Detect DNS requests to Phishing Sites leveraging EvilGinx2

Splunk Security Content

Summary
This detection identifies DNS requests to phishing domains that use the EvilGinx2 toolkit to mimic a legitimate website. Because EvilGinx2 proxies the real login page, the phishing hostname usually carries the impersonated brand name under an attacker-controlled registered domain. The rule searches DNS query logs through the Splunk Network_Resolution data model for queried names that contain the names of popular online services (Amazon, Facebook, GitHub, Office 365, AWS, and Google) and filters out known legitimate domains to reduce false positives; any legitimate service domain missing from that allowlist will therefore alert, so the list needs maintenance. Matching queries are aggregated by source and queried name (with the resolved answers and first-seen time) and presented as a summary of suspicious activity. When integrated with Splunk Phantom (now Splunk SOAR), a match can trigger an investigation workflow.
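The following is an added example, not the Splunk rule itself, showing the same logic in plain Python so it can be run over sample records offline: extract the registered domain from each queried name, flag queries where a brand token appears in a label below that registered domain, drop anything whose registered domain is on an allowlist, and aggregate by (source, query) the way the data-model search does. The log format, the allowlist contents, the public-suffix shortlist and the sample DNS lines are all constructed for illustration and are not taken from the page or from Splunk's content.

```python
import re

# Brand tokens the page says the rule matches on, lowercased.
BRANDS = ("amazon", "facebook", "github", "office365", "aws", "google")

# Constructed allowlist of registered domains the brands legitimately use.
# The real rule keeps this in a lookup; these entries are illustrative only.
LEGIT_DOMAINS = {
    "amazon.com", "amazonaws.com", "facebook.com", "fbcdn.net",
    "github.com", "githubusercontent.com", "office365.com", "office.com",
    "microsoftonline.com", "google.com", "google.co.uk", "googleapis.com",
}

# A few multi-label public suffixes so "login.google.co.uk" splits as
# google.co.uk rather than co.uk; production code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Constructed log line shape (hypothetical format, not a vendor format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample data; timestamps are ISO-8601 so they sort lexically.
SAMPLE_DNS_LOG = """\
2024-11-14T09:01:02Z src=10.0.0.5 query=login.office365.mail-secure-portal.net answer=203.0.113.7
2024-11-14T09:01:05Z src=10.0.0.5 query=login.office365.mail-secure-portal.net answer=203.0.113.7
2024-11-14T09:02:10Z src=10.0.0.9 query=www.google.com answer=198.51.100.1
2024-11-14T09:03:00Z src=10.0.0.9 query=login.google.co.uk answer=198.51.100.3
2024-11-14T09:04:00Z src=10.0.0.12 query=github.auth-check.example answer=198.51.100.9
2024-11-14T09:05:00Z src=10.0.0.12 query=s3.amazonaws.com answer=198.51.100.10
"""


def registered_domain(fqdn):
    """Return the registrable part of a hostname (last two labels, or three
    when the last two form a known multi-label public suffix)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return fqdn.lower()
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def brand_in_subdomain(fqdn):
    """Return the first brand token found in a label *below* the registered
    domain, else None. Labels are split on '-' and compared as whole tokens so
    that e.g. 'laws' does not match 'aws'."""
    fqdn = fqdn.lower().rstrip(".")
    reg = registered_domain(fqdn)
    prefix = fqdn[:-len(reg)].rstrip(".")
    for label in prefix.split(".") if prefix else []:
        for token in label.split("-"):
            if token in BRANDS:
                return token
    return None


def is_suspicious(query):
    """Brand token under a registered domain that is not on the allowlist."""
    reg = registered_domain(query)
    if reg in LEGIT_DOMAINS:
        return False
    return brand_in_subdomain(query) is not None


def detect(lines):
    """Aggregate suspicious queries by (src, query): count, first seen, answers, brand."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        query = m["query"].lower()
        if not is_suspicious(query):
            continue
        key = (m["src"], query)
        h = hits.setdefault(
            key, {"count": 0, "firstTime": m["ts"], "answers": set(),
                  "brand": brand_in_subdomain(query)},
        )
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], m["ts"])
        h["answers"].add(m["answer"])
    return hits


if __name__ == "__main__":
    for (src, query), h in detect(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{src} -> {query}: {h['count']}x, first {h['firstTime']}, "
              f"brand={h['brand']}, answers={sorted(h['answers'])}")
```

Two of the six sample lines survive: the Office 365 lookalike under mail-secure-portal.net and the GitHub lookalike under auth-check.example. The google.com, google.co.uk and amazonaws.com queries are dropped by the allowlist or because the brand sits in the registered domain itself, which is the typosquat case rather than the EvilGinx subdomain pattern. Whole-token matching on hyphen-split labels is a deliberate narrowing; if your phishing telemetry shows brands embedded in longer labels (for example "office365login"), loosen the match and accept more allowlist upkeep.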
Categories
  • Network
  • Endpoint
Data Sources
  • Domain Name
  • Network Traffic
ATT&CK Techniques
  • T1566.003
Created: 2024-11-14