5 May, 2026

Credential Harvesting Risk Defeated as Michelin Secures Six Infringing Domains

UDRP Cases

Compagnie Générale des Etablissements Michelin successfully obtained the transfer of six disputed domain names, including adminmichelinguide.com, from respondent Phil Howard. Five of the domains hosted a deceptive, shared interface mimicking an official MICHELIN login screen, while one remained inactive. Sole Panelist Leo (Yi) Liu ruled that the domains were registered and operated in bad faith, ordering a full transfer of the portfolio.

Case Snapshot

Case Number D2025-4529
Complainant Compagnie Générale des Etablissements Michelin
Respondent Kithcen 47, Phil Howard
Disputed Domain
adminmichelinguide.comgomichelinstars.commichelinfoodtaste.commichelinfoodtaste.netmichelinguidedish.commichelinguidedish.net
Threat Tactic Corporate Impersonation
Decision Date 2025-12-29
Panelist Leo (Yi) Liu
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4529

Credential Harvesting and Trust Erosion via Unauthorized Brand Login Portals

The deployment of a highly deceptive, shared login interface across five of the registered domains—specifically gomichelinstars.com, michelinfoodtaste.com, michelinfoodtaste.net, michelinguidedish.com, and michelinguidedish.net—presents a severe commercial and technical risk. By displaying the complainant’s MICHELIN trademark on a webpage designed to mimic an official portal, the respondent engaged in corporate impersonation optimized for credential harvesting. This setup targets restaurant partners and culinary professionals who routinely access official guides, creating an environment where sensitive administrative access keys and personal data could easily be compromised under the guise of legitimate portal operations.

Furthermore, the strategic registration of adminmichelinguide.com introduces a distinct risk of administrative spoofing and targeted phishing, despite remaining in an inactive state prior to the dispute. Under the doctrine of passive holding, the inactive status of this administrative-themed domain does not mitigate its threat. In the hands of an unauthorized third party, such a domain remains a latent threat that can be activated at any moment, creating potential vulnerabilities where internal personnel or external business partners might be misled by communications originating from an address closely aligned with brand administration.

The use of highly relevant culinary terms and trademark-associated keywords like "stars", "foodtaste", and "guidedish" directly targets the core goodwill and reputation of the MICHELIN brand. This deliberate association erodes consumer and business trust, as partners and users may struggle to distinguish authentic Michelin Guide digital services from fraudulent look-alikes. The presence of these deceptive portals not only threatens the digital security of the brand’s ecosystem but also jeopardizes the trusted relationships Michelin has built with the culinary community.

Evidentiary Demonstration of Coordinated Impersonation and Passive Holding

The Complainant’s strategy succeeded by combining clear technical evidence of active digital impersonation with established passive holding doctrines. For the five active domains—gomichelinstars.com, michelinfoodtaste.com, michelinfoodtaste.net, michelinguidedish.com, and michelinguidedish.net—the Complainant presented screenshot evidence showing they resolved to an identical, unauthorized webpage displaying the MICHELIN trademark as a login interface. This technical proof of a coordinated server setup directly demonstrated that the Respondent, Phil Howard of Kithcen 47, registered and used the domains to intentionally mislead users. Presenting this clear visual and structural evidence of brand mimicking left no doubt regarding the bad faith attempt at corporate impersonation.

For the remaining inactive domain, adminmichelinguide.com, the Complainant successfully applied the passive holding doctrine to establish bad faith. Even though this administrative-themed domain did not resolve to an active webpage, its registration alongside the active login-impersonation domains in October 2025 proved a unified pattern of brand targeting. By framing the inactive domain within this broader, highly malicious portfolio, the Complainant persuaded the sole panelist, Leo (Yi) Liu, that the lack of active use did not prevent a bad faith finding. This dual approach allowed the Complainant to secure the transfer of the entire portfolio, neutralizing both active traffic diversion setups and passive reserves before they could be utilized for administrative spoofing.

Practical Recommendations

  • Consolidate multi-domain registration clusters (such as parallel .com and .net extensions) into a single, comprehensive UDRP complaint to reduce overall legal expenditures and prevent fragmented defenses from coordinated bad actors.
  • Implement proactive keyword monitoring targeting core brands combined with administrative, operational, or access-related modifiers (e.g., ‘admin’, ‘login’, ‘portal’, ‘guide’) to intercept credential-harvesting infrastructures before they go live.
  • Apply the passive holding doctrine aggressively against inactive, administrative-themed domains (such as ‘adminmichelinguide.com’) when registered alongside active spoofing targets, ensuring they are swept into enforcement actions without waiting for them to resolve.
  • Document and submit technical proof of shared infrastructure—such as duplicated landing page assets, identical destination servers, and concurrent registration dates—to establish strong evidence of a unified bad-faith campaign.
  • Develop expedited internal procedures to rapidly transition from threat detection to UDRP filing when active brand-impersonation login interfaces are identified, minimizing the threat window for partners and consumers.

Frequently Asked Questions (FAQ)

Why were domains like ‘gomichelinstars.com’ and ‘michelinguidedish.com’ considered confusingly similar to the Michelin brand?

The WIPO panel determined that these domains incorporate the famous ‘MICHELIN’ trademark in its entirety, coupled with descriptive terms related to the complainant’s culinary services. This creates a high likelihood of confusion, as users would likely perceive these sites as official, authorized extensions of the Michelin guide and restaurant rating brand.

How did the panel address the fact that ‘adminmichelinguide.com’ was not actively displaying content?

Despite the domain remaining in an inactive state, the panel applied the doctrine of passive holding. Because the domain was part of a larger portfolio used for credential harvesting and the respondent failed to provide any evidence of legitimate interest, the panel concluded it was registered and held in bad faith as part of the broader infringing strategy.

What evidence proved the respondent’s bad faith in this UDRP case?

The primary evidence was the deployment of a shared, unauthorized login interface across five of the six domains. By mimicking an official MICHELIN portal and displaying the complainant’s trademark, the respondent demonstrated an intent to deceive internet users into providing credentials, thereby attempting to commercially exploit the complainant’s goodwill.

What was the practical outcome for the six disputed domains?

Following the WIPO decision on December 29, 2025, the panelist Leo (Yi) Liu ordered the immediate transfer of all six domains—including the administrative-themed and food-related variants—to Compagnie Générale des Etablissements Michelin, effectively neutralizing the threat of ongoing credential harvesting.

Facing corporate impersonation through a domain?

Protect your brand from unauthorized login portals and credential harvesting tactics like those used in the Michelin case. Contact our experts to discuss a proactive domain monitoring and enforcement strategy.

Assess impersonation threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.