URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED · Showing previous scan from 5 h ago.
SUSPICIOUS · HIGH CONFIDENCE

Suspicious — review required

brand: Unknown · scan id: 7be43b40 · duration: 22.63s · signals: 5 failing / 19
Risk score 0.63
63 / 100 · Medium risk
URL hxxps://jhl9vv9k[.]r[.]us-east-1[.]awstrack[.]me/L0/https:%2F%2Flogin[.]microsoftonline[.]com%2Fcommon%2Foauth2%2Fv2[.]0%2Fauthorize%3Fscope=openid%26prompt=none%26client_id=865af9bf-2634-4259-a8e3-37a7003b12f8%26state=mike[.]johnson@roadssinc[.]com/1/0100019eb84dc1cf-37ed7f88-f378-4f41-bbad-ba72cf210111-000000/1fLURlgXxT5wZ5mtgpU8-CJ3wm4=473
Host jhl9vv9k[.]r[.]us-east-1[.]awstrack[.]me
Registered domain awstrack[.]me
Scan ID 7be43b40-5ccf-482a-8bbe-e28ac827d841
Brand typo-squat detected (critical): No similar legitimate brand within edit-distance 2
Domain age (high): Awaiting analysis
Threat intel blocklists (critical): Awaiting analysis
Credential collection form (high): No credential collection form on visible content
Visual similarity to known brand (high): Brand presentation matches the registered owner
Favicon impersonation (medium): Favicon matches the registered owner
SSL certificate (low): Served over HTTPS · valid TLS certificate
DNS reputation (medium): Awaiting analysis
showing 8 of 19

No brand impersonation signals available.

Host jhl9vv9k.r.us-east-1.awstrack.me
Registered domain awstrack.me
Scheme https
ApiFlash transport error
JARM 7937937937937938c28c28c28c2602366908fabef72f2cf3a79c7f9d962e4a
Redirect hops 2
Initial scan heuristic + LLM

The fetched content is a generic “404 Not Found” page with no login form, credential collection fields, or brand-specific UI.

Although the URL path contains an encoded Microsoft login endpoint (login.microsoftonline.com / oauth2 / authorize), the server response provides only an error message: “The requested resource was not found on this server.” This strongly suggests the phishing payload did not load (or the request was blocked), so there is insufficient evidence of an active phishing flow in the HTML/OCR provided.

With no visible social-engineering elements present (no account warning, urgency cues, or form fields), the safest conservative conclusion is that this instance is not demonstrably phishing based on the retrieved content alone.

🤖 Agent run #1 autonomous investigation

The landing page is a blank Microsoft OAuth2 /authorize endpoint with prompt=none and sso_reload=true — a silent SSO flow that intentionally renders no UI. No credential form, brand impersonation, or interactive phishing affordance is visible. However, the redirect chain reveals this originated from jhl9vv9k.r.us-east-1.awstrack.me (IP: 100.49.36.98), an AWS SES email click-tracking domain — strongly suggesting the user arrived here via a tracked phishing email link. The OAuth client_id (865af9bf-2634-4259-a8e3-37a7003b12f8) and the victim’s email in the state parameter are consistent with an illicit consent grant / OAuth phishing attack, but the current page itself is legitimate Microsoft infrastructure with no hostile content rendered.