![](/screenshots/43babeb4-8856-47ed-98d7-54fa65cb5c1c.png)
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net
Open in
urlscan Pro
162.212.241.214
Malicious Activity!
Public Scan
Effective URL: https://login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%...
Submission: On July 30 via automatic, source certstream-suspicious
Summary
TLS certificate: Issued by GlobalSign RSA OV SSL CA 2018 on July 30th 2019. Valid for: a year.
This is the only time login.microsoftonline.com.office.prodoffice365.atrium.myshn.net was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
2 11 | 162.212.241.214 162.212.241.214 | 14807 (SHNAC1) (SHNAC1 - Skyhigh Networks Inc) | |
9 | 2620:1ec:bdf::10 2620:1ec:bdf::10 | 8068 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) | |
18 | 2 |
ASN14807 (SHNAC1 - Skyhigh Networks Inc, US)
ASN8068 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
aadcdn.msauth.net |
Apex Domain Subdomains |
Transfer | |
---|---|---|
11 |
myshn.net
2 redirects
attachments.office.net.office.prodoffice365.atrium.myshn.net login.microsoftonline.com.office.prodoffice365.atrium.myshn.net outlook.office365.com.office.prodoffice365.atrium.myshn.net r4.res.office365.com.office.prodoffice365.atrium.myshn.net |
729 KB |
9 |
msauth.net
aadcdn.msauth.net |
461 KB |
18 | 2 |
Domain | Requested by | |
---|---|---|
9 | aadcdn.msauth.net |
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net
aadcdn.msauth.net |
7 | r4.res.office365.com.office.prodoffice365.atrium.myshn.net |
outlook.office365.com.office.prodoffice365.atrium.myshn.net
|
2 | attachments.office.net.office.prodoffice365.atrium.myshn.net | 2 redirects |
1 | outlook.office365.com.office.prodoffice365.atrium.myshn.net |
aadcdn.msauth.net
|
1 | login.microsoftonline.com.office.prodoffice365.atrium.myshn.net | |
18 | 5 |
This site contains links to these domains. Also see Links.
Domain |
---|
www.microsoft.com.office.prodoffice365.atrium.myshn.net |
privacy.microsoft.com.office.prodoffice365.atrium.myshn.net |
Subject Issuer | Validity | Valid | |
---|---|---|---|
office.prodoffice365.atrium.myshn.net GlobalSign RSA OV SSL CA 2018 |
2019-07-30 - 2020-07-30 |
a year | crt.sh |
aadcdn.msauth.net Microsoft IT TLS CA 4 |
2018-11-07 - 2020-11-07 |
2 years | crt.sh |
This page contains 2 frames:
Primary Page:
https://login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fattachments.office.net.office.prodoffice365.atrium.myshn.net%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=c73cf8a5-7300-4cdd-9c23-b2cf6be08a07&protectedtoken=true&nonce=637000641560135292.17d53e62-c700-4d6e-be84-d77deffa76ab&state=DYtBEoAgCACxpueQKAr1HA28duz7cdi97GwCgD3YgkQhUGElImmlCxXu9a5nUevsUvGJhM3EcfrV0FTN1xoqY6Z4j_x-I_8
Frame ID: 7A399C81D666180C5C65D013488152C2
Requests: 10 HTTP requests in this frame
Frame:
https://outlook.office365.com.office.prodoffice365.atrium.myshn.net/owa/prefetch.aspx
Frame ID: 543C5978156EBFE9BFDEE420F3B1D773
Requests: 8 HTTP requests in this frame
Screenshot
![](/screenshots/43babeb4-8856-47ed-98d7-54fa65cb5c1c.png)
Page URL History Show full URLs
-
https://attachments.office.net.office.prodoffice365.atrium.myshn.net/
HTTP 302
https://attachments.office.net.office.prodoffice365.atrium.myshn.net/owa/ HTTP 302
https://login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redir... Page URL
Detected technologies
Detected patterns
- headers server /nginx(?:\/([\d.]+))?/i
Page Statistics
2 Outgoing links
These are links going to different origins than the main page.
Title: Terms of use
Search URL Search Domain Scan URL
Title: Privacy & cookies
Search URL Search Domain Scan URL
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://attachments.office.net.office.prodoffice365.atrium.myshn.net/
HTTP 302
https://attachments.office.net.office.prodoffice365.atrium.myshn.net/owa/ HTTP 302
https://login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fattachments.office.net.office.prodoffice365.atrium.myshn.net%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=c73cf8a5-7300-4cdd-9c23-b2cf6be08a07&protectedtoken=true&nonce=637000641560135292.17d53e62-c700-4d6e-be84-d77deffa76ab&state=DYtBEoAgCACxpueQKAr1HA28duz7cdi97GwCgD3YgkQhUGElImmlCxXu9a5nUevsUvGJhM3EcfrV0FTN1xoqY6Z4j_x-I_8 Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
18 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H/1.1 |
Primary Request
![]() login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2/ Redirect Chain
|
29 KB 13 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
converged.v2.login.min_eihab3wwm23ia-nkvubaww2.css
aadcdn.msauth.net/ests/2.1/content/cdnbundles/ |
99 KB 19 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ux.converged.login.pcore.min_qgmemp6whsrem51-khqjmg2.js
aadcdn.msauth.net/ests/2.1/content/cdnbundles/ |
567 KB 146 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ux.converged.login.strings-en.min_m6_6gc8vfflqvlkuqzgmpg2.js
aadcdn.msauth.net/ests/2.1/content/cdnbundles/ |
31 KB 10 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
![]() outlook.office365.com.office.prodoffice365.atrium.myshn.net/owa/ Frame 543C |
3 KB 2 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg
aadcdn.msauth.net/ests/2.1/content/images/ |
4 KB 2 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ellipsis_white_5ac590ee72bfe06a7cecfd75b588ad73.svg
aadcdn.msauth.net/ests/2.1/content/images/ |
915 B 563 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ellipsis_grey_2b5d393db04a5e6e1f739cb266e65b4c.svg
aadcdn.msauth.net/ests/2.1/content/images/ |
915 B 555 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
33-small_138bcee624fa04ef9b75e86211a9fe0d.jpg
aadcdn.msauth.net/ests/2.1/content/images/appbackgrounds/ |
3 KB 3 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
33_a5dbd4393ff6a725c7e62b61df7e72f0.jpg
aadcdn.msauth.net/ests/2.1/content/images/appbackgrounds/ |
277 KB 277 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
37_533e293f0c8947ada653b47c00e394e2.png
aadcdn.msauth.net/ests/2.1/content/images/applogos/ |
2 KB 2 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
boot.worldwide.0.mouse.js
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/scripts/ Frame 543C |
648 KB 176 KB |
Stylesheet
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
boot.worldwide.1.mouse.js
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/scripts/ Frame 543C |
644 KB 160 KB |
Stylesheet
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
boot.worldwide.2.mouse.js
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/scripts/ Frame 543C |
647 KB 167 KB |
Stylesheet
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
boot.worldwide.3.mouse.js
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/scripts/ Frame 543C |
646 KB 143 KB |
Stylesheet
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
sprite1.mouse.png
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/resources/images/0/ Frame 543C |
16 KB 17 KB |
Stylesheet
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
sprite1.mouse.css
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/resources/images/0/ Frame 543C |
7 KB 2 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
boot.worldwide.mouse.css
r4.res.office365.com.office.prodoffice365.atrium.myshn.net/owa/prem/16.3177.2.2704109/resources/styles/0/ Frame 543C |
227 KB 44 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)19 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onselectstart object| onselectionchange function| queueMicrotask object| $Config object| $Debug object| $Do function| $Loader object| $WebWatson function| GetString function| GetErrorString function| GetUrl object| $B object| ServerData function| webpackJsonp object| ko object| PROOF object| StringRepository boolean| __ConvergedLogin_PCore boolean| __6 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/ | Name: stsservicecookie Value: ests |
|
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/ | Name: fpc Value: AsEWrkwAVSpLptPwsHq23FI-NjKRAQAAAJvX0dQOAAAA |
|
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/ | Name: buid Value: AQABAAEAAAAP0wLlqdLVToOpA4kwzSnxTlO3f9-jb6OG61rq1_k2LBVQ5yC0pO_fTFMCv6osVM0Lq1lfGd9vHovYX6SkTToU5AIdml6W1TyYYc7Gj9YyZmalnBs2lGW6_aU4dlc_t8kgAA |
|
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/ | Name: x-ms-gateway-slice Value: prod |
|
.login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/ | Name: esctx Value: AQABAAAAAAAP0wLlqdLVToOpA4kwzSnxSqdKPOVafdgc1-5p4PVd6YIdD7-8e3WNnRKH1gxv6Uavl8W_0QI7p0XpVjVbaHjD_-hXHutzX6s5fURMz4d7eCfF-8qo2QDYi15mez6X1E3tJKC28kgxjn7sf9sTjKe8bL22xYoNAXDiw_VMfG9pev6sC-LHMDoHFCKsEBDWxU8gAA |
|
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net/common/oauth2 | Name: CkTst Value: G1564467356976 |
Security Headers
This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page
Header | Value |
---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains |
X-Content-Type-Options | nosniff |
X-Frame-Options | DENY |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
aadcdn.msauth.net
attachments.office.net.office.prodoffice365.atrium.myshn.net
login.microsoftonline.com.office.prodoffice365.atrium.myshn.net
outlook.office365.com.office.prodoffice365.atrium.myshn.net
r4.res.office365.com.office.prodoffice365.atrium.myshn.net
162.212.241.214
2620:1ec:bdf::10
04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a
05be5ab63f6a6dba8849706f2ae869706c964579968fb35059896389c0786f5a
0b5e3a0456cedbcf8108a2cb6304ff3efc61e504e7889de194816cff87192000
0fa2b179b0e2652b5befbfa696f12cd1dcebfbdc58def206a70c43c515fb9810
1543abbb97b68b13cb83996ed64cec53e1a1179ce9a21a8e85ca4aedc5f74644
16c3f6531d0fa5b4d16e82abf066233b2a9f284c068c663699313c09f5e8d6e6
211a907de2da0ff4a0e90917ac8054e2f35c351180977550c26e51b4909f2beb
33129f222345463087c34f69ebdd0c2146cd29c43e3e7e15a5e293783fddd8a3
461f87e55bba34c4d9248d1b45685ea832eba56c15ebf6cccf75d49f1547b502
4be411e7506a4347ac58a07eb4aa7ae98d57704db362dfb35edb16e7f8a8d9a8
6075736ea9c281d69c4a3d78ff97bb61b9416a5809919babe5a0c5596f99aaea
86b5b5f839dc0f734d4049b7a68db228c92e07e35f01ad7024b281079c85be3b
8dfade63d9153799d2f8a254edcff8718388ea8d65b5a0daf340fe0fb302270e
954bd482f102fd4b8d6db06d553233df847a5909fb04bc25f99451bbaea034a4
99190cfe65f919edb8071d84eee7096ec27561bc9b9fa396e55e0eb5e2cd0194
b4931428dc262e6d3f7112c8d20777d6a15842963589f3f9119d9827a00af1ed
b5d587f6c48a9b22bbe97150249e0c0655ac1780bd273431480a22f8a5bfef6c
f89e908280791803bbf1f33b596ff4a2179b355a8e15ad02ebaa2b1da11127ea