If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.