mrA2Z0101/PhishEye-Recon


Manual homograph & suspicious domain inspection toolkit with optional SOC-style intelligence enrichment.

PhishEye Recon is a browser extension designed to help security analysts, developers, and everyday users quickly analyze domains, URLs, and emails for phishing indicators. It focuses on visual deception (homograph attacks), brand impersonation, and risk scoring, with optional integrations for deeper threat intelligence.


🚀 Features

🔍 Core Detection Engine

  • Detects homograph attacks (rn → m, vv → w, etc.)
  • Identifies Unicode confusables (Cyrillic, Greek lookalikes)
  • Flags punycode domains (xn--)
  • Detects typosquatting & brand impersonation
  • Checks:
    • Suspicious keywords (login, verify, secure, etc.)
    • Suspicious TLDs (.xyz, .ru, .tk, etc.)
    • Long or deeply nested domains

📊 Risk Scoring

  • Score from 0–100
  • Levels:
    • LOW
    • MEDIUM
    • HIGH
  • Clear explanation of findings for fast triage

🧠 Intelligence Panel

  • ASCII vs Unicode detection
  • Punycode visibility
  • Pattern hits
  • Keyword hits
  • Brand detection
  • Input classification (URL, email, domain)

🖥️ SOC Mode (Advanced)

  • VirusTotal enrichment
  • urlscan.io integration
  • Remote screenshot preview
  • Threat context + detection summary
  • SOC-style dashboard UI

🧩 How It Works

  1. Visual Analysis
    Detects characters that visually mimic others

  2. Normalization Engine
    Converts domains into comparable formats

  3. Brand Matching
    Detects spoofed or near-match brands

  4. Heuristic Scoring
    Combines multiple signals into a final risk score
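
The four stages above, sketched as an added JavaScript example. It is not code from PhishEye Recon's popup.js; the brand list, confusables table, point weights and LOW/MEDIUM/HIGH thresholds are assumptions chosen for illustration.

```javascript
// Added illustration: lists, weights and thresholds are assumptions, not PhishEye Recon's values.
const BRANDS = ["paypal", "microsoft", "google", "amazon"]; // constructed sample
const KEYWORDS = ["login", "verify", "secure"];             // README examples
const RISKY_TLDS = ["xyz", "ru", "tk"];                     // README examples
// Cyrillic/Greek lookalikes plus digit swaps, mapped to their ASCII twin.
const CONFUSABLES = { "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u03b1": "a", "0": "o", "1": "l" };
const SEQUENCES = [["rn", "m"], ["vv", "w"]];               // README examples
// Normalization: fold a label to the string a reader would perceive.
function skeleton(label) {
  let s = [...label.toLowerCase().normalize("NFKC")].map((ch) => CONFUSABLES[ch] ?? ch).join("");
  for (const [from, to] of SEQUENCES) s = s.split(from).join(to);
  return s;
}

// Levenshtein distance, used to catch one-character typosquats.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}

// Brand matching and heuristic scoring over one raw domain string.
function analyze(domain) {
  const labels = domain.trim().toLowerCase().split(".");
  const findings = [];
  let raw = 0;
  const add = (points, text) => { raw += points; findings.push(text); };
  if (labels.some((l) => l.startsWith("xn--"))) add(25, "punycode label");
  if (/[^\x00-\x7f]/.test(domain)) add(25, "non-ASCII characters");
  if (RISKY_TLDS.includes(labels[labels.length - 1])) add(15, "suspicious TLD");
  for (const label of labels.slice(0, -1)) {
    const skel = skeleton(label);
    for (const kw of KEYWORDS) if (label.includes(kw)) add(10, `keyword: ${kw}`);
    for (const brand of BRANDS) {
      if (label === brand) continue; // the brand's own spelling is not a lookalike
      if (skel === brand) add(40, `lookalike of ${brand}`);
      else if (editDistance(skel, brand) === 1) add(30, `near-match of ${brand}`);
      else if (skel.includes(brand)) add(20, `embeds ${brand}`);
    }
  }
  const score = Math.min(raw, 100);
  return { score, level: score >= 60 ? "HIGH" : score >= 30 ? "MEDIUM" : "LOW", findings };
}
```

Punycode labels are flagged but not decoded in this sketch, so a lookalike supplied only in its xn-- form is scored on the punycode flag alone.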


⚙️ Installation

Load Unpacked Extension (Chrome / Brave / Edge)

  1. Download or clone this repository
  2. Open your browser and go to:
    chrome://extensions/
  3. Enable Developer Mode
  4. Click Load unpacked
  5. Select the extension folder

🧪 Usage

  1. Click the PhishEye Recon icon
  2. Enter:
    • Domain (example.com)
    • URL (https://example.com)
    • Email (user@example.com)
  3. Click SCAN

Optional

  • Click USE TAB to scan the current page
  • Enable SOC Mode for deeper analysis

🔐 API Integrations (Optional)

VirusTotal

  • Add API key in settings
  • Provides reputation and detection stats

urlscan.io

  • Add API key
  • Enables:
    • Remote scan
    • Screenshot preview
    • IP + infrastructure data

🖼️ UI Overview

  • Standard Mode → Fast, lightweight scanning
  • SOC Mode → Full analyst dashboard

Includes:

  • Risk badges
  • Structured findings
  • Expandable intel panels

📁 Project Structure

├── manifest.json   # Extension configuration
├── popup.html      # UI layout
├── popup.css       # Styling (SOC + standard)
├── popup.js        # Detection engine + logic
└── icons/          # Extension icons

🛠️ Permissions

  • activeTab → Read current tab URL
  • tabs → Access tab info
  • storage → Save settings

External APIs:

  • VirusTotal
  • urlscan.io

⚠️ Security Notes

  • No automatic browsing unless triggered
  • urlscan runs in a remote sandbox
  • API keys stored locally
  • Built for analysis, not exploitation

🎯 Use Cases

  • SOC analysts triaging phishing
  • Blue team investigations
  • Cybersecurity learners
  • Developers validating domains
  • Everyday users checking suspicious links

🔮 Roadmap

  • Full-page screenshot stitching
  • Passive scanning (no open tab)
  • Export reports (PDF / JSON)
  • More threat intel integrations
  • Context menu scanning

👤 Author

Aaron Zajicek
Cybersecurity & Automation Builder


⭐ Support

If you find this useful:

  • Star the repo
  • Share it
  • Contribute ideas

Expose what hides in plain sight.

About

PhishEye Recon – Browser extension for detecting phishing, homograph attacks, and domain spoofing. Features risk scoring, brand impersonation detection, Unicode analysis, and optional VirusTotal & urlscan integration for SOC-style threat intelligence, deep URL analysis, real-time investigation, and enhanced cybersecurity awareness.
