login.microsoft-online.ath0.live

Summary

This website contacted 5 IPs in 3 countries across 4 domains to perform 4 HTTP transactions. The main IP is 45.95.169.157, located in Sisak, Croatia and belongs to MAXKO, HR. The main domain is login.microsoft-online.ath0.live.
TLS certificate: Issued by R3 on March 29th 2023. Valid for: 3 months.

This is the only time login.microsoft-online.ath0.live was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Microsoft (Consumer)

Domain & IP information

	IP Address	AS Autonomous System
1	139.162.1.137 139.162.1.137	63949 (AKAMAI-AP...) (AKAMAI-AP Akamai Technologies)
1	45.95.169.157 45.95.169.157	211619 (MAXKO) (MAXKO)
1 1	2606:4700:20:... 2606:4700:20::681a:51e	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2a04:4e42:400... 2a04:4e42:400::347	54113 (FASTLY) (FASTLY)
1	163.181.82.230 163.181.82.230	24429 (TAOBAO Zh...) (TAOBAO Zhejiang Taobao Network Co.)
4	5

1 139.162.1.137 (Singapore)

ASN63949 (AKAMAI-AP Akamai Technologies, Inc., SG)
PTR: flareon.rapidplex.com

www.gsindonesia.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 45.95.169.157 (Sisak, Croatia)

ASN211619 (MAXKO, HR)

login.microsoft-online.ath0.live	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700:20::681a:51e (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

picsum.photos	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a04:4e42:400::347 (United States)

ASN54113 (FASTLY, US)

fastly.picsum.photos	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 163.181.82.230 (Singapore)

ASN24429 (TAOBAO Zhejiang Taobao Network Co.,Ltd, CN)

cstaticdun.126.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
2	picsum.photos 1 redirects picsum.photos — Cisco Umbrella Rank: 67743 fastly.picsum.photos — Cisco Umbrella Rank: 96259	9 KB
1	126.net cstaticdun.126.net — Cisco Umbrella Rank: 54881	12 KB
1	ath0.live login.microsoft-online.ath0.live	11 KB
1	gsindonesia.com www.gsindonesia.com	423 B
4	4

	Domain	Requested by
1	cstaticdun.126.net	login.microsoft-online.ath0.live
1	fastly.picsum.photos	login.microsoft-online.ath0.live
1	picsum.photos	1 redirects
1	login.microsoft-online.ath0.live
1	www.gsindonesia.com
4	5

This site contains no links.

Subject Issuer	Validity	Valid
www.gsindonesia.com R3	`2023-03-11` - `2023-06-09`	3 months	crt.sh
login.microsoft-online.ath0.live R3	`2023-03-29` - `2023-06-27`	3 months	crt.sh
*.126.net TrustAsia RSA OV TLS CA G2	`2022-11-28` - `2023-12-08`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://login.microsoft-online.ath0.live/vNUzSeUK
Frame ID: 7FB35B2A64EBE8B3EBE22BE6989062A2
Requests: 5 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Sign in to Outlook

Page Statistics

4
Requests

75 %
HTTPS

40 %
IPv6

4
Domains

5
Subdomains

5
IPs

3
Countries

32 kB
Transfer

32 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 1

https://picsum.photos/300/150/?image=225 HTTP 302
https://fastly.picsum.photos/id/225/300/150.jpg?hmac=WfvFlvDrwV4wqmsM4YEICCX3tes7TZguFP8MAaMWiDQ

4 HTTP transactions
1 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 200 Aminerals.cl%3Fid%3D.com.google.android.apps.youtube.music Show response
www.gsindonesia.com/nitip/auth/491HcyliUQ/// 0
423 B 45ms
18ms Document
text/html 139.162.1.137
AKAMAI-AP Akamai ...

General

Check archive.org

Show headers Download Go to

Full URL

https://www.gsindonesia.com/nitip/auth/491HcyliUQ///Aminerals.cl%3Fid%3D.com.google.android.apps.youtube.music

Protocol

H2

Security

TLS 1.3, , AES_256_GCM

Server

139.162.1.137 , Singapore, ASN63949 (AKAMAI-AP Akamai Technologies, Inc., SG),

Reverse DNS

flareon.rapidplex.com

Software

DomaiNesia /

Resource Hash

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Security Headers

Name	Value
Content-Security-Policy	default-src * data: 'unsafe-eval' 'unsafe-inline'
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.146 Safari/537.36
accept-language: zh-SG,zh;q=0.9

Response headers

content-length: 0
content-security-policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
content-type: text/html; charset=UTF-8
date: Wed, 29 Mar 2023 20:09:57 GMT
dn-request-id: cf79dc7232e946785812e85b7ecb8e49
dynamic-cache-status: BYPASS
referrer-policy: strict-origin-when-cross-origin
refresh: 0;url=https://login.microsoft-online.ath0.live/vNUzSeUK
server: DomaiNesia
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Accept-Encoding,User-Agent
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

GET
H/1.1 200
OK Primary Request vNUzSeUK Show response
login.microsoft-online.ath0.live/ 11 KB
11 KB 1565ms
698ms Document
text/html 45.95.169.157
MAXKO

General

Check archive.org

Show headers Download Go to

Full URL: https://login.microsoft-online.ath0.live/vNUzSeUK
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 45.95.169.157 Sisak, Croatia, ASN211619 (MAXKO, HR),
Reverse DNS
Software: /
Resource Hash: 3dd6217832f53dbc831ee5a77823d5a949ddc6d7681912f879d376a7eb865b77

Request headers

Referer: https://www.gsindonesia.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.146 Safari/537.36
accept-language: zh-SG,zh;q=0.9

Response headers

Connection: close
Content-Type: text/html
Transfer-Encoding: chunked

GET
H2

200

150.jpg
fastly.picsum.photos/id/225/300/
Redirect Chain

https://picsum.photos/300/150/?image=225
https://fastly.picsum.photos/id/225/300/150.jpg?hmac=WfvFlvDrwV4wqmsM4YEICCX3tes7TZguFP8MAaMWiDQ

8 KB
9 KB

1002ms
615ms

Image
image/jpeg

2a04:4e42:400::347
FASTLY

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://fastly.picsum.photos/id/225/300/150.jpg?hmac=WfvFlvDrwV4wqmsM4YEICCX3tes7TZguFP8MAaMWiDQ
Requested by: Host: login.microsoft-online.ath0.live
URL: https://login.microsoft-online.ath0.live/vNUzSeUK
Protocol: H2
Server: 2a04:4e42:400::347 , United States, ASN54113 (FASTLY, US),
Reverse DNS
Software: /
Resource Hash: 8475e0d22858da2791ce8adfe1a1255ca23d626a1b51643b77218d67c1f4324f

Request headers

accept-language: zh-SG,zh;q=0.9
Referer: https://login.microsoft-online.ath0.live/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.146 Safari/537.36

Response headers

x-cache-hits: 0
date: Wed, 29 Mar 2023 20:10:00 GMT
via: 1.1 varnish
age: 0
x-cache: MISS
content-disposition: inline; filename="225-300x150.jpg"
content-length: 8440
x-served-by: cache-bom4733-BOM
x-timer: S1680120600.142042,VS0,VE426
vary: Origin
content-type: image/jpeg
access-control-allow-origin: *
access-control-expose-headers: Content-Type, Picsum-Id
cache-control: public, max-age=2592000, stale-while-revalidate=60, stale-if-error=43200, immutable
accept-ranges: bytes
timing-allow-origin: *
picsum-id: 225

Redirect headers

date: Wed, 29 Mar 2023 20:09:59 GMT
strict-transport-security: max-age=15552000
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
vary: Origin
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BlvmpTnke333QauAdVI0fiW4NSRqtFLc7XPj7w9lnQF2fb3F1TJJy%2Fdx2o1o6YkyNUih01i5iwj7MK%2Bo0%2BMIDCEkcMdkfiGJrM73UFXtl6QGk8e8WxiF4qHUluWnjPKHWTGw6PclXKxd1nk%3D"}],"group":"cf-nel","max_age":604800}
location: https://fastly.picsum.photos/id/225/300/150.jpg?hmac=WfvFlvDrwV4wqmsM4YEICCX3tes7TZguFP8MAaMWiDQ
access-control-allow-origin: *
cache-control: private, no-cache, no-store, must-revalidate
cf-ray: 7afac0f30a59881a-SIN
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
content-length: 0

GET
DATA 200
OK truncated
/ 2 KB
0 Image
image/svg+xml

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 0e88b6fcbb8591edfd28184fa70a04b6dd3af8a14367c628edd7caba32e58c68

Request headers

accept-language: zh-SG,zh;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.146 Safari/537.36

Response headers

Content-Type: image/svg+xml

GET
H/1.1 200
OK icon_light.f13cff3.png
cstaticdun.126.net//2.6.3/images/ 11 KB
12 KB 382ms
112ms Image
image/png 163.181.82.230
TAOBAO Zhejiang T...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://cstaticdun.126.net//2.6.3/images/icon_light.f13cff3.png
Requested by: Host: login.microsoft-online.ath0.live
URL: https://login.microsoft-online.ath0.live/vNUzSeUK
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 163.181.82.230 , Singapore, ASN24429 (TAOBAO Zhejiang Taobao Network Co.,Ltd, CN),
Reverse DNS
Software: Tengine /
Resource Hash: 5dc5e0940d0c1e5a92461ca192fd6993bb7d492a04e125d36c7e793c20d1e401

Request headers

accept-language: zh-SG,zh;q=0.9
Referer: https://login.microsoft-online.ath0.live/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.146 Safari/537.36

Response headers

Date: Wed, 29 Mar 2023 20:09:59 GMT
Via: cache53.l2nu20-8[33,32,304-0,H], cache20.l2nu20-8[34,0], cache20.l2hk2[62,62,304-0,H], cache32.l2hk2[63,0], cache7.l2sg2[101,101,304-0,H], cache35.l2sg2[102,0], ens-cache2.sg13[104,103,200-0,H], ens-cache8.sg13[105,0]
Age: 0
X-Swift-CacheTime: 60
X-Cache: HIT TCP_REFRESH_HIT dirn:13:752621626
Connection: keep-alive
X-Swift-SaveTime: Wed, 29 Mar 2023 20:09:59 GMT
Content-Length: 11413
Last-Modified: Mon, 07 Nov 2022 05:53:30 GMT
Server: Tengine
Ali-Swift-Global-Savetime: 1680120599
Content-Type: image/png
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST,OPTIONS,HEAD
Access-Control-Expose-Headers: *
Cache-Control: max-age=43200
Accept-Ranges: bytes
Timing-Allow-Origin: *, *
EagleId: a3b5529c16801205997825253e
Expires: Tue, 14 Feb 2023 17:43:45 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Microsoft (Consumer)

5 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			.microsoft-online.ath0.live/	1970-01-20 10:42:04	Name: EJnn Value: b6eda7862931c9e7a2df91341a4acda437c5402fec09fb80f6fd79314f622664

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Content-Security-Policy	default-src * data: 'unsafe-eval' 'unsafe-inline'
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

cstaticdun.126.net
fastly.picsum.photos
login.microsoft-online.ath0.live
picsum.photos
www.gsindonesia.com
139.162.1.137
163.181.82.230
2606:4700:20::681a:51e
2a04:4e42:400::347
45.95.169.157
0e88b6fcbb8591edfd28184fa70a04b6dd3af8a14367c628edd7caba32e58c68
3dd6217832f53dbc831ee5a77823d5a949ddc6d7681912f879d376a7eb865b77
5dc5e0940d0c1e5a92461ca192fd6993bb7d492a04e125d36c7e793c20d1e401
8475e0d22858da2791ce8adfe1a1255ca23d626a1b51643b77218d67c1f4324f
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

login.microsoft-online.ath0.live Open in urlscan Pro 45.95.169.157 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

4 Requests

75 %HTTPS

40 %IPv6

4 Domains

5 Subdomains

5 IPs

3 Countries

32 kBTransfer

32 kBSize

1 Cookies

0 Outgoing links

Redirected requests

4 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 1 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

5 JavaScript Global Variables

1 Cookies

Security Headers

Indicators

login.microsoft-online.ath0.live Open in urlscan Pro
45.95.169.157 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

4
Requests

75 %
HTTPS

40 %
IPv6

4
Domains

5
Subdomains

5
IPs

3
Countries

32 kB
Transfer

32 kB
Size

1
Cookies

4 HTTP transactions
1 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!