Protected Domains
Protected domains are the corporate and brand login pages you explicitly ask Surface Security to defend. Where domain scopes declare which domains you own and monitor, protected domains go a step further: Surface captures a trusted fingerprint ("baseline") of each protected page and then actively hunts for anything that imitates it — cloned login pages, lookalike domains, and pages that borrow your brand to steal employee credentials.
Every browser in your fleet participates. Baselines captured from the genuine page are distributed to all enrolled extensions, so when any employee lands on a counterfeit copy of your sign-in page — even on a domain no one has ever seen before — the extension can recognize the imitation locally and respond in real time.
[SCREENSHOT PLACEHOLDER: The Protected Domains page (Attack Surface > Protected Domains) showing the summary cards (Total Domains, Baseline Captured, Pre-built) and the table with Domain, URL Pattern, Collector, Status, and Last Updated columns]
How it works
1. Baseline capture
When you add a protected domain, its Status starts as Pending. The next time an enrolled browser visits the genuine page, the extension records a baseline fingerprint: the page's structure, visual appearance, branding elements, security headers, and related characteristics. No page content or credentials are collected — the baseline is a set of one-way fingerprints used only for comparison. Once recorded, the status changes to Captured.
You can optionally restrict which URLs are fingerprinted (a URL Pattern such as /login/*)
and designate a specific Collector Endpoint — a single trusted browser that is responsible
for capturing the baseline — instead of allowing any enrolled endpoint to do it.
2. Distribution
Captured baselines are synced from the server to every enrolled extension on a regular schedule, so the entire fleet shares the same reference picture of what your genuine pages look like.
3. Detection
With baselines in place, protected domains feed several detection layers described in detail in the Phishing Detection guide:
- Lookalike (typosquatting) detection — the extension alerts when a user navigates to a domain that visually or structurally impersonates a protected domain (character swaps, homoglyph characters, keyboard-adjacent typos). As the add dialog notes, non-wildcard domains are used for this matching.
- Cloned-page detection — a page hosted elsewhere whose structure and content closely match a protected page's baseline is flagged as a probable clone of your login page.
- Visual similarity — pages that look like a protected page (branding, layout, logos) but live on the wrong domain are flagged, even when the attacker rewrites the underlying code.
- Brand impersonation — your protected domains teach the extension what your brand's legitimate home looks like, so pages rendering your brand from an unrelated hostname stand out.
4. Credential-reuse protection
Protected domains work hand in hand with Surface's credential monitoring. As employees sign in
on your corporate domains, the extension learns privacy-preserving fingerprints of those
credentials on the device (passwords themselves never leave the endpoint). If a user later types
a known corporate credential into a site outside the domains where that credential legitimately
belongs — for example, a lookalike of a protected domain — Surface raises a critical alert with
evidence of the form "credential belongs to login.example.com but was entered on
examp1e-login.com". Depending on your enforcement mode, the user is also warned or the page is
blocked before the credential is submitted. See
Credential & Alert Controls for tuning options.
Using the page
Navigate to Attack Surface > Protected Domains in the dashboard sidebar.
The page shows three summary cards — Total Domains, Baseline Captured, and Pre-built — above a table with the columns:
| Column | Meaning |
|---|---|
| Domain | The protected domain. A Pre-built badge marks entries that ship with Surface (widely-targeted services); these cannot be deleted. |
| URL Pattern | Optional pattern restricting baseline capture to matching URLs. |
| Collector | The specific endpoint designated to capture the baseline, if any. |
| Status | Captured (baseline recorded) or Pending (waiting for a visit to the genuine page). |
| Last Updated | When the entry or its baseline last changed. |
Adding a protected domain
- Click Add Protected Domain.
- Enter the Domain (for example
login.example.com). The dialog reminds you that non-wildcard domains are also used for typosquatting detection — the extension will alert when users navigate to look-alike domains that impersonate this domain. - Optionally set a URL Pattern (for example
/login/*) to restrict baseline capture to URLs matching this pattern. - Optionally choose a Collector Endpoint from the list of active devices. The default is None — any endpoint can capture.
- Click Add Domain.
[SCREENSHOT PLACEHOLDER: The Add Protected Domain dialog with a domain entered, showing the URL Pattern field and the Collector Endpoint dropdown with its helper text]
Editing and deleting
Use Edit on a row to change the URL pattern or collector endpoint. Use Delete to remove a domain you added yourself; pre-built domains cannot be deleted. Deletion cannot be undone.
Exporting baselines
Click Export Baselines to download the captured baseline set as a JSON file — useful for audits, support cases, or reviewing exactly what reference data your fleet is matching against. The button is available once at least one baseline has been captured.
Configuration tips
- Protect the login page, not just the apex domain. If employees sign in at
sso.example.com, protect that host. Baselines are captured per page, and the sign-in page is what attackers clone. - Use a URL pattern for multi-purpose hosts. If the protected host serves many pages, a
pattern like
/login/*keeps the baseline anchored to the authentication flow. - Use a collector endpoint in controlled rollouts. Designating one trusted machine to capture baselines gives you a predictable, reviewable capture instead of first-visitor-wins.
- Re-capture after redesigns. If you significantly redesign a protected login page, expect the baseline to refresh on subsequent visits; check that Status and Last Updated reflect the new design.
Worked example
Acme Corp's employees sign in through sso.acmecorp.com.
- An administrator adds
sso.acmecorp.comas a protected domain with the URL pattern/login/*. Status shows Pending. - An employee signs in as usual the next morning. The extension records the baseline from the genuine page, and the dashboard status flips to Captured.
- Weeks later, a phishing campaign registers
sso-acmecorp.comand hosts a pixel-perfect copy of the Acme login page. An employee clicks the link from an email. - The extension recognizes the threat on two independent fronts: the domain is a lookalike of a
protected domain, and the page's structure and appearance match the captured baseline of
sso.acmecorp.comwhile being served from somewhere else. - In warn mode the employee sees an in-page warning; in block mode the page is blocked outright. An alert with the supporting evidence appears in the dashboard either way. If the employee had begun typing their corporate password, a critical credential-on-untrusted-site alert would fire as well.
[SCREENSHOT PLACEHOLDER: A phishing alert in the dashboard generated by a lookalike of a protected domain, showing the detection evidence and the impersonated target domain]
Troubleshooting
Status stays Pending. A baseline is captured when an enrolled browser visits the genuine page. Visit the page from an enrolled endpoint — or, if you set a Collector Endpoint, from that specific device. Also check that your URL Pattern actually matches the sign-in URL; a pattern that is too narrow prevents capture.
Can I use wildcards in the domain?
Enter a specific host (for example login.example.com). The dialog validates for a plain domain
name. Note that lookalike detection applies to non-wildcard domains.
Why can't I delete some entries? Entries with the Pre-built badge ship with the product and cannot be deleted.
A legitimate site keeps getting flagged as a lookalike of my protected domain. Resolve the alert as a false positive, or add the domain on the Phishing Domain Whitelist page under Settings — see Phishing Detection for how the whitelist works.
Do protected domains block anything on their own? The response (warn versus block versus silent telemetry) follows your extension mode and security policies. Protected domains supply the detection signal; policies decide the action.