Making COVID-19 Threat Intelligence Actionable

Shield Concept Image

Release of NEW COVID-19-Specific Dynamic Blacklist powered by DomainTools

Last week, DomainTools, one of our strategic threat intelligence partners, made available a free, curated list of high-risk COVID-19-related domains. This is an admirable move by DomainTools and their desire “to support the community during the Coronavirus crisis.”  

As a service to our customers and consistent with our vision of making threat intelligence actionable, we have quickly moved to integrate this threat intelligence into the Threater Threat Intelligence Protection Platform. As such, we are pleased to announce that this threat intelligence is now available as an automatic, domain blacklist. We are also pleased to announce that this threat intelligence is available to all Threater customers (note that threat intelligence from DomainTools is typically only available as part of our Enterprise Subscription).

In this blog we will take a look at: 

  • DomainTools COVID-19 threat intelligence findings
  • DomainTools COVID-19 Threat List
  • How you can use this threat intelligence in the Threater Threat Intelligence Gateway to improve network protection and visibility into COVID-19-related threats

DomainTools COVID-19 Threat Intelligence Findings

As highlighted in our recent blog “The Very Real Impact of COVID-19 Cyber Threats”, threat actors are taking advantage of the COVID-19 pandemic to launch cyberattacks, including phishing campaigns. This is validated by data from DomainTools which shows a significant increase in domain name registrations per day related to COVID-19 terms. The data shows a massive uptick in domain registrations that started March 14, with more than 3,500 new domains being registered on a daily basis thereafter. While recent data shows a decline in the volume of daily registrations from peak levels, they remain at elevated levels. According to DomainTools, the list has proven to be quite volatile and immediately responsive to changing news regarding COVID-19.

DomainTools COVID-19 Threat List Details:

In response to the increase in COVID-19-related threats, DomainTools launched a free, curated list of high-risk COVID-19-related domains. These domains have a “high probability” of being associated with COVID-19 related threats. 

In order to identify and categorize threat intelligence specifically related to COVID-19, DomainTools took into account four distinct considerations: 

  • List Criteria
    • Domains registered on or after January 1, 2020
    • Domain names containing one or more terms or term variants related to COVID-19
    • Domains having a Domain Risk Score of 70 or higher
  • Terms and Variants
    • DomainTools generated a list of terms identified and being used in malicious domains related to COVID-19. Some examples include “corona”, “covid19”, and “chineseflu”. They then ran these terms through their PhishEye algorithm to generate potential “phishy” variants of these terms. Some examples of these variants include “c0vid”, “corrona”, and “koronawirus”.
    • DomainTools is actively monitoring the terms used for this list compared to new domain registrations and will make changes and updates to the list over time as needed.
  • Risk Score
    • The DomainTools Risk Score enables a determination of the perceived level of risk associated with listed domains. The COVID-19 Threat List is sorted by both risk score and domain create date. Domains are scored on a 0 to 99 scale, and DomainTools by default recommends that scores of 70 and higher are indications that the domain was registered with malicious intent.
    • Note that this DomainTools COVID-19 threat list is considered “predictive” as many of these domains are not yet operationalized. As such there are not specific indicators of compromise for these domains. Therefore, DomainTools recommend users consider this threat list as a “watchlist for future positives.” 

Using DomainTools’ COVID-19 Threat Intelligence in the Threater Threat Intelligence Gateway (TIG)

Consistent with our mission of making threat intelligence actionable, we’ve made the DomainTools’ COVID-19 threat intelligence available to all Threater customers. Specifically, we’ve made available two automatic domain blacklists.

  • COVID-19-DomainTools-99 is a list of COVID-19-related domains with a Risk Score of 99 and higher. This list currently contains over 50,000 domains
  • COVID-19-DomainTools-70 is a list of COVID-19-related domains with a Risk Score of 70 and higher. This list currently contains over 90,000 domains.

We recommend that customers treat the blacklist with Risk Scores of 99 and higher as a blacklist and treat the broader list with Risk Scores of 70 and higher as more of a “watch” list.

Threater customers can access these lists via Global Management Center by clicking Blacklist on the left menu and then Domains.


Threat actors are clearly looking to take advantage of the COVID-19 pandemic, which is supported by threat intelligence from leading providers like DomainTools. DomainTools move to make COVID-19 threat intelligence freely available is a great move to help organizations improve protection and increase visibility into threats during a time of need. At Threater, our mission is to make threat intelligence actionable and we’re proud that we are able to quickly mobilize to enable our customers to take advantage of COVID-19-related threat intelligence to increase network protection and increase visibility into COVID-19-related threats.

For more information about Threater visit

For more information about DomainTools visit

For more information about how Threater aggregates, integrates, and acts on DomainTools threat intelligence, see our joint solution brief located here.

To start protecting your network with actionable threat intelligence today, call 1.855.765.4925 or email