Improved techniques of identifying a malicious communication involve a lightweight evaluator obtaining a domain name directly from a network transmission. The lightweight evaluator performs a query of the domain name on a database of known network transactions. Results of the query include IP addresses to which the domain name has resolved in prior transactions and Time To Live (TTL) values for each of those IP addresses. To such results of the query, the lightweight evaluator applies a set of heuristics which are arranged to determine whether the domain name could plausibly be a FFDN. Based on the result of the application of the heuristics to the domain name, the lightweight evaluator sends to a backend evaluator the domain name and a command to confirm whether the domain name is a FFDN.