Phishing Detection
Surface Security detects phishing in the browser itself, at the moment an employee lands on a page — not hours later when a blocklist catches up. The extension layers several independent detection techniques on every page it evaluates, so a phishing site has to defeat all of them at once: the domain, the page's appearance, its structure, its behavior, its reputation, and what it asks the user to do. Detection runs locally on the endpoint; a page never needs to be on a known blocklist to be caught.
This guide covers the detection layers, what employees see when something fires, and the four settings pages administrators use to tune detection: Phishing Signatures, ClickFix Signatures, Phishing Domain Whitelist, and OAuth Threat Detection.
[SCREENSHOT PLACEHOLDER: The Settings page "Threats" section showing the Phishing Signatures, ClickFix Signatures, OAuth Threat Detection, Phishing Domain Whitelist, and Threat Intelligence cards]
Detection layers
Domain lookalikes (typosquatting)
The extension analyzes the domain of every candidate page for impersonation of your
protected domains and of widely-targeted brands. It
combines several techniques: edit-distance similarity, homoglyph detection (visually identical
characters from other alphabets, such as a Cyrillic "а" replacing a Latin "a"), keyboard-proximity
typos, and common character-substitution tricks. A domain like examp1e.com or
exаmple.com (with a Cyrillic character) is flagged before the page even finishes loading.
Visual page similarity
The extension compares what a suspicious page looks like — using perceptual comparison of the rendered page — against known brand templates and the baselines captured from your protected domains. This catches clones that rewrite all of the underlying code but keep the pixel-level appearance employees would recognize.
Cloned-page detection
Beyond appearance, the extension fingerprints page structure and content and compares it against the trusted baselines of your protected login pages. A page whose structure closely matches your genuine sign-in page while being served from a different domain is flagged as a probable clone. Brand-impersonation checks add further corroboration: brand logos and brand text rendered on a hostname that does not belong to the brand.
Adversary-in-the-Middle (AiTM) detection
AiTM kits (such as reverse-proxy phishing frameworks) relay the real login page through an attacker-controlled server to steal session tokens, so the page looks perfectly genuine. The extension detects these attacks through protocol, timing, and page-integrity characteristics that a relay cannot fully preserve. AiTM detections are among the highest-severity alerts Surface raises, because they can defeat MFA.
Phishing-kit signatures
Known phishing kits leave recognizable traces in a page — characteristic markup, scripts, infrastructure patterns, and evasion tricks. The extension ships with built-in kit signatures and hot-syncs additional signature data from your server (see Phishing Signatures below), so coverage for new kits reaches your fleet without an extension update.
ClickFix and fake-fix social engineering
ClickFix-style attacks skip credential forms entirely: the page shows a fake CAPTCHA, error, or "verification step" that instructs the user to copy a command and run it on their own machine. The extension counters this on two fronts — a clipboard guard that inspects content written to the clipboard programmatically, and a page detector that recognizes the instruction patterns on the page itself. Related variants (FileFix, ConsentFix, pastejacking) are covered by the same engine. Signatures are managed on the ClickFix Signatures page.
Threat-intelligence reputation
When configured, Surface enriches detection with domain reputation from URLScan.io and VirusTotal, with results cached to stay within API limits. Reputation is a corroborating signal layered on top of local detection, not a prerequisite for it. Configure API keys and see usage details in the Threat Intelligence guide.
Cross-organization campaign intelligence
Optionally, anonymized threat fingerprints can be matched against campaigns observed at other participating organizations, so a brand-new phishing domain can be flagged with high confidence the first time one of your users encounters it. This is opt-in and privacy-preserving — see Campaign Intelligence.
OAuth-based phishing
Not all phishing steals passwords. Device-code phishing and malicious OAuth consent grants trick users into handing over tokens on the legitimate provider's site. Surface detects these separately — see OAuth Threat Detection below and the OAuth Consent Grants guide.
What users see
The response to a detection follows the extension mode and your security policies ("most restrictive wins"):
| Mode | User experience |
|---|---|
| Learning | Nothing visible. Detections are recorded as alerts for administrators only — used during rollout to tune before enforcing. |
| Warn | An in-page warning card appears over the page, explaining the suspected impersonation. The user can also report the page, which submits it for analysis and creates an alert with page evidence attached. |
| Block | A full-page Page Blocked interstitial replaces the page immediately, showing the reason, then redirects to a security page with the technical details and the available options (such as going back or requesting access). |
In every mode, an alert is sent to the dashboard so administrators have visibility — including, where applicable, a screenshot of the offending page and the list of indicators that fired.
[SCREENSHOT PLACEHOLDER: The full-page "Page Blocked" interstitial shown to an employee in block mode, with the block reason and Surface Security branding visible]
Settings > Phishing Signatures
Settings > Phishing Signatures (the card is under the "Threats" section) manages the phishing kit detection signatures synced to browser extensions.
How signature sync works
- Manage signatures on this page — add individual signatures or upload packs.
- Browser extensions check for updates approximately every 4 hours using version-based sync; updates are cryptographically signed and verified by the extension before they are applied.
- Only enabled signatures are synced, and server signatures merge with the built-in set.
- The current signature set version is shown next to the page description.
Using the page
The page shows Total Signatures, Enabled, and Categories cards, a search box, a category filter, and the signatures table (Signature, Category, Confidence, Source, Status toggle, Edit/Delete actions). Sources are builtin, custom, and pack.
- Add Signature opens an editor where you set a Signature ID, Name, Category, a Confidence slider, an Enabled checkbox, the detection indicators (patterns matched against the page's DOM, scripts, HTML, URL, subdomains, TLDs, cookies, and evasion behaviors), and optional reference URLs. A help button on the page explains the indicator types and matching logic in detail.
- Upload Pack imports a ZIP file of JSON signature files, for distributing curated signature sets.
- Categories include AiTM (Adversary-in-the-Middle), Credential Harvesting, Browser-in-Browser, OAuth Impersonation, SSO Phishing, QR Code Phishing, and Generic.
A practical rollout pattern: create a new signature with a lower confidence first (it alerts without blocking), confirm it produces no false positives in your environment, then raise the confidence so it can contribute to blocking decisions. Use the Status toggle to temporarily disable a signature rather than deleting it.
[SCREENSHOT PLACEHOLDER: The Phishing Signatures page with the signature table, category filter, and the Add Signature / Upload Pack buttons]
Settings > ClickFix Signatures
Settings > ClickFix Signatures manages the detection patterns for clipboard-based social engineering (the page is titled ClickFix/FileFix Signatures).
Each signature defines a pattern with:
- Kind — Pattern (regex) or Keyword (literal substring), matched case-insensitively.
- Applies To — the Clipboard guard, the Page detector, or Both.
- Signal Type — what the pattern indicates (for example PowerShell commands, encoded commands, download-and-execute behavior, fake CAPTCHA context, run-dialog instructions).
- Weight — how strongly a match counts toward the combined score. Matching weights are summed, and a sufficiently high combined score triggers a block.
- Threat Category — ClickFix, FileFix, ConsentFix, or Pastejacking.
The editor includes a built-in Test Pattern panel so you can verify a regex against sample text before saving, and unsafe regex constructions are rejected automatically. Like phishing signatures, ClickFix signatures sync to extensions approximately every 4 hours, and only enabled signatures are sent.
Settings > Phishing Domain Whitelist
Settings > Phishing Domain Whitelist is the false-positive control. Domains on this list skip all phishing detection checks — including typosquatting, reputation, and blocklist checks.
Two ways entries get here:
- Manual — add a domain with an optional reason (for example a legitimate security tool that resembles phishing tooling).
- False Positive — when a phishing alert is resolved as a false positive in the alert workflow, the domain is added automatically and labeled accordingly.
Whitelisting uses exact matching: adding gchq.github.io whitelists only that specific
subdomain, not all of github.io. Enter a bare domain, not a URL. The whitelist syncs to browser
extensions during the next policy sync.
Because a whitelisted domain bypasses every phishing check, keep this list short and reviewed — prefer resolving individual alerts over broad entries.
[SCREENSHOT PLACEHOLDER: The Phishing Domain Whitelist page showing the Add Domain form and a list with both Manual and False Positive entries]
Settings > OAuth Threat Detection
Settings > OAuth Threat Detection controls device code flow policy and OAuth phishing detection.
Device-code phishing abuses the OAuth device authorization flow to bypass passwords and MFA: the attacker generates a device code and tricks the user into entering it on the legitimate provider's login page, which grants the attacker access tokens.
- Device Code Flow toggle — when allowed, the extension alerts on device code pages reached from external referrers (such as a phishing email link) or without referrer context. When blocked, any visit to a device code entry page raises a high-confidence alert regardless of context. Changing this setting requires re-entering your password.
- Detection Coverage on the page lists what is monitored: device code entry pages across major providers, external-referrer arrivals, first-party client-ID abuse on unrelated domains, and OAuth callbacks redirected to localhost or raw IP addresses.
For visibility into which third-party applications employees have granted access to — and rules to warn on or block risky consent grants — see OAuth Consent Grants.
Worked example
An employee receives an email linking to acmecorp-sso-verify.com, hosting a proxied copy of
the real Acme sign-in page behind a fake CAPTCHA:
- The lookalike layer flags the domain as impersonating the protected
sso.acmecorp.com. - The page's structure and appearance match the captured baseline of the genuine page — clone detection corroborates.
- The fake CAPTCHA instructs the user to paste a command; the ClickFix clipboard guard intercepts the copied command and blocks it.
- With the tenant in block mode, the user sees the Page Blocked interstitial before entering anything. An alert with a screenshot, the matched indicators, and the impersonated target arrives in the dashboard — enriched with campaign context if Campaign Intelligence is enabled.
FAQ
A legitimate site was flagged. What is the fastest fix? Resolve the alert as a false positive (which whitelists the domain automatically) or add the domain manually on the Phishing Domain Whitelist page. The whitelist syncs to extensions on the next policy sync.
How quickly do new signatures reach browsers? Extensions check for signature updates approximately every 4 hours. Updates are versioned and signed; an extension that cannot verify an update will not apply it.
Do employees lose protection when the server is unreachable? No. Detection runs locally in the extension with built-in signatures and the last-synced data. Server sync adds freshness; it is not a dependency for protection.
Why did a page get blocked when no signature matched? Signatures are only one layer. Lookalike domains, clone detection, visual similarity, AiTM indicators, credential-entry protection, and reputation can each raise or contribute to a detection independently.
Can I tune how aggressively users are warned or blocked? Yes — the extension mode and per-domain rules are governed by security policies, and alert-level controls are described in Credential & Alert Controls.