Autopatrol is our automated security monitoring tool, built to monitor online assets and company brands for potential threats. In this post, I’ll focus mostly on its phishing detection capabilities, but it has a ton of other use cases as well.
As its name suggests, Autopatrol monitors different data and intel sources and looks for predefined indicators, such as brand names, domains, IP ranges, and TLS certificate properties. If it finds something suspicious, it will run automated checks against the artifact and raise an incident that a human analyst can efficiently triage.
What is it?
In January 2025, I noticed a significant spike in phishing sites targeting Finnish brands. I was already using Autopatrol to monitor my own domains and IP ranges for new assets and certificate activity, but this was a good chance to see how it would perform in a real-world scenario with a high likelihood of actual threats.
I started by adding some major Finnish brand names to Autopatrol’s watchlist and enabling only passive monitoring. Passive monitoring means that Autopatrol would observe the assets without actively probing them. When creating a new asset in Autopatrol, you define a few key details: a name (e.g., “Acme Corp”), a watchlist for grouping and listing specific rules (e.g., “FI-Phishing-Finance”), and a set of indicators, such as brand names, domains, or IP ranges. Each asset can have multiple indicators of any type. You also list the company’s known domains and IP ranges, which Autopatrol will use to build a baseline by analyzing TLS certificates, subdomains, registrars, ASNs, geolocations, and other related metadata tied to those assets. This baseline, called Business Context (BCX), is used to identify anomalies in the monitored assets.
Real life examples
So far, there have been quite a few detections, but I want to highlight a few of them and explain how Autopatrol detected them and handled the incidents.
The incidents are anonymized, and some details have been changed to protect the companies’ identities. Any similarities to real companies are purely coincidental. The incidents are also presented in simplified form, as the actual incident reports contain many more details and indicators.
Example 1: Financial phishing
In this example, Autopatrol detected a phishing site impersonating a Finnish bank, which we will refer to as Acme Corp. The alert was triggered by a newly issued TLS certificate for the domain acmecorp[.]rocks, which matched the bank’s name. Autopatrol detected the new certificate within seconds, and in this case the domain had been registered just 5 minutes earlier. Ten minutes after the detection, I had triaged the incident and passed it on to the bank’s security team. The phishing page was taken down a few hours after that. All in all, it took roughly 2.5 hours from registration to takedown. But now, let’s go through the incident report and the indicators that Autopatrol used to detect the phishing site.
Autopatrol has observed a previously unseen artifact in watchlist 'FI-Phishing-Finance'.
Domain: acmecorp[.]rocks
Observed: 2025-04-21T18:15:44.512Z
Watchlist: FI-Phishing-Finance - Acme Corp
Report ID: wrTCtMK4wrHCssK5wrbCs8K2
Indicators:
[***] Analysis: Indicator match: Phishing-C
[**] Unusual business TLD: rocks
[**] BCX: Unusual registration time (Europe/Helsinki): Sunday, evening
[*] Newly registered domain: 2025-04-21T18:12:33Z
[*] BCX: Domain contains brand name: acmecorp
[*] BCX: Unusual registrar: GoDaddy.com, LLC
Autopatrol checks for certain default indicators whenever it detects a new domain. In this case, two stood out immediately:
- Unusual business TLD: No legitimate bank is using a .rocks domain, and this alone was a strong red flag.
- Newly registered domain: The domain had been registered only minutes earlier, another clear signal.
Beyond these, Autopatrol also uses business context indicators by comparing the new domain against the asset’s baseline. Here’s what stood out:
- Unusual registration time: The domain was registered on a Sunday evening, which didn’t align with the company’s typical pattern. Most of their domains were registered during weekday business hours (8–16).
- Unusual registrar: The company had never used GoDaddy before. This was out of character and flagged as suspicious.
With multiple indicators hitting, Autopatrol triggered an urlcheck scan; urlcheck is our internal website scanning tool for suspicious domains. In this case, urlcheck flagged the site with the “Phishing-C” ruleset, which targets Finnish banking ID phishing. Interestingly, our system flagged it as phishing, while Google Safe Browsing didn’t detect anything.
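To make the indicator logic above concrete, here is an added example (my own illustration for this post, not Autopatrol’s code) of how the default indicators and the BCX indicators can be derived from a single new-domain observation and a per-asset baseline. The BusinessContext fields, the severity weights, the short list of “unusual” TLDs, the 30-day window for “newly registered”, the summed-severity scan threshold and all sample values are assumptions; the baseline registrar name is a placeholder, and the sample registration time is constructed to fall on a Sunday evening in Helsinki.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

SEVERITY_STARS = {3: "[***]", 2: "[**]", 1: "[*]"}   # same notation as the incident reports
NEW_DOMAIN_WINDOW = timedelta(days=30)                # assumption: "newly registered" cut-off
UNUSUAL_BUSINESS_TLDS = {"rocks", "xyz", "top", "icu", "click"}   # assumption: short demo list
SCAN_THRESHOLD = 3                                    # assumption: summed severity that triggers a scan


@dataclass
class BusinessContext:
    """Per-asset baseline (the post's 'BCX'). Every value used below is constructed."""
    brand_names: set
    known_domains: set
    known_registrars: set
    business_tz: str = "Europe/Helsinki"
    business_hours: tuple = (8, 16)   # weekday registrations normally fall in 08-16 local time


@dataclass
class DomainObservation:
    domain: str
    registered: datetime   # UTC registration timestamp (would come from WHOIS/RDAP)
    observed: datetime     # UTC time the certificate was first seen
    registrar: str


def local_time(ts: datetime, tz_name: str) -> datetime:
    """Convert a UTC timestamp to the asset's business time zone."""
    try:
        return ts.astimezone(ZoneInfo(tz_name))
    except ZoneInfoNotFoundError:
        # Demo simplification when no tz database is installed: fixed UTC+3 (Helsinki summer time).
        return ts.astimezone(timezone(timedelta(hours=3)))


def day_period(hour: int) -> str:
    if hour < 6:
        return "night"
    if hour < 12:
        return "morning"
    if hour < 17:
        return "afternoon"
    return "evening"


def evaluate(obs: DomainObservation, bcx: BusinessContext) -> list:
    """Return (severity, label) indicators for one observation, most severe first."""
    labels = obs.domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"expected a registrable domain, got {obs.domain!r}")
    tld = labels[-1]
    registered_name = ".".join(labels[-2:])
    found = []

    # Default indicators: apply to any newly seen domain, no baseline needed.
    if tld in UNUSUAL_BUSINESS_TLDS:
        found.append((2, f"Unusual business TLD: {tld}"))
    if obs.observed - obs.registered < NEW_DOMAIN_WINDOW:
        found.append((1, f"Newly registered domain: {obs.registered:%Y-%m-%dT%H:%M:%SZ}"))

    # BCX indicators: compare the observation with the asset's own baseline.
    local = local_time(obs.registered, bcx.business_tz)
    start, end = bcx.business_hours
    if local.weekday() >= 5 or not (start <= local.hour < end):
        found.append((2, f"BCX: Unusual registration time ({bcx.business_tz}): "
                         f"{local:%A}, {day_period(local.hour)}"))
    if registered_name not in bcx.known_domains:
        for brand in sorted(bcx.brand_names):
            if brand in labels[-2]:   # brand embedded in the registered label, e.g. acmecorp.rocks
                found.append((1, f"BCX: Domain contains brand name: {brand}"))
    if obs.registrar not in bcx.known_registrars:
        found.append((1, f"BCX: Unusual registrar: {obs.registrar}"))

    found.sort(key=lambda item: -item[0])   # stable: keeps check order within one severity
    return found


def should_scan(found: list) -> bool:
    """Assumed escalation rule: enough weight across indicators triggers an active urlcheck scan."""
    return sum(sev for sev, _ in found) >= SCAN_THRESHOLD


def render(found: list) -> str:
    return "\n".join(f"{SEVERITY_STARS[sev]} {label}" for sev, label in found)


# Constructed baseline and observation for the walk-through.
ACME_BCX = BusinessContext(
    brand_names={"acmecorp"},
    known_domains={"acmecorp.fi"},
    known_registrars={"ExampleRegistrar (placeholder)"},
)
SUSPECT = DomainObservation(
    domain="acmecorp.rocks",
    registered=datetime(2025, 4, 20, 18, 12, 33, tzinfo=timezone.utc),   # Sunday 21:12 in Helsinki
    observed=datetime(2025, 4, 20, 18, 15, 44, tzinfo=timezone.utc),
    registrar="GoDaddy.com, LLC",
)

if __name__ == "__main__":
    result = evaluate(SUSPECT, ACME_BCX)
    print(render(result))
    print("trigger urlcheck scan:", should_scan(result))
```

The two indicator families stay separate on purpose: the default checks fire on any domain, while the BCX checks only mean something relative to this asset’s baseline, so a registrar or a Sunday-evening registration that is normal for one company can still be an anomaly for another.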
Example 2: Subdomain takeover
This is another really cool case that shows how Autopatrol can detect previously forgotten assets. A Finnish logistics company, Northwind Traders, had a new TLS certificate issued for their subdomain open-beta[.]northwind[.]fi, which was flagged as malicious. At first, I thought this was a false positive, since northwind[.]fi is a legitimate domain, but it quickly turned out to be malicious. Here is the incident report:
Autopatrol has observed a previously unseen artifact in watchlist 'FI-Phishing-General'.
Domain: open-beta[.]northwind[.]fi
Observed: 2025-04-10T23:37:44.102Z
Watchlist: FI-Phishing-General - Northwind Traders
Report ID: wrTCscK0wrbCscK3wrTCsMKxwrY
Indicators:
[***] Analysis: Malicious website
[**] BCX: Unusual IP geolocation: Singapore
DNS record:
open-beta.northwind.fi. 600 IN CNAME mongodbproxybeta.azurewebsites.net.
The company operates only in Finland, and all its other web servers are based in the EU. Yet this domain pointed to a server in Singapore. Also, seeing that urlcheck flagged the site as malicious was odd and unexpected.
Seeing that the DNS record was a CNAME pointing to an Azure site, I started to suspect a possible subdomain takeover [1]. I opened the urlcheck report and was surprised again, as there was no phishing content to be seen. Instead, there was a random football gambling site completely unrelated to the company.
I decided to dig deeper into the subdomain’s history. Passive DNS data [2] showed that the subdomain was first seen in 2020, and Archive.org confirmed that the company was still using it as recently as late 2024. So, it hadn’t been abandoned for long.
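The two signals in this incident, a CNAME into a third-party hosting platform and a geolocation outside the asset’s baseline, are easy to check automatically over your own zone data. The following is an added example (my own illustration, not Autopatrol’s code) that parses a zone-file style record, flags CNAME targets on claimable hosting suffixes, flags resolving names whose geolocation is outside the baseline, and separately reports a dangling target that no longer resolves. The list of hosting suffixes, the EU baseline set and the stub geolocation/resolver tables are constructed assumptions; the second record (old-demo) is invented to show the dangling case, which the real incident did not exhibit because the target had already been re-claimed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Hosting platforms whose CNAME targets can be registered by a new tenant once the
# original resource is deleted. Assumed list for this example only.
THIRD_PARTY_HOSTING = (
    "azurewebsites.net", "cloudapp.azure.com", "trafficmanager.net",
    "github.io", "herokuapp.com",
)

# Zone-file style resource record: <name> <ttl> IN <type> <data>
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<data>\S+)$")


@dataclass
class Finding:
    severity: int   # 3 = [***], 2 = [**], 1 = [*], matching the incident reports
    label: str


def parse_rr(line: str) -> dict:
    match = RR_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised resource record: {line!r}")
    rec = match.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["data"] = rec["data"].rstrip(".").lower()
    return rec


def hosting_suffix(target: str) -> Optional[str]:
    """Return the third-party hosting suffix the CNAME target lands on, if any."""
    for suffix in THIRD_PARTY_HOSTING:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def check_record(line: str, baseline_countries: set,
                 geolocate: Callable[[str], Optional[str]],
                 resolves: Callable[[str], bool]) -> list:
    """Evaluate one record against the asset's baseline and return Findings.

    geolocate(name) -> ISO country code of the name's current address, or None if it has none.
    resolves(target) -> True if the CNAME target still resolves.
    Both are injected so the check can run offline in this example.
    """
    rec = parse_rr(line)
    findings = []

    # BCX check: where does this name actually resolve, compared with the asset's usual regions?
    country = geolocate(rec["name"])
    if country is not None and country not in baseline_countries:
        findings.append(Finding(2, f"BCX: Unusual IP geolocation: {country}"))

    # CNAME-specific checks: third-party hosting, and whether the target still exists.
    if rec["rtype"] == "CNAME":
        suffix = hosting_suffix(rec["data"])
        if suffix:
            findings.append(Finding(1, f"CNAME target on third-party hosting: {suffix}"))
            if not resolves(rec["data"]):
                findings.append(Finding(3, f"Dangling CNAME: {rec['data']} does not resolve"))
    return findings


# Constructed stand-ins for GeoIP and DNS lookups so the example runs offline.
DEMO_GEO = {"open-beta.northwind.fi": "SG", "www.northwind.fi": "FI"}
DEMO_RESOLVES = {"mongodbproxybeta.azurewebsites.net": True}
BASELINE_EU = {"FI", "SE", "DE", "NL", "IE"}   # constructed baseline for the asset


def demo_geolocate(name: str) -> Optional[str]:
    return DEMO_GEO.get(name)


def demo_resolves(target: str) -> bool:
    return DEMO_RESOLVES.get(target, False)


SAMPLE_RECORDS = (
    "open-beta.northwind.fi. 600 IN CNAME mongodbproxybeta.azurewebsites.net.",  # from the post
    "old-demo.northwind.fi. 600 IN CNAME old-demo.azurewebsites.net.",          # constructed
    "www.northwind.fi. 300 IN A 192.0.2.10",                                     # constructed
)

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        for f in check_record(record, BASELINE_EU, demo_geolocate, demo_resolves):
            print(f"{'*' * f.severity:>3} {record.split()[0]}  {f.label}")
```

Note the difference between the two CNAME cases: a target that has already been re-claimed still resolves, so a plain dangling-CNAME check is silent and only the geolocation baseline catches it, whereas a target that has been deleted but not yet re-claimed shows up as dangling and can be cleaned from the zone before anyone else registers it.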
I contacted the company’s security team and shared my findings as usual. They confirmed the issue and said they had no idea how the domain pointed to a gambling site. They admitted it should’ve been taken down long ago and claimed they had monitoring for incidents like this. At that point, I couldn’t help but think it might be worth checking if that monitoring is doing anything. In the end, the company didn’t seem too bothered—they never took the subdomain down, and it’s still pointing to the gambling site.