storage.googleapis.com
Open in
urlscan Pro
2a00:1450:4001:818::2010
Malicious Activity!
Public Scan
Effective URL: https://storage.googleapis.com/50n_oequest-client-id2c1750d9-e03e-4839-98be-dc60a3270uc60a3299/50app.htm
Submission: On February 26 via manual
Summary
TLS certificate: Issued by GTS CA 1O1 on February 12th 2020. Valid for: 3 months.
This is the only time storage.googleapis.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
1 | 2a00:1450:400... 2a00:1450:4001:818::2010 | 15169 (GOOGLE) (GOOGLE) | |
1 | 23.101.74.106 23.101.74.106 | 8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK) | |
3 | 52.58.255.168 52.58.255.168 | 16509 (AMAZON-02) (AMAZON-02) | |
1 | 192.237.225.141 192.237.225.141 | 19994 (RACKSPACE) (RACKSPACE) | |
1 | 143.204.202.34 143.204.202.34 | 16509 (AMAZON-02) (AMAZON-02) | |
1 | 151.101.12.193 151.101.12.193 | 54113 (FASTLY) (FASTLY) | |
8 | 6 |
ASN15169 (GOOGLE, US)
storage.googleapis.com |
ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
adfs.kiwacompany.com |
ASN16509 (AMAZON-02, US)
PTR: ec2-52-58-255-168.eu-central-1.compute.amazonaws.com
dentsuaegis.okta-emea.com |
ASN16509 (AMAZON-02, US)
PTR: server-143-204-202-34.fra53.r.cloudfront.net
login.okta.com |
Apex Domain Subdomains |
Transfer | |
---|---|---|
3 |
okta-emea.com
dentsuaegis.okta-emea.com |
452 KB |
1 |
imgur.com
i.imgur.com |
221 KB |
1 |
okta.com
login.okta.com |
|
1 |
microsoft.com
blogs.microsoft.com |
590 KB |
1 |
kiwacompany.com
adfs.kiwacompany.com |
21 KB |
1 |
googleapis.com
storage.googleapis.com |
90 KB |
8 | 6 |
Domain | Requested by | |
---|---|---|
3 | dentsuaegis.okta-emea.com |
storage.googleapis.com
|
1 | i.imgur.com | |
1 | login.okta.com |
dentsuaegis.okta-emea.com
|
1 | blogs.microsoft.com |
storage.googleapis.com
|
1 | adfs.kiwacompany.com |
storage.googleapis.com
|
1 | storage.googleapis.com | |
8 | 6 |
This site contains no links.
Subject Issuer | Validity | Valid | |
---|---|---|---|
*.storage.googleapis.com GTS CA 1O1 |
2020-02-12 - 2020-05-06 |
3 months | crt.sh |
*.kiwacompany.com GlobalSign Organization Validation CA - SHA256 - G2 |
2019-02-11 - 2021-05-16 |
2 years | crt.sh |
*.okta-emea.com DigiCert SHA2 High Assurance Server CA |
2018-05-16 - 2020-05-15 |
2 years | crt.sh |
accounts.okta.com DigiCert SHA2 High Assurance Server CA |
2019-07-29 - 2021-07-29 |
2 years | crt.sh |
*.imgur.com DigiCert SHA2 Secure Server CA |
2020-01-15 - 2022-03-16 |
2 years | crt.sh |
This page contains 2 frames:
Primary Page:
https://storage.googleapis.com/50n_oequest-client-id2c1750d9-e03e-4839-98be-dc60a3270uc60a3299/50app.htm
Frame ID: 40702B890C2E8CF665D88578BAEDA309
Requests: 7 HTTP requests in this frame
Frame:
https://login.okta.com/discovery/iframe.html
Frame ID: 6C11C79F2FFF4EC9C8B87FAD4BED385B
Requests: 1 HTTP requests in this frame
0 Outgoing links
These are links going to different origins than the main page.
Redirected requests
There were HTTP redirect chains for the following requests:
8 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
Primary Request
50app.htm
storage.googleapis.com/50n_oequest-client-id2c1750d9-e03e-4839-98be-dc60a3270uc60a3299/ |
89 KB 90 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
style.css
adfs.kiwacompany.com/adfs/portal/css/ |
21 KB 21 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
okta-login-page.min.f2d34f4f1005894f76211debc41e459a.css
dentsuaegis.okta-emea.com/assets/loginpage/css/ |
178 KB 35 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
initLoginPage.pack.479dd4e1fce2ee689a0b388b9bf57159.js
dentsuaegis.okta-emea.com/assets/js/mvc/loginpage/ |
1 MB 414 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
office365.4d711d1fe185fdc7fce851dd80cbf15d.png
dentsuaegis.okta-emea.com/assets/img/logos/ |
3 KB 3 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
8867.Microsoft_5F00_Logo_2D00_for_2D00_screen.jpg
blogs.microsoft.com/wp-content/uploads/2012/08/ |
589 KB 590 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
iframe.html
login.okta.com/discovery/ Frame 6C11 |
0 0 |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
wfKy3rD.jpg
i.imgur.com/ |
221 KB 221 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)23 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onformdata object| onpointerrawupdate object| okta function| LoginErrors number| maxPasswordLength function| InputUtil function| SelectOption function| Login function| runLoginPage object| OktaLogin object| jQBrowser function| jQueryCourage object| Backbone object| __core-js_shared__ object| core object| global object| System function| asap function| Observable function| setImmediate function| clearImmediate object| regeneratorRuntime boolean| _babelPolyfill0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
1 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
Source | Level | URL Text |
---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
adfs.kiwacompany.com
blogs.microsoft.com
dentsuaegis.okta-emea.com
i.imgur.com
login.okta.com
storage.googleapis.com
143.204.202.34
151.101.12.193
192.237.225.141
23.101.74.106
2a00:1450:4001:818::2010
52.58.255.168
2613297637f1c4fdb3d9cbfa6434cfc25c3651ac5e89e62c533fee49836613ba
2db302f683343cfb742ba979146e931c3a0b3fa686447b1cc34423222bd549b7
838963b33cff0c5fe540aa29bd5268881fe6077efde821c1adbd67d607db4f81
a08cd808a2eb95f330728db82226d2f77173d27f99d65d32f9000114945a86f4
c6201b38dbd27def1c71266ddb396c47113c84138e8cbce12822425693f4ad0e
cc0fbf132291d540415f55e41b34e58bbb32e762628fa084f7542b19688e8760
dae1dd4c9f81f6ae7a92974a903d67ba081b9bd5cd28f91788854ca25fb81f9e