fs.auth.wfp.org
Open in
urlscan Pro
217.118.241.83
Malicious Activity!
Public Scan
Effective URL: https://fs.auth.wfp.org/adfs/ls/?client-request-id=d74a2a5e-f37f-41b1-a792-a0ef4ecccf09&username=&wa=wsignin1.0&wtrealm=...
Submission: On October 24 via manual from GB
Summary
TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on April 30th 2019. Valid for: 2 years.
This is the only time fs.auth.wfp.org was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
9 | 111.90.142.105 111.90.142.105 | 45839 (SHINJIRU-...) (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd) | |
1 1 | 40.97.161.50 40.97.161.50 | 8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) | |
3 3 | 2603:1026:204::2 2603:1026:204::2 | 8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) | |
1 1 | 20.190.129.160 20.190.129.160 | 8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation) | |
4 | 217.118.241.83 217.118.241.83 | 31144 (ASWFP) (ASWFP) | |
13 | 2 |
ASN45839 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, MY)
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com |
ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
outlook.com |
ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
www.outlook.com | |
outlook.office365.com |
ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)
login.microsoftonline.com |
Apex Domain Subdomains |
Transfer | |
---|---|---|
9 |
session-services.com
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com |
44 KB |
4 |
wfp.org
fs.auth.wfp.org |
160 KB |
2 |
office365.com
2 redirects
outlook.office365.com |
6 KB |
2 |
outlook.com
2 redirects
outlook.com www.outlook.com |
898 B |
1 |
microsoftonline.com
1 redirects
login.microsoftonline.com |
2 KB |
13 | 5 |
Domain | Requested by | |
---|---|---|
9 | fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com |
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com
|
4 | fs.auth.wfp.org |
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com
fs.auth.wfp.org |
2 | outlook.office365.com | 2 redirects |
1 | login.microsoftonline.com | 1 redirects |
1 | www.outlook.com | 1 redirects |
1 | outlook.com | 1 redirects |
13 | 6 |
This site contains no links.
Subject Issuer | Validity | Valid | |
---|---|---|---|
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com cPanel, Inc. Certification Authority |
2019-08-25 - 2019-11-23 |
3 months | crt.sh |
*.auth.wfp.org Sectigo RSA Domain Validation Secure Server CA |
2019-04-30 - 2021-04-29 |
2 years | crt.sh |
This page contains 1 frames:
Primary Page:
https://fs.auth.wfp.org/adfs/ls/?client-request-id=d74a2a5e-f37f-41b1-a792-a0ef4ecccf09&username=&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAdNiNtQztFIxgAAjXRCpa5CWZqibnApiIYEiIS6BOC2v6_WfNzoun7Tgvd-Z85yzGNnL0wr08ovSVzEqZZSUFBRb6evnl5bk5Odn6-WnpWUmpxqbmeol5-fq55cn6u9gZLzAyLiKydzM2NzA3NTY0MjCwMLczNTI1EIv1TTVyDQ50UzXMs3SSNckxQLIMrQw1QWqSQIqSko2MzS4xcTv71hakmEEIvKLMqtSPzFxpuUX5cYX5BeXzGLOcoksNnXNd0x3dQxyCjXXdS7390wNcEwOdPFx89X1MUlK8Ut2DUiJjCyuLE2KzA_w9nUO9c9yznV2cndzDnTJNk8pdgqv9A8PKg8zMjbzLHQOKSgtDA03CE23jCgzSU0uTMs3Ns7zi69yLF_FTFSgbWJmA3o-Nz_vFDNbfkFqXmbKBRbGVyw8BqxWHBxcAnwSrAoMP1gYF7ECA3f9PulNxowMLmualCZFpXQxnGLVz3L1SU439TU2SHGK8HPzsnAK9fR3MvEqK0gJyC0zzivxCrNIzy5IivBLNbE1tTKcwMY4gY3tBRvjBzbGDnaGXZxExMktLhEjA0NLXUMDXSMTBUMzKyMLKwPDKAA1
Frame ID: A0A072E8F83F90DDAD7C9101303A90BD
Requests: 13 HTTP requests in this frame
Screenshot
Page URL History Show full URLs
- https://fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/indexc.php?ff=&dl=null Page URL
-
https://outlook.com/wfp.org
HTTP 301
https://www.outlook.com/wfp.org HTTP 301
https://outlook.office365.com/wfp.org HTTP 302
https://outlook.office365.com/owa/wfp.org HTTP 302
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redir... HTTP 302
https://fs.auth.wfp.org/adfs/ls/?client-request-id=d74a2a5e-f37f-41b1-a792-a0ef4ecccf09&username=&wa... Page URL
Detected technologies
PHP (Programming Languages) ExpandDetected patterns
- url /\.php(?:$|\?)/i
LiteSpeed (Web Servers) Expand
Detected patterns
- headers server /^LiteSpeed$/i
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/indexc.php?ff=&dl=null Page URL
-
https://outlook.com/wfp.org
HTTP 301
https://www.outlook.com/wfp.org HTTP 301
https://outlook.office365.com/wfp.org HTTP 302
https://outlook.office365.com/owa/wfp.org HTTP 302
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office365.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=d74a2a5e-f37f-41b1-a792-a0ef4ecccf09&protectedtoken=true&domain_hint=wfp.org&nonce=637075312808765258.e5e25ca6-9f92-4d86-9185-128b087bc610&state=DYs5EoAgEARBU7-CwOIePAcQDLFM-L4bdNcEPdYYsyubYoPKMCUOjCmCBGFCQDk7dsBWyOWRwV236IqCTpuqUW0Ug9Xv4ecqfo33nN_zAw HTTP 302
https://fs.auth.wfp.org/adfs/ls/?client-request-id=d74a2a5e-f37f-41b1-a792-a0ef4ecccf09&username=&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAdNiNtQztFIxgAAjXRCpa5CWZqibnApiIYEiIS6BOC2v6_WfNzoun7Tgvd-Z85yzGNnL0wr08ovSVzEqZZSUFBRb6evnl5bk5Odn6-WnpWUmpxqbmeol5-fq55cn6u9gZLzAyLiKydzM2NzA3NTY0MjCwMLczNTI1EIv1TTVyDQ50UzXMs3SSNckxQLIMrQw1QWqSQIqSko2MzS4xcTv71hakmEEIvKLMqtSPzFxpuUX5cYX5BeXzGLOcoksNnXNd0x3dQxyCjXXdS7390wNcEwOdPFx89X1MUlK8Ut2DUiJjCyuLE2KzA_w9nUO9c9yznV2cndzDnTJNk8pdgqv9A8PKg8zMjbzLHQOKSgtDA03CE23jCgzSU0uTMs3Ns7zi69yLF_FTFSgbWJmA3o-Nz_vFDNbfkFqXmbKBRbGVyw8BqxWHBxcAnwSrAoMP1gYF7ECA3f9PulNxowMLmualCZFpXQxnGLVz3L1SU439TU2SHGK8HPzsnAK9fR3MvEqK0gJyC0zzivxCrNIzy5IivBLNbE1tTKcwMY4gY3tBRvjBzbGDnaGXZxExMktLhEjA0NLXUMDXSMTBUMzKyMLKwPDKAA1 Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
13 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
indexc.php
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/ |
6 KB 2 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
style.css
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/css/ |
518 B 317 B |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
form.css
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/css/ |
637 B 211 B |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
jquery-1.11.1.min.js
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/ |
94 KB 32 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
RSA.js
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/ |
15 KB 4 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
jquery.vegas.js
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/jquery/ |
11 KB 2 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
jquery-migrate-1.2.1.min.js
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/ |
7 KB 3 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
btn.png
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/img/ |
469 B 541 B |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
nestatic.php
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/ |
1 B 43 B |
Image
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
Primary Request
/
fs.auth.wfp.org/adfs/ls/ Redirect Chain
|
18 KB 18 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
style.css
fs.auth.wfp.org/adfs/portal/css/ |
8 KB 8 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
logo.png
fs.auth.wfp.org/adfs/portal/logo/ |
20 KB 20 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
illustration.png
fs.auth.wfp.org/adfs/portal/illustration/ |
114 KB 114 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)13 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onformdata object| onpointerrawupdate function| LoginErrors number| maxPasswordLength function| InputUtil function| SelectOption function| Login undefined| emails undefined| msViewportStyle undefined| viewport function| getStyle function| computeLoadIllustration function| SetIllustrationImage0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
fs.auth.wfp.org
fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com
login.microsoftonline.com
outlook.com
outlook.office365.com
www.outlook.com
111.90.142.105
20.190.129.160
217.118.241.83
2603:1026:204::2
40.97.161.50
050ed368c40670383f9861b929cf75fc55bb7962ce87fc0b61f76cbe15f5986f
09fddf64273ff36d9d05d6f8055fff98afdf114453c7eace4b3abe886b01789a
0a13280a86e7dfa6949bd016ea848912fcafc05e88cbedf538ac325b27041205
0a840a7827b7cfe56d8312470d5ea5a7a6125639e05e756ebbb019008bc84435
0ef4d0547b2dbc6edb0c973c82a1ee84f48603e1fe3f2e7c179cc50537501020
183128a3c941ede3d9199fa37d6aa90e0a7dfe101b37d10b4feda0cf35e11afd
1e67d8dbcca1f6fd94e077c85c2fb40fa1c2756c99238daa8da882144260a68d
2ba5bdf3c39a739c6cc6054eef1eb2494d888f57a344e4aa8bea86b693694ed6
30777a64b4694975b61c8c795cd1bee08fb072f370f4306690cde7ecf6ceb1b5
540bc6dec1dd4b92ea4d3fb903f69eabf6d919afd48f4e312b163c28cff0f441
be727537e7ee65c72af89cdc0e289046a4f50693b5cbecf470887b107e98c3eb
d12d548debaa3763b2fb5604a4f8bee261d352c8688cf67d598b7ed3f5ba4a61
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855