FoilSuite Blog
Deep dives into phishing detection, DNS forensics, password security, and browser threat analysis.
Phishing Infrastructure Analysis — Mapping Campaigns Through Passive DNS and WHOIS
Phishing campaigns rarely use a single domain. This post explains how analysts pivot from one suspicious registration to an entire infrastructure cluster using registrar data, nameserver patterns, and WHOIS correlation.
FoilGuard Detection Architecture — Multi-Signal Scoring and False Positive Analysis
A technical walkthrough of how FoilGuard detects domain impersonation: signal architecture, scoring weights, benchmark results against 60+ labeled domains, and the false positive tradeoffs that shaped design decisions.
TTL Covert Channels — Encoding Data in DNS Time-to-Live Fields
A TTL covert channel hides binary data inside a field nobody watches — the Time-to-Live value in DNS responses. This post explains how it works, why it bypasses most detection, and how to find it in a pcap.
C2 Beacon Analysis — Recognising Command-and-Control Traffic in Packet Captures
After initial compromise, malware phones home on a schedule. This post explains beaconing patterns, how to measure jitter and interval consistency, and how to find a beacon hiding in normal HTTP traffic.
DNS Exfiltration — How Attackers Tunnel Data Through Name Queries
DNS was designed to translate names to IPs — not to carry stolen data. This post explains how attackers encode files in DNS queries, why firewalls miss it, and how to detect it in a pcap.
How Attackers Spoof Email — and How to Catch Them
SMTP was built without authentication. We explain how spoofing works, what SPF, DKIM, and DMARC actually protect against, and walk through the FoilLab mail-trap challenge to show email forensics in practice.
How Typosquatting Works — and How FoilGuard Catches It
Attackers register domains one character away from brands you trust. We walk through the techniques — character substitution, homoglyphs, combosquatting — and explain exactly how FoilGuard's heuristic engine detects each one.
Password Manager Threat Models — and Why Local-First Wins
Cloud-synced vaults and local-first encryption solve different threat models. We break down what LastPass got wrong, how PBKDF2 iteration counts matter, and why FoilVault keeps your credentials off the network entirely.