
Integrations

Connect SpoofChecker to your existing security tools to receive threat alerts wherever your team already works. All integrations are configured from your Account → Integrations page.

Slack — Incoming Webhook

Get a real-time Slack message every time SpoofChecker detects a new threat domain targeting your brand.

  1. Create or open a Slack App

    Go to api.slack.com/apps and click Create New App → From scratch. Give it a name (e.g. "SpoofChecker Alerts") and pick your workspace. If you already have an app you want to reuse, just select it from the list.

  2. Enable Incoming Webhooks

    In the left sidebar of your app settings, click Incoming Webhooks. Toggle the switch to On.

  3. Add a webhook to your workspace

    Scroll down and click Add New Webhook to Workspace. Choose the channel where you want threat alerts to appear (e.g. #security-alerts) and click Allow.

    💡 Create a dedicated #spoofchecker-alerts channel to keep threat notifications separate from other team traffic.
  4. Copy the webhook URL

    Slack will generate a URL that looks like:

    https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

    Copy this — you'll need it in the next step.

  5. Paste it into SpoofChecker

    Go to Account → Integrations → Slack, paste your webhook URL into the Webhook URL field, and click Save Changes. You can then click Send Test Message to confirm everything is working.


What a Slack alert looks like

When a threat is detected, SpoofChecker posts a message to your channel containing:

  • The suspicious domain name and risk level (e.g. Critical / High / Medium)
  • Which of your monitored domains it is targeting
  • Active threats detected (lookalike logo, phishing keywords, active MX, etc.)
  • Hosting information and SSL issuer
  • A direct link to the full threat report in your dashboard
⚠️ Webhook URLs give anyone who has them the ability to post into your channel. Treat them like a password — do not share them publicly or commit them to source control.

Splunk — HTTP Event Collector (HEC)

Forward every threat event and new-domain discovery directly into your Splunk SIEM for correlation, dashboards, and automated playbooks.

  1. Enable HTTP Event Collector in Splunk

    In Splunk Web, go to Settings → Data Inputs → HTTP Event Collector. If HEC is disabled, click Global Settings and set All Tokens to Enabled. Make sure the HEC port (8088 by default) is reachable from the internet, or from Splunk Cloud's ingestion pipeline.

  2. Create a new HEC token

    Click New Token and fill in the wizard:

    • Name: SpoofChecker
    • Source type: spoofchecker (or leave as automatic)
    • Index: main (or a dedicated security index)

    Complete the wizard and copy the generated token — it looks like a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Find your HEC endpoint URL

    The URL format depends on your Splunk deployment:

    Self-hosted / on-prem:

    https://your-splunk-host:8088/services/collector/event

    Splunk Cloud (trial/free tier):

    https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event

    Splunk Cloud (Enterprise):

    https://http-inputs-xxxxx.splunkcloud.com/services/collector/event
    💡 For Splunk Cloud, your HEC hostname is shown in Settings → Data Inputs → HTTP Event Collector → Global Settings.
  4. Enter your credentials in SpoofChecker

    Go to Account → Integrations → Splunk, fill in both the HEC URL and HEC Token, and click Save Changes. Use Send Test Event to verify the connection before relying on it in production.


Event schema

SpoofChecker sends two types of events to Splunk. Both use sourcetype = spoofchecker and index = main.

Threat detected

{
  "event_type": "threat_detected",
  "target_domain": "yourcompany.com",
  "typo_domain": "yourcompany-login.com",
  "risk_label": "Critical",
  "risk_score": 95,
  "threats": ["Lookalike logo", "Phishing keywords detected", "Active MX"],
  "registrar": "Namecheap, Inc.",
  "hosting": "AS13335 Cloudflare",
  "ssl_issuer": "Let's Encrypt",
  "mx_active": true,
  "screenshot_url": "https://storage.googleapis.com/...",
  "created": "2026-01-15"
}

New domains discovered

{
  "event_type": "new_domains_detected",
  "domain_count": 3,
  "domains": ["yourcompany-verify.net", "yourcompany.xyz", "yourcornpany.com"]
}

Searching in Splunk

Use these SPL queries to get started:

index=main sourcetype=spoofchecker event_type=threat_detected | table _time, target_domain, typo_domain, risk_label, threats

index=main sourcetype=spoofchecker | timechart count by event_type
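⚠️ Self-signed certificates: If your on-prem Splunk uses a self-signed TLS certificate, SpoofChecker will still connect, because SSL verification is relaxed for Splunk endpoints to support common enterprise deployments. Relaxed verification means the endpoint's certificate is not authenticated, so the connection is encrypted but the HEC token and events are not protected from an on-path interceptor. For production, we recommend using a valid certificate from a trusted CA.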

Microsoft Teams — Incoming Webhook

Route SpoofChecker threat alerts directly into any Teams channel using the built-in Incoming Webhook connector. No app installation required.

  1. Open your Teams channel

    Navigate to the channel where you want to receive alerts. Click the (More options) button next to the channel name and select Connectors.

  2. Configure Incoming Webhook

    In the connector list, find Incoming Webhook and click Configure. Give it a name (e.g. SpoofChecker Alerts), optionally upload a logo, then click Create.

    💡 If you don't see Connectors, your Teams admin may need to enable them under Teams Admin Center → Org-wide app settings.
  3. Copy the webhook URL

    Teams will generate a unique URL that looks like:

    https://outlook.office.com/webhook/xxxxxxxx-xxxx.../IncomingWebhook/...

    Copy this — you'll need it in the next step.

  4. Paste it into SpoofChecker

    Go to Account → Integrations → Teams, paste the webhook URL into the Webhook URL field, and click Save Changes. Then click Send Test Message to confirm it's working.


What a Teams alert looks like

When a threat is detected, SpoofChecker posts a card to your channel containing:

  • The suspicious domain name and the target domain it is spoofing
  • Risk level (e.g. Critical / High / Medium)
  • Active heuristics that triggered the alert (lookalike logo, phishing keywords, active MX, etc.)
  • New-domain alerts when newly registered typosquat domains are discovered
⚠️ Webhook URLs give anyone who has them the ability to post into your channel. Treat them like a password — do not share them publicly or commit them to source control.
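
A pre-commit style check for the warning above (and the identical one in the Slack section), added here as an example and not SpoofChecker code: it flags Slack and Teams webhook URLs in text about to be committed, skips documentation placeholders, and redacts what it reports. The regular expressions are assumptions based on the URL shapes shown on this page, and the sample file is constructed.

```python
import re

# URL shapes taken from the examples on this page; the character classes
# are assumptions and deliberately loose.
PATTERNS = {
    "slack": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9]+"),
    "teams": re.compile(r"https://outlook\.office\.com/webhook/[^\s\"'<>]+"),
}
# Documentation filler: only X, x, 0, dots and dashes after a T/B prefix.
PLACEHOLDER = re.compile(r"^[Xx0.\-]+$")


def is_placeholder(url):
    """True when every secret-bearing path segment is filler, as in docs."""
    path = url.split("/", 3)[3]  # drop scheme and host
    fixed = ("services", "webhook", "IncomingWebhook")
    segments = [s for s in path.split("/") if s not in fixed]
    return all(PLACEHOLDER.match(s.lstrip("TB")) for s in segments)


def redact(url):
    """Keep scheme and host, mask the secret path so reports are safe to log."""
    return "/".join(url.split("/", 3)[:3]) + "/[REDACTED]"


def scan(text):
    """Return (line_number, kind, redacted_url) for each live-looking URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if not is_placeholder(match.group(0)):
                    findings.append((lineno, kind, redact(match.group(0))))
    return findings


# Constructed sample: a config file staged for commit (all values made up).
SAMPLE = """\
# alerts.env
SLACK_DOC_EXAMPLE=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
SLACK_WEBHOOK=https://hooks.slack.com/services/T0EXAMPLE1/B0EXAMPLE2/abcDEF123constructedTOKEN
TEAMS_WEBHOOK="https://outlook.office.com/webhook/1111aaaa-constructed/IncomingWebhook/2222bbbb/3333cccc"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("webhook URL in file: line %d, %s, %s" % finding)
```

A non-empty result from `scan` is the signal to block the commit and rotate the affected webhook.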

Generic Webhook

Send alerts to any HTTP endpoint — Zapier, Make (Integromat), n8n, Tines, a custom SIEM, or your own API. SpoofChecker POSTs a JSON payload every time a threat is detected.

  1. Get your webhook URL

    Create a webhook trigger in your platform of choice — for example, a Zapier Catch Hook step, a Make HTTP module, or your own API endpoint — and copy the URL.

  2. Get your Authorization header (optional)

    If your endpoint requires authentication, get the full header value. Common formats:

    Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
    Token abc123
    💡 Leave this field blank if your endpoint is publicly reachable or uses IP allowlisting instead of a token.
  3. Paste into SpoofChecker

    Go to Account → Integrations → Webhook, enter the URL and optional Authorization header, then click Save Changes.

  4. Send a test request

    Click Send Test Request to verify the connection. Any 2xx response code means everything is working.


Event schema

SpoofChecker sends two types of events. Both use Content-Type: application/json.

Threat detected

{
  "source": "spoofchecker",
  "event_type": "threat_detected",
  "timestamp": 1718000000,
  "typo_domain": "paypa1.com",
  "target_domain": "paypal.com",
  "risk_level": "HIGH",
  "threats": ["Full email spoofing setup: SPF+DKIM", "Newly registered domain (< 30 days)"]
}

New domains discovered

{
  "source": "spoofchecker",
  "event_type": "new_domains_detected",
  "timestamp": 1718000000,
  "domain_count": 2,
  "domains": ["paypa1.com", "paypall.net"]
}
⚠️ HTTP 2xx required. SpoofChecker considers any 2xx response a success. Non-2xx responses are logged as failed deliveries. Ensure your endpoint responds within 10 seconds to avoid timeouts.
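
A receiving-side sketch for the generic webhook, added here as an example and not SpoofChecker code: it checks the Authorization header in constant time, validates the payload against the schema above, and acknowledges with a 2xx before any slow processing. The handler name, the `EXPECTED_AUTH` value, the choice of 202 and the `headers` dict keyed by canonical header names are assumptions; the sample delivery is constructed from the payload shown on this page.

```python
import hmac
import json
import queue

# Assumption: the receiver stores the same full header value that was
# entered in SpoofChecker's Authorization field (constructed value).
EXPECTED_AUTH = "Token constructed-example-secret"

# Required fields and their JSON types, from the event schema on this page.
SCHEMA = {
    "threat_detected": {"timestamp": int, "typo_domain": str, "target_domain": str,
                        "risk_level": str, "threats": list},
    "new_domains_detected": {"timestamp": int, "domain_count": int, "domains": list},
}
WORK_QUEUE = queue.Queue()  # slow triage runs off the request path


def handle_delivery(headers, body):
    """Return (http_status, reason) for one POST (hypothetical handler)."""
    supplied = headers.get("Authorization", "")
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(supplied.encode(), EXPECTED_AUTH.encode()):
        return 401, "bad authorization header"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    if not isinstance(event, dict) or event.get("source") != "spoofchecker":
        return 400, "unexpected source"
    event_type = event.get("event_type")
    fields = SCHEMA.get(event_type) if isinstance(event_type, str) else None
    if fields is None:
        return 400, "unknown event_type"
    for name, kind in fields.items():
        if not isinstance(event.get(name), kind):
            return 400, "missing or mistyped field: " + name
    WORK_QUEUE.put(event)  # acknowledge quickly, well inside the timeout
    return 202, "accepted"


# Constructed deliveries reusing the sample payload from this page.
GOOD_HEADERS = {"Authorization": EXPECTED_AUTH, "Content-Type": "application/json"}
THREAT = json.dumps({
    "source": "spoofchecker", "event_type": "threat_detected",
    "timestamp": 1718000000, "typo_domain": "paypa1.com",
    "target_domain": "paypal.com", "risk_level": "HIGH",
    "threats": ["Full email spoofing setup: SPF+DKIM",
                "Newly registered domain (< 30 days)"],
})
```

Rejected deliveries return non-2xx, so they appear as failed deliveries on the SpoofChecker side rather than being silently dropped.
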
Ready to configure your integration?

Go to your account settings to connect Slack, Splunk, Teams, or a custom webhook in under two minutes.
