
Stopping Domain Impersonation with AI
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome back to the "Microsoft Threat Intelligence Podcast." I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft. Today we're diving in to one of the most insidious threats shaping our world, domain impersonation and typosquatting. Think about it. You've seen it. A single domain, just one letter off. Tricks people into handing over their credentials, wiring money, or just trusting the wrong thing. These are not small-time scams. They trigger major breaches, data theft, and big damage. That ripples across industries, and threat actors know it. We've seen an increase in these attacks, with adversaries leaning hard into the art of online deception. But here's a twist, we aren't standing still. Defenders are working on this. Microsoft recently launched a new AI-powered fraud protection model designed to detect and stop these impersonation attacks in real-time. We've got global threat intelligence, heuristics, and cutting edge artificial intelligence, and some real intelligence too, all coming together to shift the balance back toward defenders. Joining me to unpack all of this is someone who lives at the very center of this fight and is an old friend of the "Microsoft Threat Intelligence Podcast," Kelly Bissell, corporate vice president at Microsoft. Kelly, welcome to the podcast.
Kelly Bissell: Sure, and thanks for having me back again.
Sherrod DeGrippo: Kelly has spent over 30 years in cybersecurity. You've led teams that stopped billions in fraud. You've advised governments across NATO, Five Eyes. You've shaped organizations worldwide, how they defend against crime and all kinds of threat actors. Let's talk about how AI is changing the game in fraud, how defenders can stay one step ahead, and why we've seen this surge in domain impersonation and typosquatting, because you're tracking those numbers.
Kelly Bissell: Right. Okay, so you're absolutely right. It's been around of this problem for a long time, but let me give you a couple of stats that might help. Last year we found over 91,000 root domains with impersonation attacks. Okay, so that's a year ago. Only in March alone, according to Cyber Security News, just in March, 26,000-plus domains impersonating companies and government services. Now -
Sherrod DeGrippo: So that's 5000 more? That's a big increase.
Kelly Bissell: Well, that's just in one month.
Sherrod DeGrippo: Oh my gosh.
Kelly Bissell: The other number was a year ago.
Sherrod DeGrippo: Oh my gosh.
Kelly Bissell: And so the question is, how and why? And I think there's so much change going on in the marketplace, that's the why, but the how is, attackers are using AI and bots and other things to create these impersonated domains.
Sherrod DeGrippo: So you mentioned bots. Let me ask you, are you familiar with this dead internet theory?
Kelly Bissell: [Laughter], tell me more.
Sherrod DeGrippo: [Laughter], so the theory sort of goes that the majority of interactions that you see online are actually some kind of bot or automated script, and you're reading social media, and you, you know, think it's a stay-at-home dad in Youngstown, Ohio, and it's actually just AI-generated social media content. What do you think about that when you see stuff like bots and AI?
Kelly Bissell: Well, we see, like, 500 million bots just on one targeted area. So I do believe that bots play a big part in the internet today.
Sherrod DeGrippo: And the production of content, right? Like, they're producing and publishing posts, and comments, and all of these things, so you never really know if the social media personality that is posting something that you're interacting with is actually a person.
Kelly Bissell: That's right. You don't know. And that's why this impersonation is such a big problem for us.
Sherrod DeGrippo: So, what do you think is the uniqueness that threat actors are seeing? Like, why do they like this tactic so much? I assume it's easy and cheap.
Kelly Bissell: Well, it's easy, it's cheap, and it's more tailored than ever. Because in the old days, you know, you would have something generic, but it wasn't applied. It wasn't specific to that individual. But now, using AI and other tools, they - like, gleaning from social media and other things, they can actually tailor a phishing attack or other thing directly to that one individual at scale. So now they can do this.
Sherrod DeGrippo: Are you saying that threat actors are registering domains, like, to specifically target one person or a small group of people?
Kelly Bissell: Maybe not domains, but they're definitely tailoring the message to that one person.
Sherrod DeGrippo: Okay, the message. And so, at that point, it starts into, I assume, a sort of social engineering attack chain, where there's fake webpages? How does that work?
Kelly Bissell: That's right. Webpages that look like a legitimate site, right, so that we trick the user to be able to trust that domain. But remember, the domain is just one part of a bigger story for the threat actor. Because now they create emails for that fake domain or other things.
Sherrod DeGrippo: So it almost creates, like the pedigree or the foundation where they can launch the rest of the attack. It's sort of that anchor.
Kelly Bissell: Right, they're trying to anchor trust.
Sherrod DeGrippo: So tell me, from Microsoft's point of view, we have a significant amount of visibility. We pull these numbers out all the time. 84 trillion security signals a day, 1.5 billion endpoints, at least 300 cheeseburgers.
Kelly Bissell: Yep.
Sherrod DeGrippo: 2700 chicken nuggets, whatever it takes, but how does that visibility help us identify, track the domains, scale this work that you're doing?
Kelly Bissell: Alright, now this is what I'm super duper excited about, because we used real AI, and if I could nerd out just for a second, we adopted this thing called a Siamese neural network.
Sherrod DeGrippo: Whoa.
Kelly Bissell: And what it does is basically compare identical sub networks to process inputs and measure similarity, and that's basically how we compare a legitimate domain from an impersonation.
Sherrod DeGrippo: I want to get back to that, but I want to let our listeners know.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: Kelly Bissell is a corporate vice president at Microsoft, and I am not joking, many, many corporate vice presidents at Microsoft are this nerdy. Like, this is not - like, they're all kind of like this, with the nerd stuff, which I also love, but that's something you should know about Microsoft. All the way up it's a bunch of nerds. So, tell me about the Siamese neural network. What is that about?
Kelly Bissell: Alright. Before that, since you talked about Microsoft, can I just tell you, my very first call with Satya ever.
Sherrod DeGrippo: Okay, yes. Satya story. Satya story time.
Kelly Bissell: I thought we were going to talk about strategy, and dynamics of markets, and so forth. No, he got into the guts of, [laughter], authentication and authorization within a cloud environment. I was blown away.
Sherrod DeGrippo: He's an IAM nerd, apparently.
Kelly Bissell: Yes, [laughter].
Sherrod DeGrippo: Genuinely, that's one of the things that I really love about working at Microsoft, is that you can go way up, and you run into people who really have very passionate, deep feelings about Base64. I mean, it's all over the place, but we're really lucky at Microsoft, because we have people like you, who are in those big leadership roles, that truly are nerds who want to talk about their AI models.
Kelly Bissell: We love nerds. That's why, like, I love working with you, because we tackle problems together, and we nerd out and solve the world's problems, so -
Sherrod DeGrippo: Yeah, it - so it, like - so you've got the visibility of Microsoft, which is huge.
Kelly Bissell: Yeah, yeah.
Sherrod DeGrippo: And how did you leverage that to get to a place where you're able to find these domains?
Kelly Bissell: Okay. So here's what we did. We took that model that's been out for about, maybe a year or two, and we said, okay, how do we apply this capability to Microsoft? So whenever anyone signs up at Microsoft and creates a new domain, a subdomain, or we get domains from registrars. How do we compare those to determine fraudulent domains? That's our mission. And we've been live for a month, and let me just tell you, we -
Sherrod DeGrippo: Okay.
Kelly Bissell: Yeah, let me tell you, we reviewed 259,000 domains, we blocked 1700, and only 1 had to be rechecked.
Sherrod DeGrippo: And do you have a human recheck that?
Kelly Bissell: We had a human recheck that one, just to confirm. And so our false positive rate is incredible, and our detection rate is real-time, not some batch process afterwards. And why I'm super excited about this is, we can stop the impersonations coming on to Microsoft, but we won't stop there. How do we share that with our peers and others so we can stop it at the registrar domain side and other areas, so we can be more systematic or holistic in our approach to protecting the network?
Sherrod DeGrippo: This is very much like, as many of you may know, if you listen to the podcast, I have the heart of a detection engineer, because I spent so much of my career crying at night.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: But this sounds very much like dynamic, real-time detection engineering in a non-static, nonbinary way, where you're able to examine exactly what that domain is, and then how do you decide if it's a typosquatting domain, some kind of impersonation? What are the, like, hallmarks of that?
Kelly Bissell: Ah, yeah. So, okay, so not only do we - do we look at the text, which is what everybody would think about in comparing text A versus text B to find those spelling issues or the homoglyph problems. We don't stop there. We look at the behavior of that domain, the ownership of that domain, when it was created, and many, many other factors to determine, is this a true, legitimate domain or is it not?
Sherrod DeGrippo: And when you say you look at the ownership, do you mean you're actually pulling the registrar information to see if there's a commonality amongst, oh, when it's this registrar information, it's generally bad stuff. When it's this registrar information, it's generally unknown or good?
Kelly Bissell: Yeah, we look at all kinds of data within that registrar, as well as the corporate ownership. Like, who - if they're saying that here are the corporate owners of this company, how do we look at that.
Sherrod DeGrippo: And I know - correct me if I'm wrong, I think, recently for 2025, or coming up in 2026, the Error Rules now require that the owner of the domain is the corporate organization org ID, not an individual anymore. So they've done some changes there to, I think, probably secure domains better, I would imagine.
Kelly Bissell: I mean, I think this is an important change, where it used to be, there were no controls around the domain admin. And so, anybody could put any email or any name there. But what I want to do is ensure that matches with a corporate domain, [laughter], and the ownership of that domain all the way through, so it can determine what's real and what's not.
Sherrod DeGrippo: It's so interesting because I think another thing that's very common with detection engineering is, we are working off a very legacy culture of the internet, right? Like, domain registration, if you've never registered your own domain, just go do it right now. It's like $10. You can go get one. Just, you know, search up domain registration cheapos, go get a cheapie. And it really still is a kind of wild west tech out there, in terms of domain registration, right? Are you sort of - when you go into that world and you start pulling who has records, and looking at digs at the root servers and stuff like that, are you feeling like, wow, this is a technology of a time gone by, in a way?
Kelly Bissell: Well, I think what you said before was right. It was the wild, wild west for so long, and now we're applying good rigor and controls across the marketplace, not only at Microsoft but through the ecosystem of how you create something and use it. And so, we're actually finally maturing in this market, and the defenders, the good guys, are actually using AI to their advantage. And I think this is where we can truly get ahead of the game, finally.
Sherrod DeGrippo: So if you're a defender at an organization, what are some things that you would say are, like, an indicator of an impersonation domain or a typosquatting domain? Like, a zero instead of an O in degrippo.com, or something like that?
Kelly Bissell: Well, that's right. So the misspellings are still the most common.
Sherrod DeGrippo: Okay.
Kelly Bissell: But there are other things like gibberish, where the domain is actually - and that's not a typosquatting problem or impersonations, but it may be a fraudulent domain. And when I say gibberish, it's just characters that you can't really make a word out of. We've also seen domains that were set up that were hundreds and hundreds of characters long. And it was maybe even the scam message itself, [laughter], in the domain name, because they used that domain name to send messages. And so, there's a whole lot of analysis done around the domain itself, both ownership, when it was created, and a bunch of other attributes, as well as the name itself. And that is what we're excited about, because the Siamese engram model, is what we call it, not only does it help us determine those subtle patterns, but also real-time and language-agnostic. So it could be in Mandarin, it could be in, you know, English. It could be in French. It doesn't matter.
Sherrod DeGrippo: That's really fascinating. I also think that - is it possible, too, that you're seeing these character string-type domains are coming from domain generation algorithms that have, like, a seed in malware potentially?
Kelly Bissell: Yeah, that's right. I think - and why I think that the - we are seeing much more fraudulent domains being created, because it's cheap, as you mentioned, but it's also being generated by systems, not manual.
Sherrod DeGrippo: So, for those of you who don't do a lot of malware analysis, the DGA, or the domain generation algorithm, it is a sort of tool or plug-in within a piece of malware, where the threat actor and the malware, instead of hardcoding a single domain into that malware, like maybe baddomain123.com, the malware itself has an algorithm and a seed within it that automatically generates thousands of potential domains, and uses different domains every single time. So they have an advantage knowing that it's harder to block these series of thousands of different domains that work with that particular malware. It allows for a lot of stealth, it allows for a lot of resilience. This is something that, if you've followed Qakbot, their DGA was pretty solid, and they were able to stay ahead of detection for a really long time because nobody could figure out the seed for a while, and then they would change it. So Kelly, you're finding not just impersonation and fraud, I would imagine, but, like, straight malware domains too.
Kelly Bissell: Yeah, that's right. So what you described is exactly right, and one way that they would be able to get past detections is they would have a short-time life of that domain, to create one particular scam, and then they would be off somewhere else. So the market didn't have enough time or data to be able to perform the analysis. Now, very different. We can stop it at creation, at scale. Mm hmm.
Sherrod DeGrippo: From your perspective, it sounds to me like part of what you're excited about is that this is a balance shift toward defenders that we've never really had before.
Kelly Bissell: That is exactly right. We have an upper hand at creation.
Sherrod DeGrippo: As Obi Wan said to Anakin, I have the higher ground.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: We're trying to get there, people, okay?
Kelly Bissell: That's exactly right.
Sherrod DeGrippo: So, what is the exciting thing here for you in terms of the heuristics piece? I saw you posted on LinkedIn, and you were very excited about it, which is yet another indicator of sort of your nerdiness when it comes to this AI detection capability.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: What is the most exciting thing here for you, when you're working with this every day?
Kelly Bissell: What I'm most excited about is, we have an advantage, just like you say, we have the higher ground. And I think what it means to all of our customers is they can have a lot more confidence in operating on the Microsoft platform because they can be protected against domain typosquatting, in this case. So, our AI model, instead of calling the long name, you know, Siamese engram model, we call it Typos Shield, and so that's the name of the model.
Sherrod DeGrippo: Okay. I'm trying to think of which one I like better. They're both good. Maybe Siamese Shield, maybe combine them.
Kelly Bissell: That was one of the options. Siamese Shield, yeah.
Sherrod DeGrippo: I like that one. I could see that on a sticker.
Kelly Bissell: We could change it, you know.
Sherrod DeGrippo: Yeah.
Kelly Bissell: I will give you rights and privileges, Sherrod, to that name. How's that?
Sherrod DeGrippo: I'm registering the domain right now, and all variations for typosquatting and every single TLD that I can possibly think of.
Kelly Bissell: [Laughter], I'm sorry, but I might have to block you on that, you know - for our tool, [laughter].
Sherrod DeGrippo: No - oh no, I trademarked it. You're too late. So let me understand, if you're a defender and you're, you know, at work, you're in security, what can you tell your CISO? What can you tell your boss? Hey, we need to do something about this. What's something that defenders out there can start doing?
Kelly Bissell: Yeah. So one, you don't have to be a super data scientist to be able to use this AI agent like we talked about. So yes, we did all the hard work, but what I want to do is not solve just Microsoft's problem, but how do we work within the ecosystem? So, I've already started sharing some of this information with key customers that have the same issue, and again, we're much more interested in how we make the world safer, not just Microsoft, and so that's what we're doing today.
Sherrod DeGrippo: I love that. Tell me a little bit about your success metrics, because I've talked to you in the past about how you judge success, and you've been really instrumental. Great stories that you've told me have involved crypto miners, where you've been able to stop millions of dollars of fraud on single tenants by finding malicious crypto miners and things. So give me an idea, is it - what do you use for metrics? Is it dollars saved? Is it number of, you know, domains that you've found? What's that number that you're chasing all the time? What's your score system?
Kelly Bissell: Yeah, so the score system is a little different for each thing, what I'm trying to solve for. So in this case, for this domain typosquatting, what I'm measuring is, how many domains am I blocking with the appropriate false positive rate.
Sherrod DeGrippo: Okay.
Kelly Bissell: And that's how we know how effective the model is. And then what I'm doing is if some have slipped through, for whatever reason, that's my false negative rate, then I'm able to figure out, again, how effective that is. So that's very different from my crypto mining block, which I've blocked 98% of all crypto mining on Azure, which is awesome.
Sherrod DeGrippo: Incredible. Don't crypto mine on my cloud, people.
Kelly Bissell: And then there's the different - [laughter], that's right.
Sherrod DeGrippo: Stay off. Crypto mine at home. Run up your own electric bills.
Kelly Bissell: That's right. But then, look, I have - I'm not quite ready, but I've got some great things going on with spam, which we all hate, right? So --
Sherrod DeGrippo: Ugh, you're cooking up something with spam, oh no.
Kelly Bissell: Yes, yes. Cooking with spam, so -
Sherrod DeGrippo: Cooking with spam. So, that's another thing, deep in my background is I spent almost 10 years doing only email, and wow, I'm traumatized from it, but I loved when people would talk about spam, and I would say, hmm, if it's RFC822-compliant, it's simply unsolicited commercial email, [laughter], and people would be like, whoa, what?
Kelly Bissell: Yeah, there's a difference between unwanted email versus malicious email.
Sherrod DeGrippo: Uh huh, absolutely.
Kelly Bissell: And so, I am laser-focused on blocking malicious email, because the unwanted marketing, I don't know if I can -
Sherrod DeGrippo: That's reality, that's - you know, that's a billboard on your way to work. That's a flyer in your mailbox. We run, unfortunately for all of us, we are in a capitalist society, and we work at a corporation, so these are generally things that we have to tolerate. But, I completely agree, malicious activity, malicious emails that have malware, credential phishing, any kind of harmful code or content involved in them, those have to go. That's not what we want. We want to stop those, and occasionally I like to get the Sephora email sale ad. Like, I'm fine with that.
Kelly Bissell: Yep. And so, look, maybe in the future I can give you a little update on where we are on spam.
Sherrod DeGrippo: Okay.
Kelly Bissell: I can give you a little update on deepfakes.
Sherrod DeGrippo: Oh, deepfakes.
Kelly Bissell: And, if you're ever interested, we have a cool case that we're working on called Trash Panda.
Sherrod DeGrippo: Oh, Trash Panda. I've heard about this. Trash Panda, this is a spoiler.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: Kelly Bissell, everyone, gave us a spoiler alert on the "Microsoft Threat Intelligence Podcast." We're going to have some people from DCU come on about that.
Kelly Bissell: Oh, look, DCU? Those are my friends. We work together hand-in-hand all the time, and they're the masters of Trash Panda.
Sherrod DeGrippo: The mas - [laughter], I'm - okay, I'm writing that down for when we record the episode. I'll be like so, I'm here with the masters of Trash Panda.
Kelly Bissell: [Laughter], yes.
Sherrod DeGrippo: That sounds like an episode of KPop Demon Hunters.
Kelly Bissell: [Laughter].
Sherrod DeGrippo: Like, the masters of Trash Panda, here they are, everyone. What else do we need to know about domain squatting, fraud, any of this kind of stuff that you're seeing out there? Any other things we want to mention?
Kelly Bissell: Well, you know, the only thing that I think is important to know is, we're in a different game today than we were yesterday, I mean, just a month ago. Because truly, the Siamese neural network has actually changed the game for defenders. And as we integrate with registrars and some others in the marketplace, this is really helping us across the board. So I'm excited about what it means to keep the world a little safer for all of our customers around the world.
Sherrod DeGrippo: I love that, and you know, something I'm really pretty open about, I've worked in security for 21 years. I came to Microsoft two and a half years ago. My mind is still trying to piece itself back together with the incredible things that I was exposed to and am still every day, but Microsoft just is so broad and so big that the impact is outsized every time. And so having somebody like Kelly really looking at how can we better secure Microsoft's customers, how can we make a dent in these problems that really, while they are Microsoft problems, I got to be honest here, if Microsoft has a problem, most of the world probably has that problem too. The impact and scale is just so big.
Kelly Bissell: Agreed.
Sherrod DeGrippo: So we've got Kelly Bissell on the case, one of the defender nerds at Microsoft, [laughter].
Kelly Bissell: [Laughter].
Sherrod DeGrippo: It doesn't matter how high you rise in the company, we are probably still nerding out. Kelly, thank you so much for joining us. This has been fantastic, learning about all the cool things that you're doing. Hope to have you back again.
Kelly Bissell: Sherrod, thanks for having me on. I'm really grateful. [ Music ]
Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]
