Skip to content

[Bug]: Domain squatting false positive - Google Domains #151

Open
Open
[Bug]: Domain squatting false positive - Google Domains#151
Labels
bugSomething isn't workingnot-assigned
@amastellone-ict

Description

@amastellone-ict
amastellone-ict
opened on Apr 24, 2026

Required confirmations before submitting

  • I can reproduce this issue on the latest released version of Check.
  • I have searched existing issues (both open and closed) to avoid duplicates.
  • I am not requesting general support; this is an actual bug report.

Issue Description

Domain squatting detected: Domain adds prefix/suffix to protected domain"
doc-04-68-apps-viewer.googleusercontent.com
google.com

{
      "event": {
        "action": "warned",
        "clientId": null,
        "origin": "https://doc-04-68-apps-viewer.googleusercontent.com",
        "reason": "Domain squatting detected: Domain adds prefix/suffix to protected domain",
        "redirectTo": null,
        "ruleType": "domain_squatting",
        "severity": "medium",
        "squattingDetails": {
          "action": "warn",
          "confidence": 0.7,
          "detected": true,
          "protectedDomain": "google.com",
          "severity": "medium",
          "techniques": [
            {
              "confidence": 0.7,
              "description": "Domain adds prefix/suffix to protected domain",
              "pattern": "generic_combo",
              "prefix": "",
              "suffix": "usercontent",
              "technique": "combosquat"
            }
          ],
          "testDomain": "doc-04-68-apps-viewer.googleusercontent.com"
        },
        "threatDetected": true,
        "threatLevel": "medium",
        "timestamp": "2026-04-24T17:48:47.294Z",
        "type": "threat_detected",
        "url": "https[:]//doc-04-68-apps-viewer.googleusercontent.com/viewer/secure/pdf/969b0pnr24pqf889lvldb39bq5aqst1e/fdn4t0ftnj4df2dkme3jdrctoiv8bmqm/1777052850000/gmail/<redacted>",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
      },
      "profile": {
        "browserInfo": {
          "browserType": "chrome",
          "browserVersion": "147.0.0.0",
          "extensionId": "benimdeioplgkhanklclahllklceahbe",
          "installType": "admin",
          "language": "en-US",
          "platform": "Win32",
          "version": "1.2.0"
        },
        "isManaged": true,
        "profileId": "c5333b56-eb91-4889-865f-a46ddd908770",
        "timestamp": "2026-04-24T17:48:46.207Z",
        "userInfo": {
          "accountType": "work-school",
          "email": "eliW@<redacted>",
          "emailNotAvailable": false,
          "id": "118293719086173607571",
          "provider": "unknown",
          "reason": null
        }
      },
      "tabId": 540536471,
      "timestamp": "2026-04-24T17:48:47.295Z",
      "type": "security_event"
    },
    {
      "event": {
        "action": "warned",
        "clientId": null,
        "origin": "https://doc-04-68-apps-viewer.googleusercontent.com",
        "reason": "Domain squatting detected: Domain adds prefix/suffix to protected domain",
        "redirectTo": null,
        "ruleType": "domain_squatting",
        "severity": "medium",
        "squattingDetails": {
          "action": "warn",
          "confidence": 0.7,
          "detected": true,
          "protectedDomain": "google.com",
          "severity": "medium",
          "techniques": [
            {
              "confidence": 0.7,
              "description": "Domain adds prefix/suffix to protected domain",
              "pattern": "generic_combo",
              "prefix": "",
              "suffix": "usercontent",
              "technique": "combosquat"
            }
          ],
          "testDomain": "doc-04-68-apps-viewer.googleusercontent.com"
        },
        "threatDetected": true,
        "threatLevel": "medium",
        "timestamp": "2026-04-24T17:49:02.185Z",
        "type": "threat_detected",
        "url": "https[:]//doc-04-68-apps-viewer.googleusercontent.com/viewer/secure/pdf/969b0pnr24pqf889lvldb39bq5aqst1e/fdn4t0ftnj4df2dkme3jdrctoiv8bmqm/1777052850000/gmail/<redacted>?print=true",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
      },
      "profile": {
        "browserInfo": {
          "browserType": "chrome",
          "browserVersion": "147.0.0.0",
          "extensionId": "benimdeioplgkhanklclahllklceahbe",
          "installType": "admin",
          "language": "en-US",
          "platform": "Win32",
          "version": "1.2.0"
        },
        "isManaged": true,
        "profileId": "c5333b56-eb91-4889-865f-a46ddd908770",
        "timestamp": "2026-04-24T17:48:46.207Z",
        "userInfo": {
          "accountType": "work-school",
          "email": "eliW@<redacted>",
          "emailNotAvailable": false,
          "id": "118293719086173607571",
          "provider": "unknown",
          "reason": null
        }
      },
      "tabId": 540536474,
      "timestamp": "2026-04-24T17:49:02.185Z",
      "type": "security_event"
    },
    {
      "event": {
        "action": "warned",
        "clientId": null,
        "origin": "https://doc-10-68-apps-viewer.googleusercontent.com",
        "reason": "Domain squatting detected: Domain adds prefix/suffix to protected domain",
        "redirectTo": null,
        "ruleType": "domain_squatting",
        "severity": "medium",
        "squattingDetails": {
          "action": "warn",
          "confidence": 0.7,
          "detected": true,
          "protectedDomain": "google.com",
          "severity": "medium",
          "techniques": [
            {
              "confidence": 0.7,
              "description": "Domain adds prefix/suffix to protected domain",
              "pattern": "generic_combo",
              "prefix": "",
              "suffix": "usercontent",
              "technique": "combosquat"
            }
          ],
          "testDomain": "doc-10-68-apps-viewer.googleusercontent.com"
        },
        "threatDetected": true,
        "threatLevel": "medium",
        "timestamp": "2026-04-24T18:01:24.246Z",
        "type": "threat_detected",
        "url": "https[:]//doc-10-68-apps-viewer.googleusercontent.com/viewer/secure/pdf/969b0pnr24pqf889lvldb39bq5aqst1e/m3niidd00pgc2gucrt7h13ambssgm4hh/1777053600000/gmail/<redacted>",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
      },
      "profile": {
        "browserInfo": {
          "browserType": "chrome",
          "browserVersion": "147.0.0.0",
          "extensionId": "benimdeioplgkhanklclahllklceahbe",
          "installType": "admin",
          "language": "en-US",
          "platform": "Win32",
          "version": "1.2.0"
        },
        "isManaged": true,
        "profileId": "c5333b56-eb91-4889-865f-a46ddd908770",
        "timestamp": "2026-04-24T17:58:37.384Z",
        "userInfo": {
          "accountType": "work-school",
          "email": "eliW@<redacted>",
          "emailNotAvailable": false,
          "id": "118293719086173607571",
          "provider": "unknown",
          "reason": null
        }
      },
      "tabId": 540536497,
      "timestamp": "2026-04-24T18:01:24.247Z",
      "type": "security_event"
    },

Extension Version

1.2.0

Rules Version

1.2.0 (customized)

Relevant Logs / Stack Trace

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingnot-assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions