login.office.com.onmicrosophtdrive.xyz
Open in
urlscan Pro
162.241.29.89
Malicious Activity!
Public Scan
Effective URL: https://login.office.com.onmicrosophtdrive.xyz/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&r...
Submission: On June 10 via manual from US
Summary
TLS certificate: Issued by Let's Encrypt Authority X3 on June 5th 2019. Valid for: 3 months.
This is the only time login.office.com.onmicrosophtdrive.xyz was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
1 1 | 2606:4700:20:... 2606:4700:20::6819:2f1e | 13335 (CLOUDFLAR...) (CLOUDFLARENET - Cloudflare) | |
1 1 | 41.203.16.156 41.203.16.156 | 37153 (HETZNER) (HETZNER) | |
3 5 | 162.241.29.89 162.241.29.89 | 46606 (UNIFIEDLA...) (UNIFIEDLAYER-AS-1 - Unified Layer) | |
8 | 152.199.23.37 152.199.23.37 | 15133 (EDGECAST) (EDGECAST - MCI Communications Services) | |
11 | 3 |
ASN13335 (CLOUDFLARENET - Cloudflare, Inc., US)
emarketing.imprezahost.com |
ASN46606 (UNIFIEDLAYER-AS-1 - Unified Layer, US)
PTR: 162-241-29-89.unifiedlayer.com
login.office.com.onmicrosophtdrive.xyz | |
www.office.com.onmicrosophtdrive.xyz |
ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US)
aadcdn.msftauth.net |
Apex Domain Subdomains |
Transfer | |
---|---|---|
8 |
msftauth.net
aadcdn.msftauth.net |
455 KB |
5 |
onmicrosophtdrive.xyz
3 redirects
login.office.com.onmicrosophtdrive.xyz www.office.com.onmicrosophtdrive.xyz www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz Failed |
37 KB |
1 |
eng.co.za
1 redirects
www.dev.eng.co.za |
269 B |
1 |
imprezahost.com
1 redirects
emarketing.imprezahost.com |
559 B |
11 | 4 |
Domain | Requested by | |
---|---|---|
8 | aadcdn.msftauth.net |
login.office.com.onmicrosophtdrive.xyz
aadcdn.msftauth.net |
4 | login.office.com.onmicrosophtdrive.xyz |
2 redirects
aadcdn.msftauth.net
|
1 | www.office.com.onmicrosophtdrive.xyz | 1 redirects |
1 | www.dev.eng.co.za | 1 redirects |
1 | emarketing.imprezahost.com | 1 redirects |
0 | www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz Failed |
aadcdn.msftauth.net
|
11 | 6 |
This site contains links to these domains. Also see Links.
Domain |
---|
login.live.com |
www.microsoft.com |
privacy.microsoft.com |
Subject Issuer | Validity | Valid | |
---|---|---|---|
login.office.com.onmicrosophtdrive.xyz Let's Encrypt Authority X3 |
2019-06-05 - 2019-09-03 |
3 months | crt.sh |
aadcdn.msftauth.net Microsoft IT TLS CA 5 |
2018-11-07 - 2020-11-07 |
2 years | crt.sh |
This page contains 2 frames:
Primary Page:
https://login.office.com.onmicrosophtdrive.xyz/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3d6k21ET0ywtvXdofmkVgpnar4P27Qsbd5VzyIBlZuLFMp2IIwwwZRTROE8RFLQaDrhGSCWvG-MsWnRlCa8G_BIFTAjlSUWwQVwOyLnnaH17XRx4CZDOjEt6_L2ACMfrWu&nonce=636957735226146229.MGNiNjViODItYmQ2ZS00ODBkLWE2NjctY2FjMzkyNTlhNDRkYmI3ZmJmNWYtZTAyMy00NmEwLWI2NjktNDgxZjAxYmU5MzRl&redirect_uri=https%3a%2f%2fwww.office.com%2f&ui_locales=en-US&mkt=en-US
Frame ID: 5F739A6201BB2FF0EBED0E46F890FA1B
Requests: 10 HTTP requests in this frame
Frame:
https://www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz/prefetch/prefetch
Frame ID: 7CE11293B4A4AAEC7897E33DA918908A
Requests: 1 HTTP requests in this frame
Screenshot
Page URL History Show full URLs
-
https://emarketing.imprezahost.com/campaigns/sg513ed68l889/track-url/tx075hv04zd8a/9108e2fb7a4f9a0153d516daa718...
HTTP 301
https://www.dev.eng.co.za/sites/default/files/config.php HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/dQeMfXtQ HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/ HTTP 302
https://www.office.com.onmicrosophtdrive.xyz/login HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&respo... Page URL
Detected technologies
Knockout.js (JavaScript Frameworks) ExpandDetected patterns
- env /^ko$/i
webpack (Miscellaneous) Expand
Detected patterns
- env /^webpackJsonp$/i
Page Statistics
3 Outgoing links
These are links going to different origins than the main page.
Title: Create one!
Search URL Search Domain Scan URL
Title: Terms of use
Search URL Search Domain Scan URL
Title: Privacy & cookies
Search URL Search Domain Scan URL
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://emarketing.imprezahost.com/campaigns/sg513ed68l889/track-url/tx075hv04zd8a/9108e2fb7a4f9a0153d516daa71826c7aab01489
HTTP 301
https://www.dev.eng.co.za/sites/default/files/config.php HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/dQeMfXtQ HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/ HTTP 302
https://www.office.com.onmicrosophtdrive.xyz/login HTTP 302
https://login.office.com.onmicrosophtdrive.xyz/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3d6k21ET0ywtvXdofmkVgpnar4P27Qsbd5VzyIBlZuLFMp2IIwwwZRTROE8RFLQaDrhGSCWvG-MsWnRlCa8G_BIFTAjlSUWwQVwOyLnnaH17XRx4CZDOjEt6_L2ACMfrWu&nonce=636957735226146229.MGNiNjViODItYmQ2ZS00ODBkLWE2NjctY2FjMzkyNTlhNDRkYmI3ZmJmNWYtZTAyMy00NmEwLWI2NjktNDgxZjAxYmU5MzRl&redirect_uri=https%3a%2f%2fwww.office.com%2f&ui_locales=en-US&mkt=en-US Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
11 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H/1.1 |
Primary Request
Cookie set
authorize
login.office.com.onmicrosophtdrive.xyz/common/oauth2/ Redirect Chain
|
32 KB 33 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
converged.v2.login.min_z1htakqfwzrhpmx9_wmc6w2.css
aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ |
99 KB 19 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ux.converged.login.pcore.min_qsib_xcszy_tpu0gidz6sq2.js
aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ |
553 KB 144 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ux.converged.login.strings-en.min_ll9-c1j1nju3y_dxmtyxnq2.js
aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ |
32 KB 10 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET |
prefetch
www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz/prefetch/ Frame 7CE1 |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg
aadcdn.msftauth.net/ests/2.1/content/images/ |
4 KB 2 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ellipsis_white_5ac590ee72bfe06a7cecfd75b588ad73.svg
aadcdn.msftauth.net/ests/2.1/content/images/ |
915 B 430 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ellipsis_grey_2b5d393db04a5e6e1f739cb266e65b4c.svg
aadcdn.msftauth.net/ests/2.1/content/images/ |
915 B 646 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
0-small_138bcee624fa04ef9b75e86211a9fe0d.jpg
aadcdn.msftauth.net/ests/2.1/content/images/backgrounds/ |
3 KB 3 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
0_a5dbd4393ff6a725c7e62b61df7e72f0.jpg
aadcdn.msftauth.net/ests/2.1/content/images/backgrounds/ |
277 KB 277 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
POST H/1.1 |
reportpageload
login.office.com.onmicrosophtdrive.xyz/common/instrumentation/ |
264 B 950 B |
XHR
application/json |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Failed requests
These URLs were requested, but there was no response received. You will also see them in the list above.
- Domain
- www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz
- URL
- https://www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz/prefetch/prefetch
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)19 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onselectstart object| onselectionchange function| queueMicrotask object| $Config object| $Debug object| $Do function| $Loader object| $WebWatson function| GetString function| GetErrorString function| GetUrl object| $B object| ServerData function| webpackJsonp object| ko object| PROOF object| StringRepository boolean| __ConvergedLogin_PCore boolean| __7 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
login.office.com.onmicrosophtdrive.xyz/ | Name: stsservicecookie Value: ests |
|
.login.office.com.onmicrosophtdrive.xyz/ | Name: esctx Value: AQABAAAAAADCoMpjJXrxTq9VG9te-7FXUwPIViYkKqeELjayfk-Vhc3ueD5mRW2zZE8o_w_oNi6uD68pLqMVT95088XG6lNXjXC--VqHh3_i24XDDuUkRBssjCTK4GyO5DQi2YLG8OUubQhAZh9A1Jm5ca8WAUiyma87rFYWgMp9EBBzjmrK9Vv4xYyAZPiQ2Z6Pproc8LwgAA |
|
login.office.com.onmicrosophtdrive.xyz/ | Name: buid Value: AQABAAEAAADCoMpjJXrxTq9VG9te-7FXxGnTjC73vkFP4uWZf6GHeL0GrwF5ydXdtCWsSBDyYWj32J6eYjU2aTSfAMCmkDmySL98G2MSVVrQ3EnSsPNG8TkDRc-bgtk52s15r29vKgQgAA |
|
login.office.com.onmicrosophtdrive.xyz/ | Name: x-ms-gateway-slice Value: prod |
|
login.office.com.onmicrosophtdrive.xyz/ | Name: fpc Value: AsM6CCk7_gFNjoDS3uiulrh9Hyj2AQAAAFJfkNQOAAAA |
|
.office.com.onmicrosophtdrive.xyz/ | Name: MUID Value: 06F887471275602332168A30131961C9 |
|
login.office.com.onmicrosophtdrive.xyz/common/oauth2 | Name: CkTst Value: G1560176723900 |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
aadcdn.msftauth.net
emarketing.imprezahost.com
login.office.com.onmicrosophtdrive.xyz
www.dev.eng.co.za
www.office.com.onmicrosophtdrive.xyz
www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz
www.office.com.onmicrosophtdrive.xyz.onmicrosophtdrive.xyz
152.199.23.37
162.241.29.89
2606:4700:20::6819:2f1e
41.203.16.156
04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a
16c3f6531d0fa5b4d16e82abf066233b2a9f284c068c663699313c09f5e8d6e6
211a907de2da0ff4a0e90917ac8054e2f35c351180977550c26e51b4909f2beb
3bd365bb4995a7bff9aa998a5233f3cc1217bdb27d4e32650d3c6a8fd70280fe
5d7cccb04c07e6fee3b2dda8ab08c0b7e73ff09b3202e1e49e0e15a2c06c48e4
6075736ea9c281d69c4a3d78ff97bb61b9416a5809919babe5a0c5596f99aaea
b2ee81ba8d9bd95224eb0d68942999c0cec24826221526bd6758361cddae8648
bbc357d53cb02e47dceb5928070a6ff8a5d3ffd4701bb3cf88eb4e4c4f111328
c8c35cc0013c75828170dd5753df338b0667ce37a2dca2a5d32a44b582efba50
f89e908280791803bbf1f33b596ff4a2179b355a8e15ad02ebaa2b1da11127ea