mail.rwtha-achen.de - urlscan.io

Summary

This website contacted 2 IPs in 1 countries across 2 domains to perform 2 HTTP transactions. The main IP is 157.245.138.62, located in North Bergen, United States and belongs to DIGITALOCEAN-ASN, US. The main domain is mail.rwtha-achen.de.
TLS certificate: Issued by R3 on October 17th 2022. Valid for: 3 months.

This is the only time mail.rwtha-achen.de was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: German Universities (Education)

Community Verdicts: Malicious — 2 votes Show Verdicts

Domain & IP information

	IP Address	AS Autonomous System
1 1	2607:f1c0:100... 2607:f1c0:100f:f000::2bf	8560 (IONOS-AS ...) (IONOS-AS This is the joint network for IONOS)
3 5	157.245.138.62 157.245.138.62	14061 (DIGITALOC...) (DIGITALOCEAN-ASN)
2	2

1 2607:f1c0:100f:f000::2bf (United States) 1 redirects

ASN8560 (IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE., DE)

heartlandalliance.vazaban.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 157.245.138.62 (North Bergen, United States) 3 redirects

ASN14061 (DIGITALOCEAN-ASN, US)

mail.rwtha-achen.de	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	rwtha-achen.de 3 redirects mail.rwtha-achen.de	106 KB
1	vazaban.com 1 redirects heartlandalliance.vazaban.com	413 B
2	2

	Domain	Requested by
5	mail.rwtha-achen.de	3 redirects mail.rwtha-achen.de
1	heartlandalliance.vazaban.com	1 redirects
2	2

This site contains links to these domains. Also see Links.

Domain
www.itc.rwth-aachen.de
office.com

Subject Issuer	Validity	Valid
mail.rwtha-achen.de R3	`2022-10-17` - `2023-01-15`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://mail.rwtha-achen.de/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.rwtha-achen.de%2fowa%2f
Frame ID: 9FC7D11AEFD428FF334D56AA3B087016
Requests: 7 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Outlook

Page URL History Show full URLs

http://heartlandalliance.vazaban.com/ HTTP 302
https://mail.rwtha-achen.de/JCvXRmJo HTTP 302
https://mail.rwtha-achen.de/ HTTP 302
https://mail.rwtha-achen.de/owa/ HTTP 302
https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Page URL
https://mail.rwtha-achen.de/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.rwtha-achen.de%2... Page URL

Detected technologies

Outlook Web App (Web Mail) Expand

Overall confidence: 100%
Detected patterns

/owa/auth/log(?:on|off)\.aspx

Microsoft ASP.NET (Web Frameworks) Expand

Overall confidence: 100%
Detected patterns

\.aspx?(?:$|\?)

Page Statistics

2
Requests

100 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

105 kB
Transfer

133 kB
Size

3
Cookies

2 Outgoing links

These are links going to different origins than the main page.

URL: http://www.itc.rwth-aachen.de/cms/IT-Center/Dienste/kompletter-Servicekatalog/IT-Sicherheit/~frnr/Passwort/lidx/1/
Title: Sicherheitshinweis

Search URL Search Domain Scan URL

URL: http://office.com/redir/HA102824601.aspx
Title: Klicken Sie hier.

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://heartlandalliance.vazaban.com/ HTTP 302
https://mail.rwtha-achen.de/JCvXRmJo HTTP 302
https://mail.rwtha-achen.de/ HTTP 302
https://mail.rwtha-achen.de/owa/ HTTP 302
https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Page URL
https://mail.rwtha-achen.de/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.rwtha-achen.de%2fowa%2f Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0

http://heartlandalliance.vazaban.com/ HTTP 302
https://mail.rwtha-achen.de/JCvXRmJo HTTP 302
https://mail.rwtha-achen.de/ HTTP 302
https://mail.rwtha-achen.de/owa/ HTTP 302
https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0

2 HTTP transactions
5 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	logon.aspx mail.rwtha-achen.de/owa/auth/ Redirect Chain http://heartlandalliance.vazaban.com/ https://mail.rwtha-achen.de/JCvXRmJo https://mail.rwtha-achen.de/ https://mail.rwtha-achen.de/owa/ https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0	27 KB 28 KB	788ms 328ms	Document text/html	157.245.138.62 DIGITALOCEAN-ASN
General Check archive.org Show headers Download Go to Full URL https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 157.245.138.62 North Bergen, United States, ASN14061 (DIGITALOCEAN-ASN, US), Reverse DNS Software Microsoft-IIS/10.0 / ASP.NET Resource Hash Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers Cache-Control no-cache, no-store Connection close Content-Type text/html; charset=utf-8 Date Tue, 18 Oct 2022 12:10:11 GMT Expires -1 Pragma no-cache Request-Id 99b7ee78-2846-48ad-af08-e6d51212354d Server Microsoft-IIS/10.0 Transfer-Encoding chunked X-Aspnet-Version 4.0.30319 X-Powered-By ASP.NET Redirect headers Connection close Content-Type text/html; charset=utf-8 Date Tue, 18 Oct 2022 12:10:09 GMT Location https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Request-Id e885c2ad-490c-40ff-a98d-c5700811cb66 Server Microsoft-IIS/10.0 Transfer-Encoding chunked X-Feserver RWTHEX-W1-A X-Owa-Version 15.2.1118.15 X-Powered-By ASP.NET
GET H/1.1	200 OK	Primary Request logon.aspx Show response mail.rwtha-achen.de/owa/auth/	77 KB 77 KB	659ms 448ms	Document text/html	157.245.138.62 DIGITALOCEAN-ASN
General Check archive.org Show headers Download Go to Full URL https://mail.rwtha-achen.de/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.rwtha-achen.de%2fowa%2f Requested by Host: mail.rwtha-achen.de URL: https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 157.245.138.62 North Bergen, United States, ASN14061 (DIGITALOCEAN-ASN, US), Reverse DNS Software Microsoft-IIS/10.0 / ASP.NET Resource Hash `f2d66fb253c7edc4600988325e9cb95f91b51b451cd6ee4b4ae572e9da12dc98` Request headers Referer https://mail.rwtha-achen.de/owa/auth/logon.aspx?url=https%3a%2f%2fmail.rwth-aachen.de%2fowa%2f&reason=0 Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers Cache-Control no-cache, no-store Connection close Content-Type text/html; charset=utf-8 Date Tue, 18 Oct 2022 12:10:12 GMT Expires -1 Pragma no-cache Request-Id 7f47577a-cf6a-4335-b278-cadd8ca6c1ae Server Microsoft-IIS/10.0 Transfer-Encoding chunked X-Aspnet-Version 4.0.30319 X-Powered-By ASP.NET
GET DATA	200 OK	truncated /	14 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `6a02afba12b105796d99949908c7d0e7c3703e5a9bc1a961aa6662aedffc3277` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	4 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `4de8fc175826d9f78fce9f9f2b71a63fe832fc7507e0394125c823b0909fa54a` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	1 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `6710ee6e22d5e3e82f70554804806c37aac5789b110d944383ea393d93eb627a` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	9 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `88d3fd0d42bd1b600febfabdc4615080cad3d4303b8178aa9bb31f6b23fc1d4c` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	1 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `33b48ac4150f35202a3d3af4f44f9ddd6ffc4e684b1dc1f242aa773cd79559ad` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png

Verdicts & Comments Add Verdict or Comment

Malicious page.url
Submitted on October 18th 2022, 12:11:24 pm UTC — From Germany

Threats: Phishing
Comment: SPEICHER-BENACHRICHTIGUNG Seit Montag, dem 17. Oktober 2022, haben Sie Ihren E-Mail-Speicherplatz fast vollständig aufgebraucht. Email: netz-ag@tvk.rwth-aachen.de Leeren Sie den Cache, um zu vermeiden, dass Sie beim Empfangen und Senden von Nachrichten blockiert werden. See it in action Cache leeren Um Ihr Konto zu schützen, leiten Sie diese E-Mail bitte nicht weiter. © 2022

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: German Universities (Education)

39 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

3 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
mail.rwtha-achen.de/owa/auth	1969-12-31 23:59:59	Name: cookieTest Value: 1
heartlandalliance.vazaban.com/	1969-12-31 23:59:59	Name: PHPSESSID Value: ddfd88fec96c54537db0b6327d0db2a1
.rwtha-achen.de/	1970-01-20 06:48:18	Name: syuP Value: c53df37615fd69337d25ca6702db6cac2afdb0b2dec478dc68f119ff9b5c3963

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

heartlandalliance.vazaban.com
mail.rwtha-achen.de
157.245.138.62
2607:f1c0:100f:f000::2bf
33b48ac4150f35202a3d3af4f44f9ddd6ffc4e684b1dc1f242aa773cd79559ad
4de8fc175826d9f78fce9f9f2b71a63fe832fc7507e0394125c823b0909fa54a
6710ee6e22d5e3e82f70554804806c37aac5789b110d944383ea393d93eb627a
6a02afba12b105796d99949908c7d0e7c3703e5a9bc1a961aa6662aedffc3277
88d3fd0d42bd1b600febfabdc4615080cad3d4303b8178aa9bb31f6b23fc1d4c
f2d66fb253c7edc4600988325e9cb95f91b51b451cd6ee4b4ae572e9da12dc98

mail.rwtha-achen.de Open in urlscan Pro 157.245.138.62 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Community Verdicts: Malicious — 2 votes Show Verdicts

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

2 Requests

100 %HTTPS

50 %IPv6

2 Domains

2 Subdomains

2 IPs

1 Countries

105 kBTransfer

133 kBSize

3 Cookies

2 Outgoing links

Page URL History

Redirected requests

2 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 5 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Malicious page.url Submitted on October 18th 2022, 12:11:24 pm UTC — From Germany

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

39 JavaScript Global Variables

3 Cookies

Indicators

mail.rwtha-achen.de Open in urlscan Pro
157.245.138.62 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

2
Requests

100 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

105 kB
Transfer

133 kB
Size

3
Cookies

2 HTTP transactions
5 data transactions

Malicious page.url
Submitted on October 18th 2022, 12:11:24 pm UTC — From Germany

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!