
What is a spoofing attack using lookalike domains?

Lookalike domain attacks use domains that are visually similar to legitimate ones. Attackers register domains like paypa1.com (the digit 1 in place of the letter l) or arnazon.com (rn looks like m) and send authenticated email from them.

These attacks bypass domain authentication completely. The message is technically legitimate: it is properly authenticated as coming from the lookalike domain. DMARC doesn't help because the attacker controls the sending domain.

Defense requires monitoring for lookalike domain registrations, user awareness training to verify domains carefully, and browser/client features that highlight suspicious domains. BIMI helps by showing verified logos only for legitimate domains.
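
The monitoring step above can be automated by comparing observed sender domains or newly registered domains against a list of protected brands. The following Python is an added example, not code from the original page; the protected list, the substitution table and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag domains that resemble a protected brand.
# PROTECTED, CONFUSABLES and max_distance are illustrative assumptions.
PROTECTED = {"paypal.com", "amazon.com"}

# Character sequences that render like another letter. The first and third
# come from the article's examples; extend the table for your own brands.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

def normalize(domain):
    """Lowercase and strip whitespace and the trailing root dot."""
    return domain.strip().lower().rstrip(".")

def skeleton(domain):
    """Collapse visually confusable sequences to one canonical form."""
    d = normalize(domain)
    for seen, canon in CONFUSABLES:
        d = d.replace(seen, canon)
    return d

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, protected=PROTECTED, max_distance=1):
    """Return (verdict, matched_brand) for one observed domain."""
    d = normalize(domain)
    if d in protected:
        return ("legitimate", d)
    for brand in sorted(protected):
        # Same skeleton but different string: a visual substitution.
        if skeleton(d) == skeleton(brand):
            return ("lookalike-confusable", brand)
    for brand in sorted(protected):
        # Near miss that is not a known visual swap: likely a typo variant.
        if edit_distance(d, brand) <= max_distance:
            return ("lookalike-typo", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample input, e.g. From: domains or a new-registration feed.
    for sample in ["paypal.com", "paypa1.com", "arnazon.com", "amazom.com", "example.org"]:
        print(sample, classify(sample))
```

Because a lookalike message passes SPF, DKIM and DMARC for its own domain, a check like this has to run on the domain string itself rather than on the authentication result.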
