zerophish / console
Register Sign in
URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

scan
100 scans / day · free · typical scan 2–4 s ·
try
Result scan a9fd2244
Scan another →
CACHED Showing previous scan from 3 h ago. Click Reanalyze to run a fresh scan.
PHISHING · MEDIUM CONFIDENCE

Phishing detected

brand SAFRA scan id a9fd2244 duration 46.52s signals 0 failing / 12
Risk score 0.62
62 / 100 · High risk
Tags
URL anatomy safra-acesso.netlify.app
https :// safra-acesso . netlify . app /
flagged registered domain path protocol / query
Indicators of compromise 6 · click any row to copy
URL hxxps://safra-acesso[.]netlify[.]app/
Host safra-acesso[.]netlify[.]app
Registered domain netlify[.]app
Brand SAFRA
Screenshot https://cdn.zerophish.ai/9d15229f-aa28-4e2b-9c55-31ba6e941542.jpg
Scan ID a9fd2244-81e6-42eb-ba21-5dd67ca234aa
Detection signals 0 fail · 1 warn · 6 pass
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
critical
Domain age
Awaiting analysis
high
Threat intel blocklists
Awaiting analysis
critical
Credential collection form
No credential collection form on visible content
high
!
Visual similarity to known brand
45% partial similarity to SAFRA
high
Favicon impersonation
Favicon matches the registered owner
medium
SSL certificate
Served over HTTPS · valid TLS certificate
low
DNS reputation
Awaiting analysis
medium
showing 8 of 12 ·
Captured page from scan
Captured page
screenshot · captured at scan live page render
Brand impersonation visual + DOM analysis
S
SAFRA
45%
Technical profile resolved at scan time
Host safra-acesso.netlify.app
Registered domain netlify.app
Scheme https
Content length 57914 B
HTTP 200 · text/html
JARM 7939b39b37937930320320320320128c19258acd09ccdea8faad630541ff7e
Redirect hops 1
Analyst summary AI-generated
Initial scan heuristic + LLM

Presentation / impersonation

The page presents itself as “SAFRA — Acesso” and shows the heading “Acesse sua conta” with tabs for “Pessoa Física” and “Pessoa Jurídica”.

Suspicious signals found

  • Credential-collection UI (login form): Both tabs contain a <form> with an “Entrar” submit button (e.g., button ... id="btnPF" ...>Entrar</button>). The links “Esqueci minha senha” and “Esqueci meu usuário” are also present, consistent with a login workflow.
  • Brand + domain mismatch: The URL is https://safra-acesso.netlify.app/. A real SAFRA login would normally be on a SAFRA-owned domain, not a generic hosting domain like Netlify.
  • Low credibility / likely spoof: The HTML is a minimal modal/login shell with generic elements (no clear SAFRA domain references, no verified host/issuer information).

Brand and URL relationship

Although the visual branding uses SAFRA (logo text and title), the hosting domain netlify.app is not SAFRA’s registered domain. This mismatch is a strong phishing indicator.

Verdict

Given the login-form surface paired with a non-authoritative domain impersonating SAFRA, this is likely phishing. Confidence is medium because the simplified HTML doesn’t show field names/inputs for usernames/passwords, but the presence of login forms and the domain mismatch are compelling.