[Bug]: Domain squatting false positives

[ak47uk]

Required confirmations before submitting

• I can reproduce this issue on the latest released version of Check.
• I have searched existing issues (both open and closed) to avoid duplicates.
• I am not requesting general support; this is an actual bug report.

Issue Description

Since yesterday, several legit sites are triggering "Security threat detected: Domain squatting detected: Domain adds prefix/suffix to protected domain", the protected domain is always "unifi.ui.com". There is a banner at the top of the page:

Example sites that trigger the warning:
plugin.intuitcdn.net
entrabackup.dropsuite.uk
qbo.intuit.com
qbo-preload.app.intuit.com
qfp.intuit.com
accounts.intuit.com

Extension Version

1.2.0

Rules Version

1.2.0

Relevant Logs / Stack Trace

{
  "action": "warn",
  "confidence": 0.7,
  "detected": true,
  "protectedDomain": "unifi.ui.com",
  "severity": "medium",
  "techniques": [
    {
      "confidence": 0.7,
      "description": "Domain adds prefix/suffix to protected domain",
      "pattern": "generic_combo",
      "prefix": "drops",
      "suffix": "te",
      "technique": "combosquat"
    }
  ],
  "testDomain": "entrabackup.dropsuite.uk"
}



{
  "browserInfo": {
    "browserType": "edge",
    "browserVersion": "147.0.0.0",
    "extensionId": "knepjpocdagponkonnbggpcnhnaikajg",
    "installType": "admin",
    "language": "en-GB",
    "platform": "Win32",
    "version": "1.2.0"
  },
  "isManaged": true,
  "profileId": "removed",
  "timestamp": "2026-04-15T07:13:46.657Z",
  "userInfo": {
    "accountType": "work-school",
    "email": "removed",
    "emailNotAvailable": false,
    "id": "removed",
    "provider": "unknown",
    "reason": null
  }
}

[Zacgoose]

Please mark squatting as disabled in the mean time

[ak47uk]

It looks like it is just ultra sensitive and is treating *.*ui*.* as squatting of unifi.ui.com.

[homotechsual]

Also seeing this:

Page URL: https://sanctuarystartswithus.good.do/act/write-to-your-Senedd/?embedded=
Hostname: sanctuarystartswithus.good.do
Timestamp (UTC): 2026-04-15T08:28:39.287Z
Banner Title: ⚠️ Suspicious Domain Detected
Displayed Reason: This website's domain looks similar to "zoom.us" but is NOT the legitimate site. Be careful entering any credentials.
Detection Score: N/A

Detected Indicators:
Domain squatting techniques detected:
levenshtein: Domain differs by 2 character(s) from protected domain

[Zacgoose]

Make sure you update your rules as those extra domains have been removed.

…

On Wed, Apr 15, 2026 at 17:57 homotechsual ***@***.***> wrote: *homotechsual* left a comment (CyberDrain/Check#145) <#145 (comment)> Also seeing this: Page URL: https://sanctuarystartswithus.good.do/act/write-to-your-Senedd/?embedded= Hostname: sanctuarystartswithus.good.do Timestamp (UTC): 2026-04-15T08:28:39.287Z Banner Title: ⚠️ Suspicious Domain Detected Displayed Reason: This website's domain looks similar to "zoom.us" but is NOT the legitimate site. Be careful entering any credentials. Detection Score: N/A Detected Indicators: Domain squatting techniques detected: levenshtein: Domain differs by 2 character(s) from protected domain — Reply to this email directly, view it on GitHub <#145 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZUCTBB4MQAIODIUWYP3D4T4V5MIBAVCNFSM6AAAAACXZ2HPY2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DENJRGA3DANRZGM> . You are receiving this because you commented.Message ID: ***@***.***>

[erikvdberg86]

We can reproduce this on 1.2.0 / rules 1.2.0 with a legitimate Citrix/NetScaler login page:

URL REDACTED

Blocked as:
Domain Squatting: This site closely resembles "office.com"

Additional notes:

Reproduced in both Chrome and Edge
Extension is managed
URL allowlist is present in registry/policy
Tested with wildcard and exact URL allowlist entries, but the site is still blocked