outlookloffice365user64k.z19.web.core.windows.net
20.38.96.97
Malicious Activity!
Public Scan
Effective URL: https://outlookloffice365user64k.z19.web.core.windows.net/8f7f2375ba3e2ee3adf67d0e32c683d5/8f7f2375ba3e2ee3adf67d0e32c683d5
Submission: On February 11 via manual from MX
Summary
TLS certificate: Issued by Microsoft IT TLS CA 5 on April 19th 2018. Valid for: 2 years. This is the platform wildcard certificate for *.web.core.windows.net (see the certificate table below), so a valid, Microsoft-issued certificate on this host says nothing about who controls the storage account behind it.
This is the only time outlookloffice365user64k.z19.web.core.windows.net was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)

Domain & IP information

| Requests | IP Address | AS (Autonomous System) |
|---|---|---|
| 2 (1 redirect) | 23.100.82.11 | 8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) |
| 1 | 20.38.96.97 | 8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) |
| 1 | 2a04:4e42::393 | 54113 (FASTLY - Fastly) |
| 2 | 23.111.9.35 | 33438 (HIGHWINDS2 - Highwinds Network Group) |
| 1 | 23.45.236.121 | 20940 (AKAMAI-ASN1) |
| 1 | 2a02:26f0:6c00:283::35c1 | 20940 (AKAMAI-ASN1) |
| 1 | 104.16.13.231 | 13335 (CLOUDFLARENET - Cloudflare) |
| 1 | 151.101.120.193 | 54113 (FASTLY - Fastly) |

Totals: 9 requests, 8 IP addresses.
- ur89-20.azurewebsites.net: ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
- outlookloffice365user64k.z19.web.core.windows.net: ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
- use.fontawesome.com: ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US)
- plugin.intuitcdn.net: ASN20940 (AKAMAI-ASN1, US); PTR: a23-45-236-121.deploy.static.akamaitechnologies.com
- secure.aadcdn.microsoftonline-p.com: ASN20940 (AKAMAI-ASN1, US)
- cdn.discordapp.com: ASN13335 (CLOUDFLARENET - Cloudflare, Inc., US)
| Requests | Apex Domain | Subdomains | Transfer |
|---|---|---|---|
| 2 | fontawesome.com | use.fontawesome.com | 86 KB |
| 2 | azurewebsites.net | ur89-20.azurewebsites.net (1 redirect) | 1 KB |
| 1 | imgur.com | i.imgur.com | 221 KB |
| 1 | discordapp.com | cdn.discordapp.com | 5 KB |
| 1 | microsoftonline-p.com | secure.aadcdn.microsoftonline-p.com | 2 KB |
| 1 | intuitcdn.net | plugin.intuitcdn.net | 30 KB |
| 1 | cloudinary.com | res.cloudinary.com | 2 KB |
| 1 | windows.net | outlookloffice365user64k.z19.web.core.windows.net | 9 KB |

Totals: 9 requests, 8 domains.
| Requests | Domain | Requested by |
|---|---|---|
| 2 | use.fontawesome.com | outlookloffice365user64k.z19.web.core.windows.net |
| 2 | ur89-20.azurewebsites.net | 1 redirect |
| 1 | i.imgur.com | outlookloffice365user64k.z19.web.core.windows.net |
| 1 | cdn.discordapp.com | outlookloffice365user64k.z19.web.core.windows.net |
| 1 | secure.aadcdn.microsoftonline-p.com | outlookloffice365user64k.z19.web.core.windows.net |
| 1 | plugin.intuitcdn.net | outlookloffice365user64k.z19.web.core.windows.net |
| 1 | res.cloudinary.com | outlookloffice365user64k.z19.web.core.windows.net |
| 1 | outlookloffice365user64k.z19.web.core.windows.net | |

Totals: 9 requests, 8 domains.
This site contains no links.
| Subject | Issuer | Validity | Valid | |
|---|---|---|---|---|
| *.azurewebsites.net | Microsoft IT TLS CA 4 | 2017-12-17 - 2019-12-17 | 2 years | crt.sh |
| *.web.core.windows.net | Microsoft IT TLS CA 5 | 2018-04-19 - 2020-04-19 | 2 years | crt.sh |
| *.cloudinary.com | Go Daddy Secure Certificate Authority - G2 | 2018-07-01 - 2020-06-22 | 2 years | crt.sh |
| *.fontawesome.com | DigiCert SHA2 Secure Server CA | 2018-09-17 - 2019-11-21 | a year | crt.sh |
| *.intuitcdn.net | DigiCert SHA2 Secure Server CA | 2018-03-12 - 2019-03-12 | a year | crt.sh |
| secure.aadcdn.microsoftonline-p.com | Microsoft IT TLS CA 1 | 2017-08-15 - 2019-08-15 | 2 years | crt.sh |
| ssl711320.cloudflaressl.com | COMODO ECC Domain Validation Secure Server CA 2 | 2018-10-18 - 2019-04-26 | 6 months | crt.sh |
| *.imgur.com | DigiCert SHA2 Secure Server CA | 2018-12-14 - 2020-02-12 | a year | crt.sh |
This page contains 1 frame:
Primary Page:
https://outlookloffice365user64k.z19.web.core.windows.net/8f7f2375ba3e2ee3adf67d0e32c683d5/8f7f2375ba3e2ee3adf67d0e32c683d5
Frame ID: 22908891D6512F29A4F06FC6BB964708
Requests: 9 HTTP requests in this frame
Detected technologies
- Windows Server (Operating Systems). Detected pattern: headers server /IIS(?:\/([\d.]+))?/i
- IIS (Web Servers). Detected pattern: headers server /IIS(?:\/([\d.]+))?/i
- jQuery (JavaScript Libraries). Detected patterns: script /jquery.*\.js/i ; env /^jQuery$/i
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://ur89-20.azurewebsites.net/isolo?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884
- HTTP 301
- https://ur89-20.azurewebsites.net/isolo/?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884 (Page URL)
- https://outlookloffice365user64k.z19.web.core.windows.net/8f7f2375ba3e2ee3adf67d0e32c683d5/8f7f2375ba3e2ee3adf67d0e32c683d5 (Page URL)

The query string of the first hop carries the targeted mailbox (martinb@herbalife.com), its domain and an IP address as parameters, several of them repeated under different names. The landing page also defines a getUrlVars JavaScript global (see JavaScript Global Variables below), which is consistent with the lure reading the recipient's address out of the URL to pre-fill the fake sign-in form; the scan itself does not show that behaviour, so treat it as a lead to confirm, not a finding.

Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 0:
- https://ur89-20.azurewebsites.net/isolo?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884 (HTTP 301)
- https://ur89-20.azurewebsites.net/isolo/?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884
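The redirect chain above is the kind of artefact an analyst triages by hand dozens of times a week. The script below is an added example (not urlscan code and not part of this scan) that automates the two checks a practitioner would do on it: pull the victim identifiers out of the unusual `&&token&&` query string, and flag hostnames on Microsoft-owned tenant suffixes (`*.web.core.windows.net`, `*.azurewebsites.net`) whose customer-chosen label contains a Microsoft brand word. The URL list is copied from the Page URL History; the brand-word list and the choice of suffixes are assumptions for the example.

```python
"""Triage a urlscan-style redirect chain: extract victim data from the query string
and flag brand abuse on Azure tenant hostnames. Added example, not urlscan code."""
import re
from urllib.parse import urlsplit

# URLs copied from the scan's Page URL History (the hops of Request Chain 0 and the landing page).
CHAIN = [
    "https://ur89-20.azurewebsites.net/isolo?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com"
    "&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884",
    "https://ur89-20.azurewebsites.net/isolo/?dyu=martinb@herbalife.com&&67.29.94.79&&cc0_34k3=herbalife.com"
    "&sr=martinb@herbalife.com&UNPY9BPT=herbalife.com&sc-3d=martinb@herbalife.com&&27027868884&&cc0_34k3=martinb&sr=027868884",
    "https://outlookloffice365user64k.z19.web.core.windows.net/8f7f2375ba3e2ee3adf67d0e32c683d5/8f7f2375ba3e2ee3adf67d0e32c683d5",
]

# Microsoft-owned suffixes under which any customer can pick an arbitrary label.
# The TLS certificate and the ASN for such a host will legitimately say "Microsoft",
# so the only thing left to judge is the label itself. (Assumed list for this example.)
TENANT_SUFFIXES = (".web.core.windows.net", ".azurewebsites.net")
# Brand words that have no business in a random tenant's label. (Assumed list.)
BRAND_WORDS = ("outlook", "office365", "microsoft", "login", "onedrive", "sharepoint")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def query_tokens(url):
    """Split the query on '&' and keep bare positional tokens, which the
    standard parse_qs would silently drop ('&&67.29.94.79&&' style)."""
    return [t for t in urlsplit(url).query.split("&") if t]


def extract_victim_data(url):
    """Return e-mail addresses, IPv4 addresses and key=value pairs found in the query."""
    emails, ips, params = set(), set(), {}
    for tok in query_tokens(url):
        if "=" in tok:
            key, val = tok.split("=", 1)
            params.setdefault(key, []).append(val)
        else:
            val = tok
        if EMAIL_RE.fullmatch(val):
            emails.add(val)
        elif IPV4_RE.fullmatch(val):
            ips.add(val)
    return {"emails": sorted(emails), "ips": sorted(ips), "params": params}


def tenant_label(host):
    """The customer-controlled part of an Azure tenant hostname, or None if not one."""
    for suffix in TENANT_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)]
    return None


def brand_words_in_label(host):
    """Brand words appearing in the tenant label; empty list means nothing to flag."""
    label = tenant_label(host)
    if label is None:
        return []
    return [w for w in BRAND_WORDS if w in label.lower()]


def triage(chain):
    """One finding per hop: hostname, tenant label, brand hits and victim identifiers."""
    findings = []
    for url in chain:
        host = urlsplit(url).hostname or ""
        victim = extract_victim_data(url)
        findings.append({
            "host": host,
            "tenant_label": tenant_label(host),
            "brand_words": brand_words_in_label(host),
            "emails": victim["emails"],
            "ips": victim["ips"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(CHAIN):
        flag = "SUSPICIOUS" if f["brand_words"] or f["emails"] else "ok"
        print(f"{flag:10} {f['host']}  label={f['tenant_label']}  brands={f['brand_words']}"
              f"  emails={f['emails']}  ips={f['ips']}")
```

Run stand-alone it prints one line per hop; the first two hops are flagged for carrying the victim address, the landing page for the `outlook`/`office365` words in a storage-account label. A custom tokenizer is used instead of `parse_qs` because the first hop's `&&value&&` segments are bare tokens with no key and would otherwise be lost, and those bare tokens are exactly where the victim's IP address sits.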
9 HTTP transactions

| # | Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type |
|---|---|---|---|---|---|---|---|---|
| 1 | GET | HTTP/1.1 | / (redirect chain) | ur89-20.azurewebsites.net/isolo/ | 442 B | 613 B | Document | text/html |
| 2 | GET | HTTP/1.1 | 8f7f2375ba3e2ee3adf67d0e32c683d5 (primary request) | outlookloffice365user64k.z19.web.core.windows.net/8f7f2375ba3e2ee3adf67d0e32c683d5/ | 9 KB | 9 KB | Document | text/html |
| 3 | GET | H2 | style.css | res.cloudinary.com/dfvzxzbhe/raw/upload/v1539177451/sg/ | 6 KB | 2 KB | Stylesheet | text/css |
| 4 | GET | H2 | all.css | use.fontawesome.com/releases/v5.7.1/css/ | 53 KB | 13 KB | Stylesheet | text/css |
| 5 | GET | H2 | jquery.min.js | plugin.intuitcdn.net/jquery/2.2.0/dist/ | 84 KB | 30 KB | Script | application/javascript |
| 6 | GET | HTTP/1.1 | microsoft_logo.svg | secure.aadcdn.microsoftonline-p.com/ests/2.1.8014.13/content/images/ | 4 KB | 2 KB | Image | image/svg+xml |
| 7 | GET | H2 | 30.gif | cdn.discordapp.com/attachments/466747916187336706/502092033779957760/ | 5 KB | 5 KB | Image | image/gif |
| 8 | GET | H2 | wfKy3rD.jpg | i.imgur.com/ | 221 KB | 221 KB | Image | image/jpeg |
| 9 | GET | H2 | fa-solid-900.woff2 | use.fontawesome.com/releases/v5.7.1/webfonts/ | 73 KB | 73 KB | Font | font/woff2 |

Size is the decoded resource size, x-fer the bytes transferred on the wire. Note the asset mix: the Microsoft logo is hot-linked from the genuine Azure AD sign-in CDN (secure.aadcdn.microsoftonline-p.com), jQuery comes from an Intuit CDN, and the page's own stylesheet and images are parked on Cloudinary, Discord's attachment CDN and imgur. Only the 9 KB HTML document is served from the attacker-controlled storage account, which is why blocking on the landing host alone leaves these reusable third-party assets as the better pivot for finding sibling kits.
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)

8 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
- object: onselectstart
- object: onselectionchange
- function: queueMicrotask
- function: $
- function: jQuery
- function: getUrlVars
- undefined: number
- string: $pgurl0

Cookies
Cookies are small pieces of information stored in the user's browser. Whenever the user visits the site again, the browser sends the cookie values along, allowing the website to re-identify the user even from a different location. This is how persistent logins work. No cookies were recorded for this scan.
1 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
| Source | Level | URL | Text |
|---|---|---|---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
cdn.discordapp.com
i.imgur.com
outlookloffice365user64k.z19.web.core.windows.net
plugin.intuitcdn.net
res.cloudinary.com
secure.aadcdn.microsoftonline-p.com
ur89-20.azurewebsites.net
use.fontawesome.com
104.16.13.231
151.101.120.193
20.38.96.97
23.100.82.11
23.111.9.35
23.45.236.121
2a02:26f0:6c00:283::35c1
2a04:4e42::393
04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a
1513c0c74a617b9863b05d320c1983a09cec28b075307b98edba4a92576f438f
52600dd842dfe2b1de28fb0e8a9dd948be6b19ac2d9e4905dafaa4aa059802ac
8a102873a33f24f7eb22221e6b23c4f718e29f85168ecc769a35bfaed9b12cce
9c099acc093abd2df85eaa34052ad36fe69b6ed16582c14aecd2928baa3b63bf
9e6bd5b2d75bba485d2337d020750744983a3521ec697adfe21b29ee4f14f6a9
dae1dd4c9f81f6ae7a92974a903d67ba081b9bd5cd28f91788854ca25fb81f9e
e73bc447281a2b6d39fe47d8eea58cd085da17cbcdd0ac1f70fa553f994edb15