zerophish / console
Register Sign in
URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

scan
100 scans / day · free · typical scan 2–4 s ·
try
Result scan 876870f2
Scan another →
CACHED Showing previous scan from 1 h ago. Click Reanalyze to run a fresh scan.
PHISHING · HIGH CONFIDENCE

Phishing detected

brand Unknown scan id 876870f2 duration 19.82s signals 6 failing / 21
Risk score 1.00
100 / 100 · High risk
Tags
URL anatomy 7-0070hu.vercel.app
https :// 7-0070hu . vercel . app /
flagged registered domain path protocol / query
Why this verdict 8 contributing signals · model gpt-5.4-nano
×
Credential collection form
Credential collection form detected on the page
↑ risk
×
Email-auth posture (SPF/DMARC)
No DMARC record — domain trivially spoofable in phishing email
↑ risk
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
↓ risk
Visual similarity to known brand
Brand presentation matches the registered owner
↓ risk
Favicon impersonation
Favicon matches the registered owner
↓ risk
SSL certificate
Served over HTTPS · valid TLS certificate
↓ risk
Brand-in-subdomain attack
No known brand label in subdomain
↓ risk
Homoglyph attack
ASCII only · no mixed-script characters detected
↓ risk
enrichment used: dns network jarm asn
Indicators of compromise 5 · click any row to copy
URL hxxps://7-0070hu[.]vercel[.]app/
Host 7-0070hu[.]vercel[.]app
Registered domain vercel[.]app
Screenshot https://cdn.zerophish.ai/34aeef19-6757-4116-9cec-0c98a58b5d76.jpg
Scan ID 876870f2-4c5e-4bdc-82fe-dbcff439793c
Related detections 1 other scan on this registered domain
536 d ago
 PHISHING office365-mauve.vercel.app view →
Detection signals 6 fail · 2 warn · 6 pass
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
critical
Domain age
Awaiting analysis
high
Threat intel blocklists
Awaiting analysis
critical
×
Credential collection form
Credential collection form detected on the page
high
Visual similarity to known brand
Brand presentation matches the registered owner
high
Favicon impersonation
Favicon matches the registered owner
medium
SSL certificate
Served over HTTPS · valid TLS certificate
low
DNS reputation
Awaiting analysis
medium
showing 8 of 21 ·
Captured page from scan
Captured page
screenshot · captured at scan live page render
Brand impersonation visual + DOM analysis

No brand impersonation signals available.

Technical profile resolved at scan time
Host 7-0070hu.vercel.app
Registered domain vercel.app
Scheme https
Content length 46004 B
HTTP 200 · text/html
DMARC policy none
SPF policy none
MX records none
Analyst summary AI-generated
Initial scan heuristic + LLM

The page presents itself as a generic “Web Mail” sign-in screen. It shows a credential-collection form with labels for “Email address” and “Password” and a “Sign in” button.

Several phishing signals are present: the URL is a Vercel subdomain (https://7-0070hu.vercel.app/) rather than any known mail provider’s domain, and there is no verifiable brand attribution in the content. The page also displays an authentication-style error message (“Incorrect email password, try again!”) that can be used to keep users interacting while attempting repeated logins.

Because the UI is a convincing login template but hosted on an unrelated, non-branded domain, it is highly consistent with phishing rather than a legitimate account portal.

🤖 Agent run #1 autonomous investigation

The page at 7-0070hu.vercel.app is a bare “Web Mail” credential harvester with no legitimate branding. On submitting the email/password form, the credentials are exfiltrated via XHR POST to api.telegram.org (bot ID 8748740538, chat ID 8397796619), along with the victim’s IP and geolocation. This is a confirmed phishing page using Telegram as the command-and-exfil backend.