AI-Assisted Workflow for Validating and Blocking Impersonating Domains
Introduction
This article outlines the design and implementation of an Impersonating Domain Response System. The system automatically retrieves suspected domains from threat intelligence feeds, validates them through visual and semantic analysis, and enforces blocking actions once a domain is confirmed malicious, significantly reducing response time and improving operational efficiency.
What is Impersonating Domain Detection?
The Impersonating Domain Response System is an AI-assisted automation framework designed to validate and respond to potential domain impersonation threats. It ingests suspected domains from threat intelligence feeds such as SOC Radar, analyzes their visual and behavioral attributes, and determines the likelihood of impersonation using AI-driven analysis. When a domain is confirmed as malicious, the system automatically triggers a blocking action on the firewall. Once blocked by the FortiGate firewall, the domain can no longer be accessed from the Halodoc office network. Its goal is to protect Halodoc’s brand identity and users from phishing, spoofing, and domain impersonation campaigns by accelerating validation and response workflows.
How Does This System Work?
The system works through a combination of several integrated components:
- Threat Intelligence Feed (SOC Radar): Acts as the external threat intelligence provider, making a list of suspected impersonating domains available for retrieval via an API.
- Automation Script (Python): Serves as the backend engine that runs a scheduled task every 5 minutes to retrieve the latest list of suspected domains from the SOC Radar API. It then enriches this data with information from VirusTotal and orchestrates the entire analysis and response workflow.
- Analytic Tools (Playwright & VirusTotal): Playwright is used as a headless browser to safely visit suspicious domains and extract visual and textual characteristics such as logo design, color schemes, and the presence of login forms. This data is then enriched with a reputation score from VirusTotal.
- AI Layer (OpenAI GPT-4o-mini): Utilizes AI to perform in-depth semantic and visual analysis. The model receives a combination of data (domain metadata, a visual report from Playwright, and a reputation score) to determine whether the domain is genuinely impersonating or not.
- Firewall Integration (FortiGate): If a domain is classified as a Confirmed Threat, the system automatically sends a command to the FortiGate firewall via SSH to apply a blocking rule.
- Logging & Notification (Google Workspace): All activities and decisions are recorded in a Google Sheet for audit purposes, and real-time notifications are sent to the security team via Google Chat.
Advantages and Challenges
Building an AI-Based Impersonating Domain Detection System has its own advantages and challenges:
Advantages:
- Rapid Response: Automates the process from detection to blocking, thereby significantly accelerating the response time to threats.
- Time Efficiency: Reduces the manual analysis workload for the security team, allowing them to focus on more strategic tasks.
- Proactive Protection: The system actively seeks out and neutralizes threats before they can harm employees or customers.
- Accurate Analysis: By combining visual, semantic, and reputation data, the system can make more accurate decisions compared to traditional rule-based analysis.
Challenges:
- Technology Integration: Integrating multiple components such as intelligence APIs, a headless browser, an AI model, and a firewall requires solid technical knowledge. Without proper design, the system may become unstable.
- Credential Management: The system relies on many API keys and credentials (SOC Radar, OpenAI, VirusTotal). Secure management is crucial to prevent misuse.
TECHNICAL IMPLEMENTATION
Prerequisites
Before starting, ensure you have:
- Basic Knowledge: An understanding of Python and how REST APIs work.
- Accounts & API Keys:
  - An active SOC Radar account with an API Key.
  - An active OpenAI account with a valid API Key.
  - A VirusTotal account with an API Key for data enrichment.
  - SSH access to a FortiGate device with configuration privileges.
  - A Google account to create a Google Sheet and a Google Chat Webhook.
Implementation Steps
Step 1: Setting Up the Project Environment
First, let's prepare the working directory and all the libraries we need.
- Create a new folder for the project and navigate into it.
- Create a requirements.txt file and fill it with the following list of libraries:
- Install all libraries with a single command:
- Create a .env file to store all credentials securely.
Step 2: Retrieving the List of Suspicious Domains
Our system needs domain input to analyze. We will retrieve it from SOC Radar. Create a Python function to call the SOC Radar API using the requests library.
Step 3: Capturing "Visual Evidence" with Playwright
For the AI to analyze a site, we need to "see" what it looks like. We will use Playwright to take a screenshot and extract its text.
Step 4: Smart Analysis with OpenAI
This is the core of our system. We will send visual evidence (the screenshot) and other data to the GPT-4o-mini model to get a classification.
Step 5: Automated Blocking Action on FortiGate
If the AI confirms a threat, we need to act fast. This function will connect to the FortiGate via SSH and add the domain to the block list.
Step 6: Putting It All Together & Scheduling
Now we combine all functions into one main workflow and use the schedule library to run it periodically.
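As an added example (not the article's own code), the glue a practitioner would want between Steps 2 to 6: every domain string is validated as a plain hostname before it is interpolated into a firewall command sent over SSH, the model's reply is parsed strictly so that malformed or unexpected output falls back to human review instead of a block, and blocking requires VirusTotal corroboration as well as a confident AI verdict. The JSON verdict format, the confidence and VirusTotal thresholds, and the FortiGate URL-filter CLI syntax are assumptions to adapt to your own prompt and firmware.

```python
import json
import re
from dataclasses import dataclass

# RFC 1123 host labels: a feed entry or model output that is not a plain
# hostname is refused, never interpolated into the firewall CLI over SSH.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def normalize_domain(raw: str) -> str:
    """Lower-case, strip scheme/port/path, validate; raise ValueError otherwise."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", raw.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    if len(host) > 253 or not _HOSTNAME_RE.match(host):
        raise ValueError(f"refusing non-hostname input: {raw!r}")
    return host

@dataclass(frozen=True)
class Verdict:
    label: str  # one of: confirmed_threat, suspicious, benign (assumed schema)
    confidence: float

def parse_verdict(model_text: str) -> Verdict:
    """Parse the model's JSON reply; malformed or unknown output becomes 'suspicious' (review, no block)."""
    try:
        data = json.loads(model_text)
        label = str(data["label"]).lower()
        confidence = min(max(float(data.get("confidence", 0.0)), 0.0), 1.0)
    except (ValueError, TypeError, KeyError, AttributeError):
        return Verdict("suspicious", 0.0)
    if label not in {"confirmed_threat", "suspicious", "benign"}:
        label = "suspicious"
    return Verdict(label, confidence)

def should_block(verdict: Verdict, vt_malicious: int, min_conf: float = 0.9, min_vt: int = 3) -> bool:
    """Block only on a confident confirmed_threat that VirusTotal corroborates (thresholds are assumptions)."""
    return verdict.label == "confirmed_threat" and verdict.confidence >= min_conf and vt_malicious >= min_vt

def build_block_commands(domain: str, urlfilter_id: int, entry_id: int) -> list[str]:
    """FortiGate CLI lines for a URL-filter block entry (syntax is an assumption; check your firmware)."""
    host = normalize_domain(domain)  # validated before it touches the command
    return [
        "config webfilter urlfilter", f"edit {urlfilter_id}", "config entries",
        f"edit {entry_id}", f'set url "{host}"', "set type simple",
        "set action block", "next", "end", "next", "end",
    ]
```

The returned command list is what the SSH step should send; anything that fails `normalize_domain` is logged and routed to the security team instead of the firewall.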
RESULTS AND IMPACT
After being implemented and running for some time, the Impersonating Domain Detection system has delivered measurable results and a significant positive impact on the company's security posture.
Key Metrics and Achievements
Here are some of the key quantitative and qualitative results that have been achieved:
- High Detection Accuracy: Of the total domains analyzed, the system successfully achieved an accuracy rate of over 98% in classifying impersonation threats, which was manually validated by the cybersecurity team.
- Reduction in Response Time: The time required from when a domain is detected until it is successfully blocked on the firewall has been reduced from an average of 1-2 hours (manual process) to 5 minutes (automated process).
- Enhanced Visibility and Auditing: All AI decisions and actions are automatically recorded in Google Sheets, providing a transparent audit trail and simplifying the reporting process.
Example of Results in Practice
1. Activity Log in Google Sheets: Every analyzed domain, along with the AI's decision and its blocking status, is recorded in real time. This provides full visibility to the team.
2. Alert Notifications in Google Chat: When a domain is confirmed as a threat and successfully blocked, the system automatically sends a notification to the security team's Google Chat space.
Error Handling
- Failed to Retrieve Domain Data: If no data is pulled, check the SOC Radar API token and available quota. Also, ensure the scheduler is running correctly.
- Invalid API Key: An invalid API key for OpenAI will cause analysis failures. Ensure all keys are active and stored correctly.
- Failed to Block on Firewall: Review the firewall SSH call logs. Ensure the policy ID or filter profile used is correct and the account used has the appropriate permissions.
- Logging and Debugging: Proper logging is essential. Use Logger.log() or save logs to a file to create a traceable history of errors and actions.
Conclusion
Building an AI-assisted Impersonating Domain Response System represents a practical step toward modernizing brand protection operations. By integrating external threat intelligence, AI-driven validation, and automated enforcement, organizations can drastically reduce response times and improve accuracy when handling impersonating domain threats. While challenges such as feed reliability, API credential management, and false positives need careful handling, the long-term benefits (faster decision-making, reduced analyst workload, and stronger protection against phishing and spoofing) make this a valuable enhancement to existing security processes.
About Halodoc
Halodoc is the number one all-around healthcare application in Indonesia. Our mission is to simplify and deliver quality healthcare across Indonesia, from Sabang to Merauke.
Since 2016, Halodoc has been improving health literacy in Indonesia by providing user-friendly healthcare communication, education, and information (KIE). In parallel, our ecosystem has expanded to offer a range of services that facilitate convenient access to healthcare, starting with Homecare by Halodoc as a preventive care feature that allows users to conduct health tests privately and securely from the comfort of their homes; My Insurance, which allows users to access the benefits of cashless outpatient services in a more seamless way; Chat with Doctor, which allows users to consult with over 20,000 licensed physicians via chat, video or voice call; and Health Store features that allow users to purchase medicines, supplements and various health products from our network of over 4,900 trusted partner pharmacies. To deliver holistic health solutions in a fully digital way, Halodoc offers Digital Clinic services including Haloskin, a trusted dermatology care platform guided by experienced dermatologists.
We are proud to be trusted by global and regional investors, including the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek, and many more. With over USD 100 million raised to date, including our recent Series D, our team is committed to building the best personalized healthcare solutions — and we remain steadfast in our journey to simplify healthcare for all Indonesians.