the display name.
  • When you click the Risk badge, double-check the domain: paypa1-secure.com stands out immediately against paypal.com.
  • Keep an eye on subtle swaps: rn vs m, 0 vs o, country TLD instead of .com.

2. Use WHOIS freshness as your first red flag

  • Typosquats are typically registered days or weeks before the phishing run.
  • Mailqor highlights domain age thresholds (7 days, 30 days, 90 days) and flags privacy-protected registrants.
  • A legitimate enterprise rarely rotates domains that fast.

3. Confirm against Mailqor’s verified domain list

  • Mailqor stores thousands of legitimate domains per sector.
  • The badge tells you if the sender matches the verified list or lands in the “unknown” bucket.
  • If the legitimate domain is on the verified list but the current sender's domain is not, escalate immediately.

4. Inspect DNS and infrastructure hints

  • Mailqor correlates DNS/hosting fingerprints and displays warnings when a domain shares infrastructure with known phishing clusters.
  • Sudden nameserver changes or mismatched MX hosts appear in the badge notes.

5. Escalate through AI for content verification

  • Launch the AI badge to analyze links: shortened URLs, Safe Links rewrites, or redirects to unrelated hosts are highlighted.
  • Ask the AI whether the CTA URL is consistent with the sender’s brand domain.

6. Document the impostor inside your trusted sender list

  • When you identify a typosquat, add a note to the legitimate sender entry describing the variation.
  • Example note: “Attackers copy invoices from acme-payments.com; reject anything from acmepayments-support.com.”
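
Steps 1 to 3 above can be reproduced outside the badge for triage or testing. The following is an added example, not Mailqor's code: the verified list, the function names, and the sample senders and registration dates are constructed, and the WHOIS creation date is passed in rather than looked up.

```python
from datetime import date
from email.utils import parseaddr

# Constructed stand-in for a verified-domain list (not Mailqor data).
VERIFIED = {"paypal.com", "acme-payments.com", "modernbank.com"}
# Swaps named on the page (rn/m, 0/o) plus 1/l from the paypa1 example.
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"))
AGE_THRESHOLDS = (7, 30, 90)  # days, as listed in step 2


def sender_domain(from_header):
    """Domain of the RFC 5322 address; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def skeleton(domain):
    """Drop the last label and separators, then fold confusable sequences."""
    # Simplification: a production check would split on the Public Suffix List.
    name = domain.rpartition(".")[0] or domain
    name = name.replace("-", "").replace(".", "")
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def classify(from_header, registered, today):
    """Return status, imitated brand and age bucket for one sender."""
    domain = sender_domain(from_header)
    age = (today - registered).days
    bucket = next((f"<{t}d" for t in AGE_THRESHOLDS if age < t), "90d+")
    if any(domain == v or domain.endswith("." + v) for v in VERIFIED):
        return {"domain": domain, "status": "verified", "imitates": None, "age": bucket}
    # Substring match also catches brand-plus-suffix names; expect some
    # false positives for very short brand names.
    sk = skeleton(domain)
    imitates = next((v for v in sorted(VERIFIED) if skeleton(v) in sk), None)
    status = "lookalike" if imitates else "unknown"
    return {"domain": domain, "status": status, "imitates": imitates, "age": bucket}


if __name__ == "__main__":
    today = date(2025, 12, 3)  # constructed sample inputs
    for hdr, reg in [('"PayPal Billing" <service@paypa1-secure.com>', date(2025, 11, 28)),
                     ("accounts@modembank.com", date(2025, 11, 10)),
                     ("finance@acme-payments.com", date(2019, 5, 1))]:
        print(classify(hdr, reg, today))
```

The verified list is folded through the same skeleton as the sender, so a legitimate name that itself contains "rn" or "0" still compares correctly against its imitation.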

FAQ

Does Mailqor block the email automatically?
No, it surfaces the signals so your team can report or archive it.

Can we export typosquat findings?
Use the dashboard history export (CSV) to share suspicious domains with security teams.

Are WHOIS details always available?
Mailqor caches available WHOIS data; if a registry hides it, the badge highlights the privacy block as another risk factor.

Mail checks

What Mailqor shows the moment you open an email.

  • finance@trusted.com, “Monthly invoice approved”: Verified. Mailqor confirms the domain. Proceed with your standard workflow.
  • support@newvendor.io, “First note received”: Not checked. Analysis pending; add this vendor to your watchlist.
  • billing@urgent-update.com, “Immediate bank change request”: Suspicious. Call before making any payment changes.
