Most phishing detection happens too late — after a user clicks, after a credential is stolen, after someone in finance wires money to the wrong account. By that point, the damage is done and the response is cleanup, not prevention.
The frustrating part is that the infrastructure for most phishing attacks is visible before the first victim clicks anything. Attackers have to get a TLS certificate for their lookalike domain. Getting that certificate creates a public, permanent record. If you know where to look and set up alerts, you can often detect a phishing site targeting your brand within minutes of it going live.
How phishing infrastructure gets set up
A typical phishing campaign targeting an organisation follows a predictable sequence:
- The attacker registers a lookalike domain — something like mycompany-secure.com, mycompany.net, or a typosquatted variant with a transposed character.
- They deploy a web server and copy the target organisation's login page or brand assets.
- They obtain a TLS certificate — most commonly a free Let's Encrypt certificate — so the site shows a padlock and appears legitimate to users.
- They run the phishing campaign via email, SMS, or social media.
Steps 1 through 3 happen quickly. Domain registration takes minutes. Let's Encrypt certificates are issued in seconds. The phishing site can be operational and serving users within an hour of the attacker starting work.
Step 3 is the one that creates a public record you can monitor.
Why certificate issuance is a reliable signal
Since 2018, all publicly trusted TLS certificates must be logged in Certificate Transparency (CT) logs before browsers will accept them. This means that the moment Let's Encrypt — or any other CA — issues a certificate for mycompany-secure.com, that certificate is written to a public, append-only log that anyone can query.
CT log aggregation services like crt.sh index these logs in near real-time. A new certificate typically appears in search results within a few minutes of issuance.
This is the window you have to act. If you are monitoring CT logs for certificates that contain your brand name, your domain, or common phishing variants, you can be alerted to new phishing infrastructure before the campaign launches — or at minimum within minutes of the first phishing email going out.
What to look for in CT logs
When monitoring CT logs for phishing infrastructure, the most useful patterns to watch for are:
- Your brand name in unfamiliar domains — certificates for domains like brand-login.com, brand-support.net, or brand-secure.io that you did not issue.
- Typosquatted variants — single character substitutions (cornpany for company), homoglyph attacks (Cyrillic characters that look like Latin ones), or transpositions (compnay).
- Unexpected subdomains on your own domains — if a certificate is issued for login.yourdomain.com by a CA you do not use, something is wrong.
- Wildcard certificates on lookalike domains — attackers sometimes obtain wildcard certificates (*.mycompany-portal.com) to cover all their phishing subpages with a single certificate.
Not every match will be malicious. Monitoring will surface legitimate third-party services, CDN providers, and other organisations with similar names. The goal is to bring new issuances to human attention quickly enough to investigate and respond, not to automate takedowns blindly.
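As an added example (not code from the original post or from CertControl), here is a small Python triage filter that applies the four patterns above to records in the JSON shape crt.sh returns and produces a review list for an analyst rather than an automated action. The brand, owned domains, expected CA, confusable pairs and the sample records are all assumed or constructed for illustration.

```python
import json
import re
from functools import reduce

BRAND = "mycompany"               # assumed brand label to watch for
OWN_DOMAINS = {"mycompany.com"}   # assumed domains the organisation really owns
EXPECTED_CAS = {"DigiCert Inc"}   # assumed CA(s) the organisation uses for OWN_DOMAINS
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # visual look-alike pairs folded before comparing
# Constructed sample in the shape crt.sh returns for ?output=json (not real log entries).
LE = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": LE, "name_value": "mycompany-secure.com\nwww.mycompany-secure.com"},
    {"issuer_name": LE, "name_value": "login.mycompany.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "www.mycompany.com"},
    {"issuer_name": LE, "name_value": "mycornpany.com"},
    {"issuer_name": LE, "name_value": "*.mycompany-portal.com"},
    {"issuer_name": LE, "name_value": "mycomp\u0430ny.com"},  # Cyrillic a (U+0430) in place of Latin a
    {"issuer_name": LE, "name_value": "unrelated-shop.com"},
])

def edit_distance(a, b):
    """Damerau-Levenshtein (OSA): substitution, insertion, deletion or adjacent swap each cost one edit."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(record):
    """Return (name, finding) pairs for every SAN in one crt.sh record that deserves analyst review."""
    ca = re.search(r"O=([^,]+)", record["issuer_name"]).group(1)
    findings = []
    for name in record["name_value"].split("\n"):          # crt.sh joins SANs with newlines
        apex = ".".join(name.split(".")[-2:])               # assumes a one-label public suffix (.com, .net)
        label = reduce(lambda s, kv: s.replace(*kv), CONFUSABLES.items(), apex.split(".")[0])
        if apex in OWN_DOMAINS:                             # our own domain: only an unexpected CA matters
            if ca not in EXPECTED_CAS:
                findings.append((name, f"unexpected issuer {ca} on own domain"))
        elif any(ord(c) > 127 for c in label):
            findings.append((name, "homoglyph in lookalike label"))
        elif edit_distance(label, BRAND) <= 1:
            findings.append((name, "typosquat of brand"))
        elif BRAND in label:
            findings.append((name, "wildcard on lookalike domain" if name.startswith("*.") else "brand in unfamiliar domain"))
    return findings

def review_queue(crtsh_json):   # flatten one crt.sh JSON payload into the list an analyst should triage
    return [finding for record in json.loads(crtsh_json) for finding in classify(record)]
```

Everything the filter returns is a candidate for human verification; the DigiCert certificate on www.mycompany.com and the unrelated domain produce no finding, which is the false-positive reduction the paragraph above asks for.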
What to do when you find a phishing certificate
When you identify a certificate that suggests active phishing infrastructure targeting your brand, the response typically involves a few parallel tracks:
Verify the threat. Check whether the domain is resolving, whether the site is active, and whether it is impersonating your brand. Screenshot the content and note the hosting provider and registrar.
Report to the CA. All major Certificate Authorities have a mechanism for reporting certificate misuse. Let's Encrypt, DigiCert, and others can revoke certificates issued to phishing sites. Revocation will not instantly stop the attack — browsers have varying OCSP/CRL checking behaviour — but it removes the trust indicator and may disrupt automated campaign tooling.
Report to the hosting provider and registrar. Most providers have abuse reporting processes. Registrars can suspend domain delegation. This is often the fastest way to take a phishing site offline.
Alert your users. If a campaign appears to be active, notify affected user groups through internal channels. Do not wait for confirmed victims before issuing a warning.
Document for legal action. Certificate logs, WHOIS records, and screenshot evidence create the paper trail needed for domain seizure requests or legal action against repeat offenders.
The gap between knowing and acting
The challenge with manual CT log monitoring is the volume. Thousands of certificates are issued every minute across the public internet. Manually searching crt.sh on a regular basis is not a realistic defence at any scale. What makes this practical is automated monitoring with alerting — a system that continuously watches CT logs for your defined patterns and notifies you when something matches.
This is a meaningful difference. A team that manually checks once a week will often find phishing infrastructure after the campaign has already run. A team with automated monitoring can be notified within minutes and begin investigation while the infrastructure is still being set up.
How CertControl monitors for this
CertControl's CT monitoring feature watches Certificate Transparency logs continuously for new certificates matching your monitored domains. When a new certificate is issued for a domain you are tracking — or for a pattern you have configured — the platform surfaces it immediately with the full certificate details: issuing CA, SANs, validity period, and the domain it was issued for.
This covers both the defensive case (monitoring your own domains for unauthorised issuances) and the brand protection case (watching for lookalike domains that suggest phishing preparation). The same infrastructure that gives you visibility into your certificate inventory gives you an early warning system for attacks against your brand.
Combined with CertControl's external attack surface scanner — which actively resolves and inspects domains found in CT logs — the platform can tell you not just that a certificate exists, but whether the site is live, what it is serving, and what TLS configuration it is using.