Technical April 1, 2026 7 min read

Using Certificate Transparency Logs to Catch Phishing Early

Every SSL certificate issued is recorded in a public ledger. If you know where to look, you can detect phishing infrastructure before it goes live.

When an attacker sets up a phishing site, one of the first things they do is obtain an SSL certificate. The padlock icon in the browser gives their site an appearance of legitimacy. Without it, modern browsers display warnings that most victims would notice.

But that certificate issuance leaves a trail. Every certificate issued by a public Certificate Authority is recorded in a public, append-only ledger called a Certificate Transparency (CT) log. And those logs are searchable.

How Certificate Transparency Works

CT is a framework originally created by engineers at Google in 2013. It requires Certificate Authorities to submit every certificate they issue to one or more public log servers before the certificate is considered valid. The logs are append-only, meaning entries cannot be modified or deleted after submission.

The original goal was accountability: if a CA issues a certificate it should not have (for a domain the requester does not own, for example), the evidence is permanently recorded and auditable. But CT logs have a powerful secondary use case: threat detection.

When an attacker requests a certificate for your-brand-login.com from Let's Encrypt, that issuance appears in CT logs within minutes. If you are watching those logs for certificates containing your brand name, you learn about the threat before the phishing page is even deployed.

The Detection Window

Traditional domain monitoring detects threats at the DNS level: a domain is registered, it resolves to an IP, it serves HTTP content. But there is often a gap between registration and activation. An attacker may register a domain and leave it parked for days or weeks before setting up the phishing page.

CT monitoring fills that gap. The typical attack timeline looks like this:

  1. Domain registered
  2. Domain sits dormant
  3. Attacker requests SSL certificate (CT log entry created)
  4. Phishing page deployed
  5. Phishing emails sent to targets

Without CT monitoring, detection typically happens at step 4 or 5. With CT monitoring, you catch the activity at step 3, often hours or days before the phishing campaign launches.

Querying CT Logs

The most widely used search interface is crt.sh, a free service operated by Sectigo. A wildcard search for certificates containing your brand name looks like this:

https://crt.sh/?q=%25yourbrand%25

The %25 characters are the URL-encoded form of %, the wildcard character crt.sh accepts in its search syntax. This returns every certificate ever issued whose name contains the string "yourbrand," including subdomains and variations.

For a quick investigation, this is sufficient. For ongoing protection, manual queries are not practical. CT logs ingest millions of new certificates daily. By the time you run a manual search, a phishing site could have been live for hours.

Scaling CT Monitoring

Effective CT monitoring requires automation. A monitoring system polls CT log servers on a schedule (typically every few hours), filters results against a list of protected brand names, eliminates known-good entries (your own certificates, legitimate subdomains), and triggers alerts for anything suspicious.

The filtering step is important. A search for "amazon" in CT logs returns thousands of results daily, most of them legitimate (Amazon's own infrastructure, AWS services, third-party integrations). Without filtering, the signal-to-noise ratio makes the data unusable.
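The poll-filter-alert pipeline described above, as an added example that is not part of the original post or of any product it mentions. The crt.sh JSON sample is constructed (field names follow crt.sh's `output=json` format, values are made up), the brand and allowlist values are assumptions, and the separator-collapsing match goes slightly beyond the plain substring query in the text so that `your-brand-login` is still caught.

```python
import json
import re
from urllib.parse import quote

# Constructed sample shaped like https://crt.sh/?q=%25yourbrand%25&output=json.
# One record per certificate; name_value holds newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "login.yourbrand.com\nwww.yourbrand.com",
     "not_before": "2026-03-30T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "your-brand-login.com\nwww.your-brand-login.com",
     "not_before": "2026-03-31T09:12:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "yourbrand.secure-verify.net",
     "not_before": "2026-03-31T11:40:00"},
])

PROTECTED_BRANDS = ["yourbrand"]       # assumed brand strings to watch for
KNOWN_GOOD_ZONES = {"yourbrand.com"}   # assumed apex domains you actually own


def crtsh_query_url(brand):
    """Build the wildcard query from the article; quote() turns % into %25."""
    return "https://crt.sh/?q=" + quote(f"%{brand}%") + "&output=json"


def is_known_good(hostname, zones=KNOWN_GOOD_ZONES):
    """True when the name is inside a zone we own (handles '*.' wildcards)."""
    host = hostname.lower().lstrip("*.")
    return any(host == z or host.endswith("." + z) for z in zones)


def normalize(hostname):
    """Collapse separators so 'your-brand' and 'your_brand' match 'yourbrand'."""
    return re.sub(r"[-_.]", "", hostname.lower())


def find_suspicious(crtsh_json, brands=PROTECTED_BRANDS):
    """Filter crt.sh results: drop allowlisted names, keep brand lookalikes."""
    alerts = []
    for entry in json.loads(crtsh_json):
        for name in entry["name_value"].split("\n"):
            if is_known_good(name):
                continue  # our own infrastructure, not an alert
            if any(b in normalize(name) for b in brands):
                alerts.append({"cert_id": entry["id"], "hostname": name,
                               "issuer": entry["issuer_name"],
                               "seen": entry["not_before"]})
    return alerts
```

In a scheduled run, replace `SAMPLE_CRTSH_JSON` with the body fetched from `crtsh_query_url(brand)` and persist the `cert_id` values already alerted on so each certificate is reported once.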

Responding to a CT Alert

When a suspicious certificate is detected, the response should follow this sequence:

First, check whether the domain resolves and serves content. A certificate for a domain that does not resolve is suspicious but not yet active. A certificate for a domain that is already serving a cloned version of your login page requires immediate action.

Second, assess the broader infrastructure. Does the domain have MX records (can it send and receive email)? Is it hosted behind a CDN like Cloudflare? What registrar was used? These details inform both the risk level and the takedown strategy.

Third, report it. File abuse reports with the registrar, the hosting provider, and browser-based blocklists (Google Safe Browsing, Microsoft SmartScreen). If the site is behind Cloudflare, you will also need to file a separate report through their abuse portal.

CT log monitoring is one of the most effective early warning systems available for brand protection. The data is free, public, and comprehensive. The challenge is not access; it is building the automation and filtering required to act on it before your customers are targeted.

Protect your brand from lookalike domains

PhishFence monitors your domain for typosquats, homoglyphs, and phishing sites — and alerts you before your customers are targeted.
