{"report_id":"f2384db4-487c-4b22-bc97-a00a029925b6","version":6,"status":"done","tags":["microsoft","phishing"],"date":"2026-03-25T13:04:23Z","url":{"schema":"https","addr":"sso-security.com/rLHtKokqEBcygQ","fqdn":"sso-security.com","domain":"sso-security.com","tld":"com"},"ip":{"addr":"212.104.128.0","port":0,"asn":0,"as":"","country":"Finland","country_code":"FI"},"final":{"url":{"schema":"https","addr":"sso-security.com/rLHtKokqEBcygQ","fqdn":"sso-security.com","domain":"sso-security.com","tld":"com"},"title":"Sign in to your Microsoft account","dom":{"size":77469,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (22967)","md5":"1323e286893b4343cfb6f9b8a9786d8c","sha1":"7f3c9c1014125f16f3e139b187984ba939d3ffd9","sha256":"4de1cb4dbbe27b23bb54ab5cdbaa17eccec7bc099e466d6976b0a5146e140c63","sha512":"d1f85baab2e0bfbbd665204cdc7aa61567222fe54e496157f1e8ad7e91e2095f38395f4b33c959307848fb727b66a3ce660e056b51437c3188f3e11e173565be","ssdeep":"768:d9IuXYyi2AduN2BJBX7qgeQ74gQpKsrsoqcbrTf:vxifuN2BORtpRrsoqW/f","tlshash":"0873417a116258be531eb57473e61d012fe0c403d84bc9297bdc5a7ccf8bac09a5e35a","dom_hash":"domhashfd281d2a4fae8a31df3823a65316d42a","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"https","addr":"sso-security.com/rLHtKokqEBcygQ","fqdn":"sso-security.com","domain":"sso-security.com","tld":"com"},"ip":{"addr":"212.104.128.0","port":0,"asn":0,"as":"","country":"Finland","country_code":"FI"},"tags":["openphish"],"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-04-29T13:04:23Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":5}},"detection":{"ids":null,"analyzer":[{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null},{"sensor_name":"opendns","sensor_type":"DNS","title":"OpenDNS","description":"OpenDNS","scan_date":"2026-03-25","alert":"Phishing Block","trigger":"sso-security.com","verdict":"phishing","severity":"medium","comment":"","link":"https://www.opendns.com/","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Microsoft","verdict":"phishing","severity":"medium","comment":"Resource associated with Microsoft phishing","tags":["microsoft","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Microsoft","verdict":"phishing","severity":"medium","comment":"Resource associated with Microsoft phishing","tags":["microsoft","phishing"],"meta":null}]},"summary":[{"fqdn":"res.cloudinary.com","ip":{"addr":"104.16.78.6","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2011-05-24","domain_rank":21175,"first_seen":"2012-10-03T08:31:44Z","last_seen":"2026-03-23T09:48:49.080795Z","alert_count":0,"request_count":1,"received_data":36816,"sent_data":540,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"sso-security.com","ip":{"addr":"212.104.128.3","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"domain_registered":"2025-04-01","domain_rank":0,"first_seen":"2025-05-04T14:44:01.01268Z","last_seen":"2026-03-23T13:41:56.874161Z","alert_count":6,"request_count":1,"received_data":81260,"sent_data":499,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Microsoft","verdict":"phishing","severity":"medium","comment":"Resource associated with Microsoft phishing","tags":["microsoft","phishing"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"sso-security.com/rLHtKokqEBcygQ","fqdn":"sso-security.com","domain":"sso-security.com","tld":"com"},"ip":{"addr":"212.104.128.3","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"introduction_type":"scriptElement","is_inline":true,"md5":"d993095e344020dd513e9e7355ffcdd2","sha1":"35cee39b9a7d903409169cd7ad94283653033d81","sha256":"e59db18125d2db435282a339847340cafa164e5617d8e80a2c7ca76b3f65aa6b","sha512":"753aa76f9cbed9083078cedd59ec9a55ad6180653c554c1b964d69f2ba4bf080916dd26c6c9cf8024e8e64f491128056866a0cfbab9bfac8ba976cdef5ca1786","ssdeep":"96:2Kkp5rsoLeVqsewqHtRPPA0HI/Ud7T/mSG3GPM87JG:2KsrsoqVqbwq3nA0HI/Ud7K2PFM","tlshash":"389101293166283101b7c5afa7c7404631a1804368c9d9603a7cd70d2fa7d42eef2bdf","size":4504,"data":"","first_seen":"2026-03-25T13:04:24.232782Z","last_seen":"2026-03-25T13:04:24.232782Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"sso-security.com/rLHtKokqEBcygQ","fqdn":"sso-security.com","domain":"sso-security.com","tld":"com"},"ip":{"addr":"212.104.128.3","port":443,"asn":0,"as":"","country":"Finland","country_code":"FI"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-03-25T13:04:00.259Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"sso-security.com","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Thu, 29 Jan 2026 07:09:23 GMT","end":"Wed, 29 Apr 2026 08:09:21 GMT"},"fingerprint":{"sha1":"6E:37:27:BD:61:B1:D9:68:7E:8C:6A:6E:E8:3C:49:BD:DE:2C:6B:85","sha256":"7A:7A:E8:83:49:4E:FB:1A:31:9F:73:52:CA:27:82:31:C8:6C:ED:0D:A4:27:20:85:BB:A2:A1:6D:E0:D3:73:42"}}},"request":{"raw":"GET /rLHtKokqEBcygQ HTTP/1.1\r\nHost: sso-security.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Wed, 25 Mar 2026 13:04:00 GMT\r\ncontent-type: text/html\r\ncf-cache-status: DYNAMIC\r\nreferrer-policy: origin-when-cross-origin\r\nserver: cloudflare\r\nset-cookie: INGRESSCOOKIE=1774443841.466.46.772491|112633931b9d22736a011431493af478; Expires=Wed, 25-Mar-26 13:34:00 GMT; Max-Age=1800; Path=/quest/attachment/; Secure; HttpOnly\r\nstrict-transport-security: max-age=31536000\r\nx-content-type-options: nosniff\r\nx-hox-trace-id: ac460af3bf94101b3175b18a59a068d5\r\nx-xss-protection: 1; mode=block\r\ncontent-encoding: gzip\r\ncf-ray: 9e1e1e7238ac3f14-CPH\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":80678,"size_decoded":0,"mime_type":"text/html","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (22967), with CRLF line terminators","md5":"22c8ceb1488482bf8f7f0d87a996dce3","sha1":"833b6ca287a1512dca6989f172b6885d7c957082","sha256":"1e1574998590817e1070688d272279d239ca0ec3101fa0128825037e419746d5","sha512":"26297338a94ac2e83a00c3d75728d91e46da42feea3b4097f224b2ba1539f2bc5d0e3d85209eaed3b2f1b7dad5d4fbd6bfa6e9c6eee3bc3fda78fbbd3b19cd16","ssdeep":"384:ut+zocNhJe5ohaJzeMrr9DjVayOFKevVuE/42kGxAqZKAooncMrHU:uUth43J5aJgeQK4gxAqZKAooncMrHU","tlshash":"12737279510158bd533eb774bba21e04ffd18013d50382297bec6a7c8fb69c09a1eb5a","first_seen":"2026-03-25T13:04:24.227713Z","last_seen":"2026-03-25T13:04:24.227713Z","times_seen":1,"resource_available":true,"data":null}},"time_used":416,"timings":{"blocked":80,"dns":1,"connect":27,"send":0,"wait":251,"receive":0,"ssl":54},"alerts":{"ids":null,"analyzer":[{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null},{"sensor_name":"opendns","sensor_type":"DNS","title":"OpenDNS","description":"OpenDNS","scan_date":"2026-03-25","alert":"Phishing Block","trigger":"sso-security.com","verdict":"phishing","severity":"medium","comment":"","link":"https://www.opendns.com/","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-25","alert":"Sinkholed","trigger":"sso-security.com","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Microsoft","verdict":"phishing","severity":"medium","comment":"Resource associated with Microsoft phishing","tags":["microsoft","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"res.cloudinary.com/hoxhunt/image/upload/v1764769501/692826c2b293608596f668ee/692826c2b293608596f668ee-norfund.no-light-develop.png","fqdn":"res.cloudinary.com","domain":"cloudinary.com","tld":"com"},"ip":{"addr":"104.16.78.6","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://sso-security.com/rLHtKokqEBcygQ","date":"2026-03-25T13:04:00.827Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.cloudinary.com","organization":"Cloudinary Ltd"},"issuer":{"commonName":"Go Daddy Secure Certificate Authority - G2","organization":"GoDaddy.com, Inc."},"validity":{"start":"Thu, 24 Apr 2025 13:45:55 GMT","end":"Tue, 26 May 2026 13:45:55 GMT"},"fingerprint":{"sha1":"8C:61:DB:F4:59:AA:B3:DB:D3:12:E2:66:0A:25:C6:AB:C2:AD:20:6D","sha256":"72:8C:8C:F1:15:FA:11:D0:30:77:C3:1F:DA:FD:AB:28:E6:81:ED:68:D1:8B:B8:E3:EB:B6:58:30:DD:87:8B:C3"}}},"request":{"raw":"GET /hoxhunt/image/upload/v1764769501/692826c2b293608596f668ee/692826c2b293608596f668ee-norfund.no-light-develop.png HTTP/1.1\r\nHost: res.cloudinary.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://sso-security.com/\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Wed, 25 Mar 2026 13:04:00 GMT\r\ncontent-type: image/png\r\ncontent-length: 35987\r\nserver: cloudflare\r\ncf-ray: 9e1e1e75df530d07-CPH\r\naccept-ranges: bytes\r\naccess-control-allow-origin: *\r\ncache-control: public, no-transform, immutable, max-age=2592000\r\netag: \"1d9d06c44d105c5e8566e2813e31011c\"\r\nlast-modified: Wed, 03 Dec 2025 13:45:03 GMT\r\nstrict-transport-security: max-age=604800\r\nvary: Accept-Encoding\r\naccess-control-expose-headers: Content-Length,ETag,Server-Timing,Vary,x-content-type-options\r\nserver-timing: cld-cloudflare;dur=32;start=2026-03-25T13:04:00.961Z;desc=hit,rtt;dur=27,content-info;desc=\"width=1079,height=1080,bytes=35987,format=\"png\",o=1,crt=1764769501,ef=(17);\"\r\ntiming-allow-origin: *\r\nx-content-type-options: nosniff\r\nx-request-id: e30421ddde646046f73cc92cce5498db\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":35987,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 1079 x 1080, 8-bit/color RGBA, non-interlaced","md5":"1d9d06c44d105c5e8566e2813e31011c","sha1":"838273ba48bbccf472322d3d7959317d2d430150","sha256":"d3db1cc4c8c1422797bdb818eed4edfacea885512e772f05b7deb8b36aeee57b","sha512":"fb997581d6567b59a737967ac234cb573d16503a060984ceb4215ea2e57716e47e1037e96d41c387d2e321bcf4a0ebec5288c0b4dbef33ff6632241f1e3e35e3","ssdeep":"768:DQHviRIYqXsHy3c9Bm70mlzsTEwqIzn8FFRGuGzp/AamV:D0vHs7otlz+EXgqamV","tlshash":"61f2e1ea174d95eda9137f682cf32b0ba6105f6219129c8cb48b1f518b1612b3e24fa4","first_seen":"2026-02-26T01:23:30.375789Z","last_seen":"2026-03-25T13:04:24.231098Z","times_seen":4,"resource_available":false,"data":null}},"time_used":286,"timings":{"blocked":94,"dns":30,"connect":27,"send":0,"wait":92,"receive":5,"ssl":34},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}