by sbr464 2937 days ago
One random idea, not sure how practical - Do a screenshot analysis/pattern matching on all customer login pages. If verbiage or screenshot matches are close enough, it gets flagged for human review. This would only work on the pages at different Auth0 domains obviously. Since the login URL endpoints are saved in the Auth0 admin console, it could be easy to directly check the page. If that doesn't work, you could require customers to store the login URLs to make scanning them easier.

A potentially easier approach could be detecting when an existing Auth0 user attempts to access an abnormal Auth0 subdomain. Even if the user gives up their user/pass accidentally, you could send an email warning to review their activity. You can fingerprint the user's browser or IP address to help identify them if you don't have any other info.
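One way to implement the second idea as detection logic, as an added example that is not from the thread and not Auth0's own code: it assumes the defender can see per-tenant login events carrying the tenant subdomain, the user's email, the source IP and a browser fingerprint, and it builds a per-user baseline of tenants and devices before flagging logins at unfamiliar tenants. All event values below are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events across tenants (not real data).
# Each record: (timestamp, tenant_subdomain, user_email, source_ip, ua_fingerprint)
EVENTS = [
    ("2017-02-01T09:00:00", "acme.auth0.com",       "alice@example.com", "203.0.113.5",  "fp-a1"),
    ("2017-02-02T09:05:00", "acme.auth0.com",       "alice@example.com", "203.0.113.5",  "fp-a1"),
    ("2017-02-03T10:00:00", "globex.auth0.com",     "bob@example.com",   "198.51.100.7", "fp-b2"),
    ("2017-02-10T11:30:00", "acme-login.auth0.com", "alice@example.com", "203.0.113.5",  "fp-a1"),
    ("2017-02-10T11:31:00", "acme-login.auth0.com", "carol@example.com", "192.0.2.9",    "fp-c3"),
]

def build_baseline(events, before):
    """Per-user set of tenants seen before `before`, plus the (ip, fingerprint) pairs seen there."""
    tenants = defaultdict(set)
    devices = defaultdict(set)
    for ts, tenant, user, ip, fp in events:
        if datetime.fromisoformat(ts) < before:
            tenants[user].add(tenant)
            devices[user].add((ip, fp))
    return tenants, devices

def flag_abnormal_tenant_logins(events, baseline_tenants, baseline_devices, since):
    """Return one alert per known user who authenticates at a tenant absent from their baseline.

    A match on a previously seen (ip, fingerprint) pair raises confidence that the
    account holder themselves, not only their credentials, reached the unfamiliar page.
    Legitimate use of the same email at several customers' tenants also trips this,
    so the output suits a warning email for the user to review, not an automatic block.
    """
    alerts = []
    for ts, tenant, user, ip, fp in events:
        if datetime.fromisoformat(ts) < since:
            continue
        known = baseline_tenants.get(user)
        if not known or tenant in known:
            continue  # brand-new user, or a tenant they already use: nothing to flag
        alerts.append({
            "user": user,
            "tenant": tenant,
            "known_tenants": sorted(known),
            "device_matches_baseline": (ip, fp) in baseline_devices[user],
        })
    return alerts

def run_sample():
    """Baseline on events before 2017-02-05 and scan the rest; returns the alert list."""
    cutoff = datetime(2017, 2, 5)
    tenants, devices = build_baseline(EVENTS, cutoff)
    return flag_abnormal_tenant_logins(EVENTS, tenants, devices, cutoff)
```

On the sample, only alice@example.com is flagged: she is a known user at acme.auth0.com who then authenticates at acme-login.auth0.com from her usual device, while carol has no baseline and bob's event predates the cutoff.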