How to verify the domain in an email

Before analyzing the domain, let's first look at what makes up an email address: it consists of two parts, the username and the domain. Attackers often manipulate both the username and the domain to resemble trusted sources. Among the domain manipulation methods, three are most common:

  • Exploiting expired domains.
  • Substituting the top-level domain; for instance, replacing .org with .com.
  • Introducing variations or misspellings:
    • Common misspellings: goggle.com instead of google.com.
    • Adding a dot or another character: go.gle.com instead of google.com.
    • Replacing letters with numbers: g00gle.com instead of google.com.
    • Using plurals or singulars interchangeably: googles.com instead of google.com.
    • Adding extra words: googleresults.com instead of google.com.
    • Substituting letters with similar or identical-looking characters from other scripts, which appear the same to the human eye but are read differently by computers; for example, the letter "a" from the Latin script and the letter "а" from the Cyrillic script look alike but are different characters.
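
The variations listed above can be checked mechanically against a domain you already trust. The following is an added example, not code from the original page: `check_sender`, its reason labels, and the edit-distance thresholds are assumptions chosen for illustration, and it assumes the trusted domain is written in Latin letters with a single-label TLD. Expired-domain reuse is not covered, because detecting it needs registration data rather than string comparison.

```python
import unicodedata

DIGIT_MAP = str.maketrans("01345", "oieas")  # common digit-for-letter swaps

def scripts(label):
    """Scripts of the letters in a label (first word of each Unicode character name)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address, trusted):
    """Return why the sender's domain imitates `trusted`, or None if it does not."""
    domain = address.rpartition("@")[2].lower().rstrip(".")  # part after the last "@"
    trusted = trusted.lower()
    if domain == trusted:
        return None
    name, _, tld = domain.rpartition(".")      # assumes a single-label TLD
    t_name, _, _ = trusted.rpartition(".")
    if scripts(name) - {"LATIN"}:              # letters from another script
        return "non-latin-lookalike"
    if name == t_name:                         # same name, different TLD
        return "tld-swap"
    if name.translate(DIGIT_MAP) == t_name:    # g00gle -> google
        return "digit-substitution"
    stripped = name.replace(".", "").replace("-", "")
    if stripped != name and edit_distance(stripped, t_name) <= 1:
        return "added-character"               # go.gle -> gogle, one edit from google
    if t_name in name:                         # googles, googleresults
        return "extra-word-or-plural"
    if edit_distance(name, t_name) <= 2:       # goggle
        return "misspelling"
    return None
```

A result of `None` only means the domain does not resemble the one trusted domain it was compared with; it says nothing about whether the sender is legitimate.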