8 May, 2026

SAFRAN Recovers Double-Hyphen Domain Used in Targeted Email Impersonation

UDRP Cases

SAFRAN successfully recovered the domain safran–group.com after it was used to impersonate the company in fraudulent emails to its partners. The Panelist ordered a transfer, ruling that the configuration of mail servers for deceptive communication constituted clear evidence of bad faith and typosquatting.

Case Snapshot

Case Number D2026-1000
Complainant SAFRAN
Respondent Tom Ten
Disputed Domain
safran–group.com
Threat Tactic Phishing and Email Fraud
Decision Date 2026-05-07
Panelist Taras Kyslyy
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-1000

Fraudulent Mail Server Configuration and B2B Trust Erosion

The registration of safran–group.com represents a targeted threat to the integrity of B2B communications for a global high-technology entity. By configuring an active mail server (MX record) specifically for this typosquatted domain, the Respondent moved beyond passive holding into active brand weaponization. This setup allowed for the dissemination of fraudulent emails designed to impersonate Safran’s corporate identity to its business partners. Because the domain name differs from the legitimate safran-group.com by only a single additional hyphen, it exploits the high volume of digital correspondence typical of an organization with over 95,000 employees and EUR 16.5 billion in sales. Such subtle variations are frequently overlooked in standard corporate email clients, which facilitates the deception of recipients who are conditioned to trust the Complainant’s established naming conventions.

The primary commercial risk identified in this case is the unauthorized acquisition of confidential corporate information through deceptive email impersonation. The Panel noted that the Respondent’s configuration was intended to mislead recipients into disclosing sensitive data or carrying out malicious instructions. In the aviation, defense, and space sectors—where Safran operates—the breach of supply chain trust can lead to significant operational disruptions and reputational harm that extends far beyond a single fraudulent transaction. Furthermore, the domain resolved to a registrar parking page that prompted users to verify their emails to get the website back online, suggesting a dual-threat environment where both outbound phishing and inbound credential harvesting were utilized to exploit the brand’s reach.

Strategic Identification of Mail Server Weaponization

Safran’s strategy succeeded by looking beyond the static website content to the underlying technical configuration of the disputed domain. While the domain resolved to a registrar parking page, the Complainant provided evidence that a mail server (MX record) had been specifically configured for the address. This technical setup allowed the Respondent to send fraudulent emails that appeared to originate from the legitimate corporate group. By demonstrating that the domain was weaponized for B2B communication fraud rather than serving as a typical parked asset, Safran established a clear intent to mislead business partners. This approach successfully shifted the legal focus from passive holding to active, malicious impersonation designed to extract confidential information or issue unauthorized instructions.

The Complainant further solidified its case by framing the addition of a second hyphen as a calculated typosquatting tactic targeting the aerospace and defense supply chain. This minute variation from the official safran-group.com domain is a hallmark of sophisticated phishing schemes. Since the Respondent failed to participate or provide any evidence of legitimate rights, the Panel accepted the Complainant’s proof of the Respondent’s awareness of Safran’s global presence and high-technology operations. For IP professionals, the case highlights that documenting the fraudulent use of mail servers is often more persuasive in establishing bad faith than the content of a landing page, especially when the registrant targets a company with 95,000 employees and multi-billion euro sales.

Practical Recommendations

  • Conduct proactive monitoring for punctuation-based typosquatting variants, specifically looking for double-hyphen (‘–‘) substitutions or additions in domains that mirror your core corporate identity.
  • Perform immediate DNS lookups to check for active MX (Mail Exchange) records upon discovering a suspicious domain; evidence of mail server configuration is a powerful indicator of bad faith intent for phishing.
  • Gather and submit direct evidence of fraudulent outbound communications—such as headers from phishing emails sent to partners—to prove the domain is being used for impersonation rather than legitimate commerce.
  • Emphasize the ‘weaponization’ of the domain in UDRP filings by highlighting that the respondent’s configuration of infrastructure (mail servers) outweighs any claims of passive holding or generic registration.
  • Implement a rapid notification protocol for the supply chain and business partners when a look-alike domain with active mail records is identified to prevent the disclosure of confidential corporate information.

Frequently Asked Questions (FAQ)

Why did the Panel determine that the domain ‘safran–group.com’ was confusingly similar to the official Safran brand?

The Panel found that the domain, which adds a second hyphen to the Complainant’s official ‘safran-group.com’, is a classic example of typosquatting. Because ‘Safran’ is an internationally recognized trademark, the slight alteration was intended to mirror the official branding closely enough to deceive users.

How did the respondent attempt to justify their use of the domain, and why did this fail?

The Respondent failed to provide any evidence of rights or legitimate interests in the domain. The Panel noted that the Respondent’s only documented use of the domain—hosting a registrar parking page and sending fraudulent emails to partners—is inherently inconsistent with any legitimate or fair use of the trademark.

What evidence was most critical in proving that the Respondent acted in bad faith?

The most compelling evidence of bad faith was the specific configuration of mail servers (MX records) for the disputed domain. The Panel concluded that this infrastructure was set up explicitly to facilitate email impersonation and phishing campaigns, aimed at tricking business partners into disclosing confidential information.

What is the primary practical takeaway for businesses regarding these types of typosquatting tactics?

This case highlights that bad actors often use subtle domain variations to weaponize email communication. The immediate configuration of mail servers for a newly registered, look-alike domain serves as strong evidence for UDRP panels to order a transfer, as it demonstrates a clear intent to mislead recipients through corporate impersonation.

Concerned about fake email or invoice fraud?

Your partners are the most vulnerable point in your supply chain. Learn how configuring proactive domain monitoring and UDRP strategies can stop attackers from weaponizing typosquatted domains for B2B phishing campaigns.

Request phishing analysis

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.