{"report_id":"db6d4983-6302-47ef-8ed2-cb4acd81fda7","version":6,"status":"done","tags":["meta","facebook","phishing","social"],"date":"2026-03-25T13:08:04Z","url":{"schema":"https","addr":"sso-auth.com/0MP1E16Ph1zRaQ","fqdn":"sso-auth.com","domain":"sso-auth.com","tld":"com"},"ip":{"addr":"212.104.128.3","port":0,"asn":0,"as":"","country":"Finland","country_code":"FI"},"final":{"url":{"schema":"https","addr":"sso-auth.com/0MP1E16Ph1zRaQ","fqdn":"sso-auth.com","domain":"sso-auth.com","tld":"com"},"title":"Facebook - Log In or Sign Up","dom":{"size":14278,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text","md5":"9e7a1744d3fc781238db69ffaada359a","sha1":"e3abdbbf72a60a475974d901a368c58ce3d6accb","sha256":"3fd31e7a8e632cd404b0eb299c28c5a30a084cf88dcaca85e3334cf1ee09a35f","sha512":"22a09f9fc7885df51c7c59c936145d9897e26adf50b082410e9242c316f1f6ea6d47e2353dafd8b84ece2662e7581629a0d91aa41882fa833e7b8119322d9fef","ssdeep":"192:xT+FGMuMfHxGyzzaZKvYBtZhxHL3WSFIpkU+67lk5Zv47j:xaeNr3V67l+Zvu","tlshash":"ea5280477af700076a13623a7fa627651b638053830fdd143a6c6a4edf91a824da379f","dom_hash":"domhash91d9221244ad93294345ec5db704f78a","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"https","addr":"sso-auth.com/0MP1E16Ph1zRaQ","fqdn":"sso-auth.com","domain":"sso-auth.com","tld":"com"},"ip":{"addr":"212.104.128.3","port":0,"asn":0,"as":"","country":"Finland","country_code":"FI"},"tags":["openphish"],"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-04-29T13:08:04Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":5}},"detection":{"ids":null,"analyzer":[{"sensor_name":"opendns","sensor_type":"DNS","title":"OpenDNS","description":"OpenDNS","scan_date":"2026-03-25","alert":"Phishing Block","trigger":"sso-auth.com","verdict":"phishing","severity":"medium","comment":"","link":"https://www.opendns.com/","meta":null},{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Facebook","verdict":"phishing","severity":"medium","comment":"Resource associated with Facebook phishing","tags":["meta","facebook","phishing","social"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Facebook","verdict":"phishing","severity":"medium","comment":"Resource associated with Facebook phishing","tags":["meta","facebook","phishing","social"],"meta":null}]},"summary":[{"fqdn":"sso-auth.com","ip":{"addr":"212.104.128.0","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"domain_registered":"2025-04-01","domain_rank":0,"first_seen":"2025-04-22T11:44:56.568925Z","last_seen":"2026-03-23T13:40:57.351361Z","alert_count":6,"request_count":1,"received_data":15727,"sent_data":495,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"res.cloudinary.com","ip":{"addr":"151.101.65.137","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"domain_registered":"2011-05-24","domain_rank":21175,"first_seen":"2012-10-03T08:31:44Z","last_seen":"2026-03-23T09:48:49.080795Z","alert_count":0,"request_count":1,"received_data":5933,"sent_data":514,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Facebook","verdict":"phishing","severity":"medium","comment":"Resource associated with Facebook phishing","tags":["meta","facebook","phishing","social"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"sso-auth.com/0MP1E16Ph1zRaQ","fqdn":"sso-auth.com","domain":"sso-auth.com","tld":"com"},"ip":{"addr":"212.104.128.0","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"introduction_type":"scriptElement","is_inline":true,"md5":"eda5ceae83987757512e0252cf96aa67","sha1":"9ef48f9a835403c48e0f336a3534c0473520fa3b","sha256":"d8c8620aac5bf6d44c63359b8c1e82889a33e4176e2b42888aec45823043b39f","sha512":"dd11187c3941c396636b010bc00333940a1535db579b8e5fbccd5c4a46531d4f82f8ae46d10bd91f481a7431f564a1dd784b3170bc17caa0cdefbb590beb2eba","ssdeep":"","tlshash":"4731dc64b3193b65922331334adf94e216b940b75e011c0049383d191863e2932fefbf","size":1787,"data":"","first_seen":"2026-03-25T13:08:05.63682Z","last_seen":"2026-03-25T13:08:05.63682Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"sso-auth.com/0MP1E16Ph1zRaQ","fqdn":"sso-auth.com","domain":"sso-auth.com","tld":"com"},"ip":{"addr":"212.104.128.0","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-03-25T13:07:42.165Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"sso-auth.com","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Wed, 28 Jan 2026 14:28:46 GMT","end":"Tue, 28 Apr 2026 15:28:43 GMT"},"fingerprint":{"sha1":"4F:FA:3C:82:94:70:6A:F1:4E:CD:75:70:EA:4E:BE:E1:20:27:A3:B6","sha256":"8C:45:E6:92:0E:C8:79:B3:D3:7F:64:7A:7B:08:44:D2:09:11:C0:C9:BB:C4:9A:62:93:81:97:A6:CD:B7:7C:59"}}},"request":{"raw":"GET /0MP1E16Ph1zRaQ HTTP/1.1\r\nHost: sso-auth.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Wed, 25 Mar 2026 13:07:43 GMT\r\ncontent-type: text/html\r\ncf-cache-status: DYNAMIC\r\nreferrer-policy: origin-when-cross-origin\r\nserver: cloudflare\r\nset-cookie: INGRESSCOOKIE=1774444063.412.47.875755|112633931b9d22736a011431493af478; Expires=Wed, 25-Mar-26 13:37:42 GMT; Max-Age=1800; Path=/quest/attachment/; Secure; HttpOnly\r\nstrict-transport-security: max-age=31536000\r\nx-content-type-options: nosniff\r\nx-hox-trace-id: aaa8b27fda58f660f13473edfcada372\r\nx-xss-protection: 1; mode=block\r\ncontent-encoding: gzip\r\ncf-ray: 9e1e23dd4c7211e7-CPH\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":15145,"size_decoded":0,"mime_type":"text/html","magic":"HTML document, Unicode text, UTF-8 text, with CRLF line terminators","md5":"742d96cab232dc05fd1ec06d1f7b7c08","sha1":"5bc9dd3a53a069e81a37e6a549926d96424c7259","sha256":"afbe3c0753d60146f21713dbaa32bb84c4557ec68d64ac9040f248f5bbefad8b","sha512":"45f28b98708a434667e3a0512c36c2e33e0395b318c0bcdb1b6d5ebed874bee7422959bff80aee86b14dc610f577ecdd6baf68eaf117bed863a9641c4471d109","ssdeep":"192:l1TQ1//HKri5gEc7l0t9ViThvQ7L3q4gsmtmV+xxFTTd:2RzRf3dExHTR","tlshash":"e4623202b7c8114762775328afb22768ef53806343064d947eac6b4f9f71a054aa3bdf","first_seen":"2026-03-25T13:08:05.633297Z","last_seen":"2026-03-25T13:08:05.633297Z","times_seen":1,"resource_available":true,"data":null}},"time_used":1071,"timings":{"blocked":103,"dns":29,"connect":27,"send":0,"wait":858,"receive":0,"ssl":51},"alerts":{"ids":null,"analyzer":[{"sensor_name":"opendns","sensor_type":"DNS","title":"OpenDNS","description":"OpenDNS","scan_date":"2026-03-25","alert":"Phishing Block","trigger":"sso-auth.com","verdict":"phishing","severity":"medium","comment":"","link":"https://www.opendns.com/","meta":null},{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-auth.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Facebook","verdict":"phishing","severity":"medium","comment":"Resource associated with Facebook phishing","tags":["meta","facebook","phishing","social"],"meta":null}]}},{"url":{"schema":"https","addr":"res.cloudinary.com/hoxhunt/image/upload/v1624260897/questTemplates/Social%20Media/Facebook/facebook-logo.png","fqdn":"res.cloudinary.com","domain":"cloudinary.com","tld":"com"},"ip":{"addr":"151.101.65.137","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://sso-auth.com/0MP1E16Ph1zRaQ","date":"2026-03-25T13:07:43.322Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.cloudinary.com","organization":""},"issuer":{"commonName":"GlobalSign Atlas R3 DV TLS CA 2025 Q3","organization":"GlobalSign nv-sa"},"validity":{"start":"Tue, 23 Sep 2025 16:30:27 GMT","end":"Sun, 25 Oct 2026 16:30:26 GMT"},"fingerprint":{"sha1":"77:6B:7C:56:E5:E7:51:42:ED:61:04:B9:D9:26:38:05:21:1C:F9:06","sha256":"F7:5C:28:39:1D:C1:7D:92:F0:E1:D7:3B:EF:A5:AD:B3:36:CD:F3:E5:AA:BE:EF:53:D9:F3:D5:47:D1:F3:4D:75"}}},"request":{"raw":"GET /hoxhunt/image/upload/v1624260897/questTemplates/Social%20Media/Facebook/facebook-logo.png HTTP/1.1\r\nHost: res.cloudinary.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://sso-auth.com/\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncontent-type: image/png\r\netag: \"d312674b87fd720f10adfa658f95abfd\"\r\nlast-modified: Mon, 21 Jun 2021 07:34:58 GMT\r\ndate: Wed, 25 Mar 2026 13:07:43 GMT\r\nstrict-transport-security: max-age=604800\r\ncache-control: public, no-transform, immutable, max-age=2592000\r\nserver-timing: cld-fastly;dur=1;cpu=0;start=2026-03-25T13:07:43.464Z;desc=hit,rtt;dur=15,content-info;desc=\"width=600,height=119,owidth=600,oheight=600,obytes=14265\"\r\nserver: Cloudinary\r\ntiming-allow-origin: *\r\naccess-control-allow-origin: *\r\naccept-ranges: bytes\r\nx-content-type-options: nosniff\r\naccess-control-expose-headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options\r\ncontent-length: 5229\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":5229,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 600 x 119, 8-bit colormap, non-interlaced","md5":"d312674b87fd720f10adfa658f95abfd","sha1":"c1bc326073ce6642ba4aeb9a97fd31816a88e228","sha256":"fabf4ef6c1462469c45c918005f3bbed5bcf9c92c33ff8585a0193d75d957fba","sha512":"42a5c807b3fafc6ccad54faadbdc10d9d992b8b377399bd3e80a2d8b8534a01cf51146f6cfe92fe83f46e9b3de226a9576679e7a6de503f339ef3f4fc24b65b1","ssdeep":"96:Hz47ehC3t13vizOXz8wHQgn8KIpu7vCUBwA52OlFjnXVDZIizkfiMlAhGhQp0T:T47eY1fUUz8k0KlBwA52OV5BzkffAqQ+","tlshash":"94b16ee874a367e8cf57174fa1c23055d90318381fd75d32aa1fc261de175a82dac752","first_seen":"2025-03-31T16:57:44.998839Z","last_seen":"2026-04-03T21:19:41.361504Z","times_seen":496,"resource_available":false,"data":null}},"time_used":287,"timings":{"blocked":135,"dns":25,"connect":13,"send":0,"wait":15,"receive":1,"ssl":95},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}