{"report_id":"44546c49-996d-45d2-a179-53484e165958","version":6,"status":"done","tags":["zimbra","phishing"],"date":"2026-01-11T08:13:43Z","url":{"schema":"http","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":0,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"final":{"url":{"schema":"https","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"title":"Zimbra Web Client Sign In","dom":{"size":23126,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (643)","md5":"333a3ca09af3d2461dc0ffc81f3fc234","sha1":"2ab1131fab4751dc095bc9c4f98501322c359e48","sha256":"96b802248c3caf9037b2e015c1da2ec762df05c8b7730113d4e22d3bc6cb6d7c","sha512":"e06839a7e0610114bacc02a05845d2ed463fb85151d21400b495dc58e212bcedf9cfc8f4b21e9cf6ec374b0aefb7977fdcdf9e31bdcf03255af7925cf059c933","ssdeep":"384:HdjhRgFO30hk4UT4OZYXhl2Ei0m5HDpupShi4i2iZi5iFieigiMiniHiNJci8i9:9jD30hk4UT4OZ6tc/oVHgA0v9BiCNJRH","tlshash":"9fa2e86a25e5186106a370fc59cf511934b0dc271009ce087dfc92a83fb6e6a56a3bfe","dom_hash":"domhashb65de971afbbd68ea8a62d11d24f98cd","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":0,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-02-15T08:13:43Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":1}},"detection":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]},"summary":[{"fqdn":"mail.planttel.net","ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":10,"request_count":5,"received_data":239493,"sent_data":2475,"comment":"","tags":null,"fingerprints":[{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]},{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Zimbra","description":"","website":"https://www.zimbra.com/","common_platform_enumeration":"cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*","icon":"Zimbra.png","categories":["Webmail"]}]},{"fqdn":"cas.neonova.net","ip":{"addr":"137.118.7.42","port":443,"asn":6250,"as":"NEONOVA-NET","country":"United States","country_code":"US"},"domain_registered":"1998-06-19","domain_rank":4569396,"first_seen":"2012-07-13T15:31:12Z","last_seen":"2025-12-11T10:24:44.004707Z","alert_count":0,"request_count":1,"received_data":10761,"sent_data":419,"comment":"","tags":null,"fingerprints":[{"name":"Apache HTTP Server:2.2.15","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]},{"name":"CentOS","description":"CentOS is a Linux distribution that provides a free, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL).","website":"https://centos.org","common_platform_enumeration":"cpe:2.3:o:centos:centos:*:*:*:*:*:*:*:*","icon":"CentOS.svg","categories":["Operating systems"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"introduction_type":"eventHandler","is_inline":false,"md5":"8330d67045d053b17fa969ef2bdb5e54","sha1":"041174325b27a7b4d2d1b1a0e353fa82d1cb6431","sha256":"ceecf99c8bd1f6e5f89a26d3b40e009d48860d674231297254ff75d817b9a883","sha512":"74d90352264865f9903b3845c8d7c001ae7efeee02016907f39d1726f12a1f33903ebeeed1d3643de50ff4919cd819a4e419a918b584a3950f2a4ff9ca7bb1f3","ssdeep":"","tlshash":"e7500000030030c00300000c3000000c000000c30003c000000000003c300000030030","size":9,"data":"","first_seen":"2023-04-11T04:37:13Z","last_seen":"2026-04-15T19:29:01.217558Z","times_seen":3725,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"afd5b9b517cdf1b3108e0c4b87ccb154","sha1":"95de1d0d0ad4f14f75e847ac984a873f089f9bfa","sha256":"26c3a96d127a230206cb4844fb957d029f2cc6e8511a65a79942922a7feac67b","sha512":"35052c7fdd0332044465aeea0e44ac024e90fa932158f3c3abeeb7e195a24332143d2c3d33f761ed927add9cf031e4e443e94a6ea21dbcf09345ca2810b8187c","ssdeep":"384:R4UT4OZYXhl2Ei0m5HDpupShi4i2iZi5iFieigiMiniHiNJci8ii:R4UT4OZ6tc/oVHgA0v9BiCNJRxi","tlshash":"337286ba35ea14500aa770bc89df511834b098171009df047dfc91a87f79e7a16a7bfe","size":16538,"data":"","first_seen":"2026-01-11T08:13:53.878393Z","last_seen":"2026-01-11T08:13:53.878393Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"mail.planttel.net/","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-01-11T08:13:19.543Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.planttel.net","organization":""},"issuer":{"commonName":"R13","organization":"Let's Encrypt"},"validity":{"start":"Thu, 27 Nov 2025 09:34:21 GMT","end":"Wed, 25 Feb 2026 09:34:20 GMT"},"fingerprint":{"sha1":"76:DB:E3:35:68:56:F7:2D:24:F2:B0:86:C6:65:A0:C8:C3:BA:DE:39","sha256":"6F:C9:8D:1C:0A:63:96:CD:DF:9A:30:B3:96:C5:19:B3:8C:30:72:74:C4:F2:09:E6:1E:95:FD:62:A9:D7:85:71"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: mail.planttel.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 Jan 2026 08:13:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: -1\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nPragma: no-cache\r\nContent-Language: en-US\r\nSet-Cookie: ZM_TEST=true\nZM_LOGIN_CSRF=3b7612a0-bfec-4a9b-a3b7-62820051703b; HttpOnly\r\nX-UA-Compatible: IE=edge\r\nVary: User-Agent, Accept-Encoding\r\nContent-Encoding: gzip\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]},{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Zimbra","description":"","website":"https://www.zimbra.com/","common_platform_enumeration":"cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*","icon":"Zimbra.png","categories":["Webmail"]}],"data":{"size":23303,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (631)","md5":"542d37a365fae48224f0b60ff3da2eab","sha1":"56caddb4384c2d81dfd71716a755b308315501e5","sha256":"b42babc7a9df2bda9c6004661ccefb01a5aed001db6b023dc678b5728dc1277d","sha512":"0644fbc34ddabcd05a9fbcbd5c77b6b063abfd4331604870607a2a9bb97bc1955f825709ec160632d798aa3c8f19fdc3da273b38d18ea828e17224911840bbf1","ssdeep":"384:KBTkwmMO7Yhk4UT4OZYXhl2Ei0m5HDpupShi4i2iZi5iFieigiMiniHiNJci8ir:ETm7Yhk4UT4OZ6tc/oVHgA0v9BiCNJR1","tlshash":"94a2e86625e518610aa370bc59cf511934f4dc270009ce087dfc92ac3fb6e6a56a3bfe","first_seen":"2026-01-11T08:13:53.866708Z","last_seen":"2026-01-11T08:13:53.866708Z","times_seen":1,"resource_available":false,"data":null}},"time_used":2359,"timings":{"blocked":1119,"dns":922,"connect":93,"send":0,"wait":118,"receive":3,"ssl":102},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"mail.planttel.net/css/common,login,zhtml,skin.css?skin=harmony\u0026v=251013124436","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://mail.planttel.net/","date":"2026-01-11T08:13:20.950Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.planttel.net","organization":""},"issuer":{"commonName":"R13","organization":"Let's Encrypt"},"validity":{"start":"Thu, 27 Nov 2025 09:34:21 GMT","end":"Wed, 25 Feb 2026 09:34:20 GMT"},"fingerprint":{"sha1":"76:DB:E3:35:68:56:F7:2D:24:F2:B0:86:C6:65:A0:C8:C3:BA:DE:39","sha256":"6F:C9:8D:1C:0A:63:96:CD:DF:9A:30:B3:96:C5:19:B3:8C:30:72:74:C4:F2:09:E6:1E:95:FD:62:A9:D7:85:71"}}},"request":{"raw":"GET /css/common,login,zhtml,skin.css?skin=harmony\u0026v=251013124436 HTTP/1.1\r\nHost: mail.planttel.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=3b7612a0-bfec-4a9b-a3b7-62820051703b\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 Jan 2026 08:13:21 GMT\r\nContent-Type: text/css\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Tue, 10 Feb 2026 09:13:20 GMT\r\nCache-Control: public, max-age=2595600\r\nVary: User-Agent, Accept-Encoding\r\nContent-Encoding: gzip\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":65818,"size_decoded":0,"mime_type":"text/css","magic":"ASCII text, with very long lines (751)","md5":"7da153fafb9eddc1e3b432352f734156","sha1":"8dc9181aee96d3569e3e4de6db334bb1d84632ce","sha256":"04d55477c75232eb0854dd2c434d00ef6c8bd9c698adbd76f292a91f3a33b4ce","sha512":"db941face82b1cc540c94f357a7e0b1772138ed639c1f814ef8502a0ff062e38d9e156f8d54f7833136a0268a750f9dc20a8ba1263e6d5f257bb9054e058b663","ssdeep":"384:twGDVYTNgzXv1ZQeZmlucf+TRmyiFEu+jF9a/C/WYlcdBC7h/GZDQIgLq/EtwXs2:tFfv1ZuuLaEu+0C/mDU/twcx9B4jJ","tlshash":"7853c831f342201eb02bc46ee443fad8692a9157c9675f79f937b479eac60dd1a23306","first_seen":"2026-01-11T08:13:53.869772Z","last_seen":"2026-01-11T08:13:53.869772Z","times_seen":1,"resource_available":false,"data":null}},"time_used":170,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"mail.planttel.net/img/new-back-ground-image.png","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://mail.planttel.net/","date":"2026-01-11T08:13:21.145Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.planttel.net","organization":""},"issuer":{"commonName":"R13","organization":"Let's Encrypt"},"validity":{"start":"Thu, 27 Nov 2025 09:34:21 GMT","end":"Wed, 25 Feb 2026 09:34:20 GMT"},"fingerprint":{"sha1":"76:DB:E3:35:68:56:F7:2D:24:F2:B0:86:C6:65:A0:C8:C3:BA:DE:39","sha256":"6F:C9:8D:1C:0A:63:96:CD:DF:9A:30:B3:96:C5:19:B3:8C:30:72:74:C4:F2:09:E6:1E:95:FD:62:A9:D7:85:71"}}},"request":{"raw":"GET /img/new-back-ground-image.png HTTP/1.1\r\nHost: mail.planttel.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=3b7612a0-bfec-4a9b-a3b7-62820051703b\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 Jan 2026 08:13:21 GMT\r\nContent-Type: image/png\r\nContent-Length: 141674\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Tue, 10 Feb 2026 09:13:21 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Mon, 13 Oct 2025 12:30:42 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":141674,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 1440 x 1024, 8-bit colormap, non-interlaced","md5":"5a09af857512a874f5e2a6e01b80742b","sha1":"8c87bcfd42ee8fab57f08c3664abd1424e608b6a","sha256":"18b729cd6f3dd2b5657c1680e1388b825dc2c2d1e732e03478006714ac7ebc2d","sha512":"0f5a6c382957c3ee0078db97ae58f109e3ecc04d31609cd6047b4904b220bd45ff055e4a6abb058a6e0c760c4a4beba7f114a6d86b5179fccdcd5d334e835a1f","ssdeep":"3072:Xp4eV0s/ltkbEd0U+sl5mk0Xy0X+9uZPkB584B5DMs:Xd/ltka0LXmQw58EDL","tlshash":"00d3122e58f35215dce8e8bc3cbeb8fb295e23b44474dbfa5258c2050e99a36c4d8d11","first_seen":"2023-05-12T19:43:56Z","last_seen":"2026-04-15T09:51:28.376644Z","times_seen":830,"resource_available":false,"data":null}},"time_used":378,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":96,"receive":282,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"cas.neonova.net/zimbra/planttel.net-large.png","fqdn":"cas.neonova.net","domain":"neonova.net","tld":"net"},"ip":{"addr":"137.118.7.42","port":443,"asn":6250,"as":"NEONOVA-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://mail.planttel.net/","date":"2026-01-11T08:13:21.148Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_RSA_WITH_AES_128_GCM_SHA256","key_group_name":"none","signature_name":"none","protocol":"TLSv1.2","cert":{"subject":{"commonName":"*.neonova.net","organization":""},"issuer":{"commonName":"Go Daddy Secure Certificate Authority - G2","organization":"GoDaddy.com, Inc."},"validity":{"start":"Thu, 06 Nov 2025 14:39:59 GMT","end":"Tue, 08 Dec 2026 14:39:59 GMT"},"fingerprint":{"sha1":"80:73:A1:F9:62:BD:A4:7C:F0:CC:DF:FD:70:3C:C0:23:B3:9C:E7:BD","sha256":"7A:A3:07:89:9C:92:36:76:E9:AB:F7:7C:C3:1C:27:16:B2:51:FC:19:10:94:6B:2D:CC:A0:24:B3:CA:3C:E1:E4"}}},"request":{"raw":"GET /zimbra/planttel.net-large.png HTTP/1.1\r\nHost: cas.neonova.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 11 Jan 2026 08:13:22 GMT\r\nServer: Apache/2.2.15 (CentOS)\r\nLast-Modified: Fri, 06 Jun 2025 17:38:49 GMT\r\nETag: \"a5e6d-2908-636eab3ecf413\"\r\nAccept-Ranges: bytes\r\nContent-Length: 10504\r\nConnection: close\r\nContent-Type: image/png\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Apache HTTP Server:2.2.15","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]},{"name":"CentOS","description":"CentOS is a Linux distribution that provides a free, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL).","website":"https://centos.org","common_platform_enumeration":"cpe:2.3:o:centos:centos:*:*:*:*:*:*:*:*","icon":"CentOS.svg","categories":["Operating systems"]}],"data":{"size":10504,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 440 x 107, 8-bit/color RGBA, non-interlaced","md5":"fa96e74cd741f6a89830143e0d7785e4","sha1":"5ab7878bc24a2e6b1779f70fcbabbb7c84dd5a83","sha256":"266af46fe7dd47c5549fcb65bbc1dd1b81bea77036ac882a9c58c4e61b8abaf0","sha512":"d26c52f36cb169ee378b4e06637fe5fd095e539754fab7d5ce41bb8bf224a3900ba3ce99aee460a9cc398cb53335def14c0b241c43f6137f47595a016a931c78","ssdeep":"192:wBtcpLV51x/GMi6UhrZHBaQJ3jv5cnQU2R1bzidL6vc2Ya1RaTr9lDqoTrvE9exQ:ytcpJ5zHi66vJ3jhchehiNI1RajDzY99","tlshash":"7b22bfc2ec92c9098cd398e50f431a5585f9fb70ec17461c68a2d3610b71b8b478eebb","first_seen":"2026-01-11T08:13:53.873571Z","last_seen":"2026-01-11T08:13:53.873571Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1937,"timings":{"blocked":907,"dns":539,"connect":121,"send":0,"wait":121,"receive":1,"ssl":244},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"mail.planttel.net/img/questionMark.png","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://mail.planttel.net/","date":"2026-01-11T08:13:21.151Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.planttel.net","organization":""},"issuer":{"commonName":"R13","organization":"Let's Encrypt"},"validity":{"start":"Thu, 27 Nov 2025 09:34:21 GMT","end":"Wed, 25 Feb 2026 09:34:20 GMT"},"fingerprint":{"sha1":"76:DB:E3:35:68:56:F7:2D:24:F2:B0:86:C6:65:A0:C8:C3:BA:DE:39","sha256":"6F:C9:8D:1C:0A:63:96:CD:DF:9A:30:B3:96:C5:19:B3:8C:30:72:74:C4:F2:09:E6:1E:95:FD:62:A9:D7:85:71"}}},"request":{"raw":"GET /img/questionMark.png HTTP/1.1\r\nHost: mail.planttel.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=3b7612a0-bfec-4a9b-a3b7-62820051703b\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 Jan 2026 08:13:21 GMT\r\nContent-Type: image/png\r\nContent-Length: 5359\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Tue, 10 Feb 2026 09:13:21 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Mon, 13 Oct 2025 12:30:42 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":5359,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 225 x 225, 8-bit/color RGBA, non-interlaced","md5":"5d496d46fe9801cf0e92af8337b3b6af","sha1":"6f9e34028d56b0229759aad8dab4f0c30be30a7e","sha256":"395b89ffffb5b6ea44d2933531396f8d2ae8ff84bae554a1c245d0777af59034","sha512":"1a0c2ff7c5a88ae03d8df8d31473144e969f007ecf4cea45af065770ec3279fb72d3ceb2b28d684becffb65bc60f9681f7c65e503279d8ed4a5aa44132ba9ba0","ssdeep":"96:iDA+MJVudjvxHeroWIEqS9gLNUMvCIRubbiCIdhDdUrEGZ1AkNnlakE:izBjYrdILS0NVtBU11AkrvE","tlshash":"72b18ed0dae8ef886981a95adb2f14e0cb05b15f52fe3cd90b370a0d154f584c53a1be","first_seen":"2023-05-12T15:26:00Z","last_seen":"2026-04-15T09:51:28.364477Z","times_seen":741,"resource_available":false,"data":null}},"time_used":495,"timings":{"blocked":195,"dns":1,"connect":93,"send":0,"wait":104,"receive":1,"ssl":99},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"mail.planttel.net/img/logo/favicon.ico","fqdn":"mail.planttel.net","domain":"planttel.net","tld":"net"},"ip":{"addr":"129.159.96.89","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://mail.planttel.net/","date":"2026-01-11T08:13:21.623Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.planttel.net","organization":""},"issuer":{"commonName":"R13","organization":"Let's Encrypt"},"validity":{"start":"Thu, 27 Nov 2025 09:34:21 GMT","end":"Wed, 25 Feb 2026 09:34:20 GMT"},"fingerprint":{"sha1":"76:DB:E3:35:68:56:F7:2D:24:F2:B0:86:C6:65:A0:C8:C3:BA:DE:39","sha256":"6F:C9:8D:1C:0A:63:96:CD:DF:9A:30:B3:96:C5:19:B3:8C:30:72:74:C4:F2:09:E6:1E:95:FD:62:A9:D7:85:71"}}},"request":{"raw":"GET /img/logo/favicon.ico HTTP/1.1\r\nHost: mail.planttel.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=3b7612a0-bfec-4a9b-a3b7-62820051703b\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 11 Jan 2026 08:13:21 GMT\r\nContent-Type: image/x-icon\r\nContent-Length: 1150\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Tue, 10 Feb 2026 09:13:21 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Mon, 13 Oct 2025 12:30:42 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":1150,"size_decoded":0,"mime_type":"image/x-icon","magic":"MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel","md5":"8c7d1c14e4b9c42f07bd6b800d93b806","sha1":"87e49826ffb3bc1ddac38feebb6bb98eaef568b2","sha256":"1afd891aacc433e75265e3ddc9cb4fc63b88259977811384426c535037711637","sha512":"cd34625876aaf6e8e3cb6da2a9277bab3375cb3515bc701d3a3a05796557c39e442f33c66ae056501c49a810b172a7f6f9c7a32f0b4000ce8472d14ba3e4f41b","ssdeep":"","tlshash":"902152fe66839d2de04c1a7fca7a8a3716cbcd4694e431120b79b209de33c9410e943c","first_seen":"2023-05-02T08:50:11Z","last_seen":"2026-04-14T09:43:16.770176Z","times_seen":3157,"resource_available":false,"data":null}},"time_used":97,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":96,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-01-11","alert":"Sinkholed","trigger":"mail.planttel.net","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}}]}