One unique honeypot email per vendor. When phishing arrives, you know exactly which company exposed your data. We provide irrefutable digital evidence.
Three steps from zero to evidence
Create one unique honeypot email address per vendor or service. Each address is used exclusively with one provider. When spam or phishing arrives, you instantly know the source of the leak.
Every incoming email is analyzed in real time: SPF, DKIM, DMARC authentication checks, attachment scanning, phishing heuristics. Suspicious emails are flagged and preserved as forensic evidence with full headers.
Trace the phishing infrastructure end-to-end: spoofed domains via DNS records, hosting IPs via Shodan, TLS certificates via crt.sh, geolocation via ipinfo.io, WHOIS data. Identify the breached vendor with high confidence.
How we traced a phishing campaign and identified the breached vendor
A unique email address created solely for a major bank receives a phishing message. The email spoofs the bank's domain with a fake 'legal notification' pretext. SPF and DKIM both fail authentication.
DNS records reveal the spoofed domain resolves to a server in Ukraine. Shodan shows open ports 22, 25, 80, 443 with self-signed TLS. crt.sh exposes the certificate issuer. IP geolocation maps the infrastructure to France.
Multiple phishing waves across 14 days with different pretexts (legal notice, tax authority, fake invoice) are correlated. Same IP range, same domain registrant, identical email headers — proving a single coordinated campaign.
The honeypot email was registered exclusively for this bank. Cross-reference with similar cases confirms the data was exposed through a third-party vendor (credit bureau), not the bank's core systems.
Secure audit report with all evidence: raw email headers, DNS records, IP geolocation maps, TLS certificate chain, WHOIS data, campaign timeline. Protected with 6-digit access code. Delivered to the bank's security team.
Proven intelligence sources used in every investigation
SPF/DKIM/DMARC/MX/CAA lookup for spoofed and target domains. Automated scoring 0-100 with letter grade.
IP intelligence: open ports, services, hostnames, known vulnerabilities, TLS configurations.
crt.sh: full TLS certificate history, subdomain discovery through certificate logs, domain age verification.
ipinfo.io: geographic mapping of attacker servers with ISP, organization, and ASN data.
Domain registration details: registrant name and country, creation date, nameservers, registrar.
Web Key Directory and OPENPGPKEY DNS records to assess encrypted email capabilities of target domains.
Three scenarios where our methodology delivers critical answers
Your company is being targeted by phishing attacks. We trace the origin, identify which vendor or partner leaked customer data, and provide court-admissible evidence.
You suspect your personal data was breached. We deploy honeypot addresses across services. The first phishing email tells you exactly who leaked it.
GDPR, HIPAA, or LGPD requires breach notification within 72 hours. Our forensic audit trail determines scope, affected parties, and remediation steps.
We can trace the origin of any phishing email targeting you or your organization.