outlook.safesurf-secureaccess.com Open in urlscan Pro
116.203.197.71 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop
Submission: On October 27 via automatic, source openphish (October 27th 2022, 1:25:08 pm UTC) — Scanned from DE

Summary HTTP 16 Redirects Behaviour Indicators

Summary

This website contacted 4 IPs in 2 countries across 3 domains to perform 16 HTTP transactions. The main IP is 116.203.197.71, located in Germany and belongs to HETZNER-AS, DE. The main domain is outlook.safesurf-secureaccess.com.
TLS certificate: Issued by R3 on August 26th 2022. Valid for: 3 months.

This is the only time outlook.safesurf-secureaccess.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Outlook Web Access (Online)

Domain & IP information

	IP Address	AS Autonomous System
13	116.203.197.71 116.203.197.71	24940 (HETZNER-AS) (HETZNER-AS)
1 3	2a00:1450:400... 2a00:1450:4001:829::200d	15169 (GOOGLE) (GOOGLE)
1 1	2a00:1450:400... 2a00:1450:4001:829::200e	15169 (GOOGLE) (GOOGLE)
1	104.244.42.193 104.244.42.193	13414 (TWITTER) (TWITTER)
16	4

13 116.203.197.71 (Germany)

ASN24940 (HETZNER-AS, DE)
PTR: mail.cloudserver329.com

outlook.safesurf-secureaccess.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 2a00:1450:4001:829::200d (Frankfurt am Main, Germany) 1 redirects

ASN15169 (GOOGLE, US)

accounts.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:829::200e (Frankfurt am Main, Germany) 1 redirects

ASN15169 (GOOGLE, US)

plus.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 104.244.42.193 (United States)

ASN13414 (TWITTER, US)

twitter.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
13	safesurf-secureaccess.com outlook.safesurf-secureaccess.com	89 KB
4	google.com 2 redirects accounts.google.com — Cisco Umbrella Rank: 83 plus.google.com — Cisco Umbrella Rank: 7738	3 KB
1	twitter.com twitter.com — Cisco Umbrella Rank: 201
16	3

	Domain	Requested by
13	outlook.safesurf-secureaccess.com	outlook.safesurf-secureaccess.com
3	accounts.google.com	1 redirects outlook.safesurf-secureaccess.com
1	twitter.com	outlook.safesurf-secureaccess.com
1	plus.google.com	1 redirects
16	4

This site contains no links.

Subject Issuer	Validity	Valid
outlook.safesurf-secureaccess.com R3	`2022-08-26` - `2022-11-24`	3 months	crt.sh
accounts.google.com GTS CA 1C3	`2022-09-26` - `2022-12-19`	3 months	crt.sh
twitter.com DigiCert TLS Hybrid ECC SHA384 2020 CA1	`2022-03-07` - `2023-03-06`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop
Frame ID: 79EB3F27F9BE9CA40180F515DDCA4984
Requests: 17 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Outlook

Detected technologies

TrackJs (Analytics) Expand

Overall confidence: 100%
Detected patterns

tracker\.js

Page Statistics

16
Requests

94 %
HTTPS

50 %
IPv6

3
Domains

4
Subdomains

4
IPs

2
Countries

89 kB
Transfer

98 kB
Size

4
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 9

https://plus.google.com/up/?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png&type=st&gpsrc=ogpy0 HTTP 302
https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://plus.google.com/up/?continue%3Dhttps://www.google.com/intl/en/images/logos/accounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&followup=https://plus.google.com/up/?continue%3Dhttps://www.google.com/intl/en/images/logos/accounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0 HTTP 302
https://accounts.google.com/v3/signin/identifier?dsh=S-1056382085%3A1666877104398056&continue=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&followup=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AQDHYWoJOUy8ATCOlLnLT2tdXWveBoL1gi8XjZTFHkpBxLWGBT1BCDe0gOmlggS32PhlH3lTmPFdtg

16 HTTP transactions
1 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	Primary Request kv1ua0kbzgcq9iop Show response outlook.safesurf-secureaccess.com/	17 KB 6 KB	287ms 264ms	Document text/html	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `f7439c4b416d59b9e14680626448d83b6eb2962a5f33025a4ab344a9f8171a39` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers Access-Control-Allow-Headers * Access-Control-Allow-Methods * Access-Control-Allow-Origin * Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection Keep-Alive Content-Encoding gzip Content-Length 5346 Content-Type text/html; charset=UTF-8 Date Thu, 27 Oct 2022 13:25:03 GMT Expires Thu, 19 Nov 1981 08:52:00 GMT Keep-Alive timeout=5, max=100 Pragma no-cache Server Lucy Vary Accept-Encoding
GET H/1.1	200 OK	events.js Show response outlook.safesurf-secureaccess.com/js/	558 B 917 B	5ms 5ms	Script text/javascript	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/js/events.js Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `a8f7e59c2a6d75c51e1898b2d1ff9f6f666caad39a12d215e506202fce2ce150` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/javascript;charset=UTF-8 Access-Control-Allow-Origin * Cache-Control max-age=86400 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 558 Keep-Alive timeout=5, max=99 Expires Fri, 28 Oct 2022 13:25:04 GMT
GET H/1.1	200 OK	b64FFXrMp.png outlook.safesurf-secureaccess.com/public/campaign/130/147/11/	2 KB 3 KB	10ms 5ms	Image image/png	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Show image Full URL https://outlook.safesurf-secureaccess.com/public/campaign/130/147/11/b64FFXrMp.png Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `d9ed6586942003696afe4e52b09f343f8342244b51a9e175b75162d7e615207b` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Last-Modified Thu, 22 Sep 2022 16:03:10 GMT Server Lucy ETag "9c7-5e94632a5549b" Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=98 Content-Length 2503
GET H/1.1	200 OK	b64FqoqcQ.png outlook.safesurf-secureaccess.com/public/campaign/130/147/11/	4 KB 4 KB	12ms 4ms	Image image/png	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Show image Full URL https://outlook.safesurf-secureaccess.com/public/campaign/130/147/11/b64FqoqcQ.png Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `4de8fc175826d9f78fce9f9f2b71a63fe832fc7507e0394125c823b0909fa54a` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Last-Modified Thu, 22 Sep 2022 16:03:10 GMT Server Lucy ETag "e0b-5e94632a5549b" Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 3595
GET H/1.1	200 OK	b64yl6KCg.png outlook.safesurf-secureaccess.com/public/campaign/130/147/11/	8 KB 8 KB	14ms 4ms	Image image/png	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Show image Full URL https://outlook.safesurf-secureaccess.com/public/campaign/130/147/11/b64yl6KCg.png Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `a7c14ee84d81a536a4cd54e3a144f388f2174a4a5c409ae118ea49f0da6b4aa6` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Last-Modified Thu, 22 Sep 2022 16:03:10 GMT Server Lucy ETag "1e42-5e94632a5549b" Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=98 Content-Length 7746
GET H/1.1	200 OK	b64U5zr3G.png outlook.safesurf-secureaccess.com/public/campaign/130/147/11/	1 KB 2 KB	15ms 4ms	Image image/png	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Show image Full URL https://outlook.safesurf-secureaccess.com/public/campaign/130/147/11/b64U5zr3G.png Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `07f38b8b8c1f96ed85ecd96988f0454a95d1f665427086a507c72e55ff3ce0e7` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Last-Modified Thu, 22 Sep 2022 16:03:10 GMT Server Lucy ETag "5a1-5e94632a5549b" Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 1441
GET H/1.1	200 OK	timeme.min.js Show response outlook.safesurf-secureaccess.com/js/	4 KB 4 KB	5ms 4ms	Script text/javascript	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/js/timeme.min.js Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `3ae66a8d261814acf0678914f1832973fe5be31912abf545f81fe4f97fd707dd` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/javascript;charset=UTF-8 Access-Control-Allow-Origin * Cache-Control max-age=86400 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 4210 Keep-Alive timeout=5, max=97 Expires Fri, 28 Oct 2022 13:25:04 GMT
GET H/1.1	200 OK	time-tracker.js Show response outlook.safesurf-secureaccess.com/js/	2 KB 2 KB	5ms 5ms	Script text/javascript	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/js/time-tracker.js Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `ce5b41bb9e310321a957d16cbd21b476c2f68454eb3eb6c5f79a3f3e823908c0` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/javascript;charset=UTF-8 Access-Control-Allow-Origin * Cache-Control max-age=86400 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 1597 Keep-Alive timeout=5, max=100 Expires Fri, 28 Oct 2022 13:25:04 GMT
GET H/1.1	200 OK	analyse.js Show response outlook.safesurf-secureaccess.com/js/	3 KB 3 KB	10ms 4ms	Script text/javascript	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/js/analyse.js Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `df44e74c857de0cd2b94ae343fe1afced4203aacb6dce3a7107338b0c9a76593` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/javascript;charset=UTF-8 Access-Control-Allow-Origin * Cache-Control max-age=86400 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 2938 Keep-Alive timeout=5, max=99 Expires Fri, 28 Oct 2022 13:25:04 GMT
GET H2	400	CheckCookie accounts.google.com/	0 0	61ms 33ms	Image text/html	2a00:1450:4001:829::200d GOOGLE
General Check archive.org Show headers Download Go to Show image Full URL https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&followup=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&chtml=LoginDoneHtml&checkedDomains=youtube&checkConnection=youtube%3A291%3A1 Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a00:1450:4001:829::200d Frankfurt am Main, Germany, ASN15169 (GOOGLE, US), Reverse DNS Software / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/ User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers
GET H3	403	identifier accounts.google.com/v3/signin/ Redirect Chain https://plus.google.com/up/?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png&type=st&gpsrc=ogpy0 https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://plus.google.com/up/?continue%3Dhttps://www.google.com/intl/en/images/logos/accounts_logo.png%26type%3Dst%26gpsrc%3Do... https://accounts.google.com/v3/signin/identifier?dsh=S-1056382085%3A1666877104398056&continue=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2F...	0 0	58ms 57ms	Image text/html	2a00:1450:4001:829::200d GOOGLE
General Check archive.org Show headers Download Go to Show image Full URL https://accounts.google.com/v3/signin/identifier?dsh=S-1056382085%3A1666877104398056&continue=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&followup=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AQDHYWoJOUy8ATCOlLnLT2tdXWveBoL1gi8XjZTFHkpBxLWGBT1BCDe0gOmlggS32PhlH3lTmPFdtg Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol H3 Server 2a00:1450:4001:829::200d Frankfurt am Main, Germany, ASN15169 (GOOGLE, US), Reverse DNS Software / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/ User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Redirect headers date Thu, 27 Oct 2022 13:25:04 GMT strict-transport-security max-age=31536000; includeSubDomains content-encoding gzip content-security-policy script-src 'report-sample' 'nonce-CSc1M9ZLgA-V5xIs_KRH8g' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport, require-trusted-types-for 'script';report-uri /cspreport x-content-type-options nosniff alt-svc h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" content-length 443 x-xss-protection 1; mode=block pragma no-cache server GSE x-frame-options DENY report-to {"group":"coop_gse_qebhlk","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_qebhlk"}]} content-type text/html; charset=UTF-8 location https://accounts.google.com/v3/signin/identifier?dsh=S-1056382085%3A1666877104398056&continue=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&followup=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AQDHYWoJOUy8ATCOlLnLT2tdXWveBoL1gi8XjZTFHkpBxLWGBT1BCDe0gOmlggS32PhlH3lTmPFdtg cache-control no-cache, no-store, max-age=0, must-revalidate cross-origin-opener-policy-report-only same-origin; report-to="coop_gse_qebhlk" expires Mon, 01 Jan 1990 00:00:00 GMT
GET H2	200	login twitter.com/	0 0	390ms 199ms	Image text/html	104.244.42.193 TWITTER
General Check archive.org Show headers Download Go to Show image Full URL https://twitter.com/login?redirect_after_login=/favicon.ico Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol H2 Security TLS 1.3, , AES_128_GCM Server 104.244.42.193 , United States, ASN13414 (TWITTER, US), Reverse DNS Software / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers accept-language de-DE,de;q=0.9 Referer https://outlook.safesurf-secureaccess.com/ User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers
GET DATA	200 OK	truncated /	1 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `6710ee6e22d5e3e82f70554804806c37aac5789b110d944383ea393d93eb627a` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Content-Type image/png
GET H/1.1	200 OK	segoeui-regular.ttf outlook.safesurf-secureaccess.com/public/campaign/130/147/11/	55 KB 56 KB	7ms 4ms	Font application/font-sfnt	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/public/campaign/130/147/11/segoeui-regular.ttf Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `c147c2ec76a8ab8bd5082f1f4d3f80a43c689165cb164cdd812e44048fe38708` Request headers Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Origin https://outlook.safesurf-secureaccess.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Response headers Date Thu, 27 Oct 2022 13:25:04 GMT Last-Modified Thu, 22 Sep 2022 16:03:10 GMT Server Lucy ETag "ddb8-5e94632a5549b" Content-Type application/font-sfnt Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=96 Content-Length 56760
POST H/1.1	200 OK	run-analyse Show response outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop/	0 419 B	123ms 123ms	XHR text/html	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop/run-analyse Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Content-Type multipart/form-data; boundary=----WebKitFormBoundarylBUdvhKtecwqRB4B Response headers Pragma no-cache Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/html; charset=UTF-8 Access-Control-Allow-Origin * Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 0 Keep-Alive timeout=5, max=95 Expires Thu, 19 Nov 1981 08:52:00 GMT
POST H/1.1	200 OK	run-analyse Show response outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop/	0 419 B	118ms 118ms	XHR text/html	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop/run-analyse Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Content-Type multipart/form-data; boundary=----WebKitFormBoundaryT27VQ4neD3cNvrGd Response headers Pragma no-cache Date Thu, 27 Oct 2022 13:25:04 GMT Server Lucy Access-Control-Allow-Methods * Content-Type text/html; charset=UTF-8 Access-Control-Allow-Origin * Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 0 Keep-Alive timeout=5, max=99 Expires Thu, 19 Nov 1981 08:52:00 GMT
POST H/1.1	200 OK	track-time outlook.safesurf-secureaccess.com/scenario/	0 589 B	162ms 162ms	Ping text/html	116.203.197.71 HETZNER-AS
General Check archive.org Show headers Download Go to Full URL https://outlook.safesurf-secureaccess.com/scenario/track-time Requested by Host: outlook.safesurf-secureaccess.com URL: https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 116.203.197.71 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS mail.cloudserver329.com Software Lucy / Resource Hash `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` Request headers Referer https://outlook.safesurf-secureaccess.com/kv1ua0kbzgcq9iop accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Content-Type text/plain;charset=UTF-8 Response headers Pragma no-cache Date Thu, 27 Oct 2022 13:25:05 GMT Server Lucy Access-Control-Max-Age 86400 Access-Control-Allow-Methods * Content-Type text/html; charset=UTF-8 Access-Control-Allow-Origin * Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Access-Control-Allow-Credentials true Connection Keep-Alive Access-Control-Allow-Headers * Content-Length 0 Keep-Alive timeout=5, max=98 Expires Thu, 19 Nov 1981 08:52:00 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Outlook Web Access (Online)

24 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

4 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
outlook.safesurf-secureaccess.com/	1969-12-31 23:59:59	Name: PHPSESSID Value: u3ka9prkpp9bvlgpa9lq6lagt4
outlook.safesurf-secureaccess.com/	1970-01-20 07:44:29	Name: link Value: kv1ua0kbzgcq9iop
.google.com/	1970-01-20 11:24:48	Name: NID Value: 511=OFFKYSiWg1K0Tyg-rkhtCznRJmNriFHCoUjcSNp-IjzMbCsTXYPSYccdAKYwoCUKXKlMAG9pX9zDpVa9g99QcB8hMJXVx3tZhqwLwVdkfAthbR8k2g-CUj1XtePujo1X5PjqAhm_7amMfwjGcnPsCqr2yT4t-14D_iwL21E1mHA
.twitter.com/	1970-01-20 16:31:31	Name: guest_id Value: v1%3A166687710456026324

2 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
network	error	URL: https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&followup=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png&chtml=LoginDoneHtml&checkedDomains=youtube&checkConnection=youtube%3A291%3A1 Message: Failed to load resource: the server responded with a status of 400 ()
network	error	URL: https://accounts.google.com/v3/signin/identifier?dsh=S-1056382085%3A1666877104398056&continue=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&followup=https%3A%2F%2Fplus.google.com%2Fup%2F%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png%26type%3Dst%26gpsrc%3Dogpy0&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AQDHYWoJOUy8ATCOlLnLT2tdXWveBoL1gi8XjZTFHkpBxLWGBT1BCDe0gOmlggS32PhlH3lTmPFdtg Message: Failed to load resource: the server responded with a status of 403 ()

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

accounts.google.com
outlook.safesurf-secureaccess.com
plus.google.com
twitter.com
104.244.42.193
116.203.197.71
2a00:1450:4001:829::200d
2a00:1450:4001:829::200e
07f38b8b8c1f96ed85ecd96988f0454a95d1f665427086a507c72e55ff3ce0e7
3ae66a8d261814acf0678914f1832973fe5be31912abf545f81fe4f97fd707dd
4de8fc175826d9f78fce9f9f2b71a63fe832fc7507e0394125c823b0909fa54a
6710ee6e22d5e3e82f70554804806c37aac5789b110d944383ea393d93eb627a
a7c14ee84d81a536a4cd54e3a144f388f2174a4a5c409ae118ea49f0da6b4aa6
a8f7e59c2a6d75c51e1898b2d1ff9f6f666caad39a12d215e506202fce2ce150
c147c2ec76a8ab8bd5082f1f4d3f80a43c689165cb164cdd812e44048fe38708
ce5b41bb9e310321a957d16cbd21b476c2f68454eb3eb6c5f79a3f3e823908c0
d9ed6586942003696afe4e52b09f343f8342244b51a9e175b75162d7e615207b
df44e74c857de0cd2b94ae343fe1afced4203aacb6dce3a7107338b0c9a76593
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
f7439c4b416d59b9e14680626448d83b6eb2962a5f33025a4ab344a9f8171a39

outlook.safesurf-secureaccess.com Open in urlscan Pro 116.203.197.71 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Detected technologies

Page Statistics

16 Requests

94 %HTTPS

50 %IPv6

3 Domains

4 Subdomains

4 IPs

2 Countries

89 kBTransfer

98 kBSize

4 Cookies

0 Outgoing links

Redirected requests

16 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 1 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

24 JavaScript Global Variables

4 Cookies

2 Console Messages

Indicators

outlook.safesurf-secureaccess.com Open in urlscan Pro
116.203.197.71 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

16
Requests

94 %
HTTPS

50 %
IPv6

3
Domains

4
Subdomains

4
IPs

2
Countries

89 kB
Transfer

98 kB
Size

4
Cookies

16 HTTP transactions
1 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!