Methods and systems for detecting malicious domains. The method comprises storing domain data for a plurality of domains and selecting a relationship parameter which represents a relationship between at least two of the domains. The method further comprises generating a graph for the domains by identifying a plurality of domain nodes, connecting the domain nodes with a plurality of edges and calculating an edge weight for each edge. The method further comprises identifying at least one domain node as a known malicious domain node and the other domain nodes as candidate domain nodes, calculating a malicious score for each candidate domain node based on the edge weights and identifying a domain in the plurality of domains as malicious if the malicious score is within a predetermined range.