mainofficesupport.z13.web.core.windows.net
20.209.75.228 Malicious Activity!

Submitted URL: https://zpr.io/86UZK54BFc8L
Effective URL: https://mainofficesupport.z13.web.core.windows.net/
Submission: On May 02 via automatic, source phishtank — Scanned from DE

Summary

This website contacted 4 IPs in 2 countries across 6 domains to perform 5 HTTP transactions. The main IP is 20.209.75.228, located in Washington, United States and belongs to MICROSOFT-CORP-MSN-AS-BLOCK, US. The main domain is mainofficesupport.z13.web.core.windows.net.
TLS certificate: Issued by Microsoft Azure RSA TLS Issuing CA 03 on April 5th 2024. Valid for: a year.
This is the only time mainofficesupport.z13.web.core.windows.net was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Microsoft (Consumer)

Domain & IP information

#    IP Address       AS (Autonomous System)
1 1  3.222.145.108    14618 (AMAZON-AES)
2 2  18.173.205.62    16509 (AMAZON-02)
2    20.209.75.228    8075 (MICROSOFT...)
1    172.67.74.152    13335 (CLOUDFLAR...)
1    2620:1ec:46::45  8075 (MICROSOFT...)
1    162.19.58.161    16276 (OVH)
Totals: 5 requests, 4 IPs

#  Apex Domain   Subdomain (Cisco Umbrella Rank)              Transfer
2  windows.net   mainofficesupport.z13.web.core.windows.net   25 KB
2  docsend.com   docsend.com (rank 93054)                     8 KB
1  ibb.co        i.ibb.co (rank 10971)                        64 KB
1  msauth.net    aadcdn.msauth.net (rank 892)                 2 KB
1  ipify.org     api.ipify.org (rank 2924)                    154 B
1  zpr.io        zpr.io (rank 711697)                         90 B
Totals: 5 requests, 6 domains

#  Domain                                       Requested by
2  mainofficesupport.z13.web.core.windows.net
2  docsend.com                                  2 redirects
1  i.ibb.co                                     mainofficesupport.z13.web.core.windows.net
1  aadcdn.msauth.net                            mainofficesupport.z13.web.core.windows.net
1  api.ipify.org                                mainofficesupport.z13.web.core.windows.net
1  zpr.io                                       1 redirect
Totals: 5 requests, 6 domains

This site contains no links.

Subject                 Issuer                                 Validity                  Valid for
*.web.core.windows.net  Microsoft Azure RSA TLS Issuing CA 03  2024-04-05 - 2025-03-31   a year
ipify.org               GTS CA 1P5                             2024-03-21 - 2024-06-19   3 months
aadcdn.msauth.net       DigiCert SHA2 Secure Server CA         2024-04-30 - 2025-04-30   a year
ibb.co                  R3                                     2024-04-22 - 2024-07-21   3 months

This page contains 1 frame:

Primary Page: https://mainofficesupport.z13.web.core.windows.net/
Frame ID: B6B3EC9B82C3FE2B682F23AB5915B72C
Requests: 5 HTTP requests in this frame

Page Title: Document

Page URL History

  1. https://zpr.io/86UZK54BFc8L HTTP 302
    https://docsend.com/v/9y4jf/exec HTTP 302
    https://docsend.com/view/xje93sn9hfpkq6s3 HTTP 302
    https://mainofficesupport.z13.web.core.windows.net/ Page URL

Page Statistics

Requests: 5
HTTPS: 100 %
IPv6: 17 %
Domains: 6
Subdomains: 6
IPs: 4
Countries: 2
Transfer: 91 kB
Size: 92 kB
Cookies: 3

Redirected requests

There were HTTP redirect chains for the following requests:

5 HTTP transactions

Request 1 (Primary Request)
Resource: /
Path: mainofficesupport.z13.web.core.windows.net/
Redirect Chain:
  • https://zpr.io/86UZK54BFc8L
  • https://docsend.com/v/9y4jf/exec
  • https://docsend.com/view/xje93sn9hfpkq6s3
  • https://mainofficesupport.z13.web.core.windows.net/
Size: 24 KB
x-fer: 24 KB
Type: Document

General
Full URL: https://mainofficesupport.z13.web.core.windows.net/
Protocol: HTTP/1.1
Security: TLS 1.3, AES_256_GCM
Server: 20.209.75.228 Washington, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
Reverse DNS:
Software: Windows-Azure-Web/1.0 Microsoft-HTTPAPI/2.0
Resource Hash: 962c349e3f13839efdf0a0ddfb5280e6a0387cc72ff90e87cc1efa551ff9f568

Request headers
Accept-Language: de-DE,de;q=0.9;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="124", "Not:A-Brand";v="8", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Win32"

Response headers
Accept-Ranges: bytes
Content-Length: 24365
Content-MD5: bP1uZHXTzSWS5GnrnmYDwg==
Content-Type: text/html
Date: Thu, 02 May 2024 18:32:29 GMT
ETag: "0x8DC691B1025BF6C"
Last-Modified: Tue, 30 Apr 2024 13:40:13 GMT
Server: Windows-Azure-Web/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a80899a9-701e-004d-08bf-9c4657000000
x-ms-version: 2018-03-28

Redirect headers
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy:
connect-src 'self' blob: https://assets.docsend.com https://d2qvtfnm75xrxf.cloudfront.net https://*.previews.dropboxusercontent.com/*/p.m3u8 https://*.dropboxusercontent.com https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://*.intercomcdn.com https://uploads.intercomusercontent.com https://sessions.bugsnag.com https://notify.bugsnag.com https://browser-intake-datadoghq.com https://browser-intake-us3-datadoghq.com https://browser-intake-us5-datadoghq.com https://*.kissmetrics.com https://*.kissmetrics.io https://api.segment.io https://cdn.segment.com https://events.statsigapi.net/v1/rgstr https://statsigapi.net/v1/sdk_exception https://*.id.opendns.com https://www.google-analytics.com https://*.g.doubleclick.net https://www.facebook.com https://api.autopilothq.com https://*.filestackapi.com https://cdn.filestackcontent.com https://s3.amazonaws.com https://*.dropbox.com https://*.dropboxapi.com https://*.dropboxstatic.com https://browser.pipe.aria.microsoft.com https://checkout.stripe.com https://forms.hubspot.com https://*.pubnub.com https://docsend-prod.s3.amazonaws.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' https://assets.docsend.com https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com https://*.google-analytics.com https://cdn.segment.com https://scripts.kissmetrics.com https://*.id.opendns.com https://www.youtube.com https://*.ytimg.com https://vimeo.com https://www.vimeo.com https://www.googletagmanager.com https://www.googleadservices.com https://tagmanager.google.com https://connect.facebook.net https://*.quora.com https://*.bing.com https://api.autopilothq.com https://*.capterra.com https://*.g.doubleclick.net https://js.hs-analytics.net 
https://js.hs-scripts.com https://js-na1.hs-scripts.com https://js.hscollectedforms.net https://js.hsleadflows.net https://js.stripe.com https://checkout.stripe.com https://ajax.aspnetcdn.com https://appsforoffice.microsoft.com https://maps.googleapis.com https://static.filestackapi.com https://zapier.com https://d2wy8f7a9ursnm.cloudfront.net https://polyfill.io/v3/polyfill.min.js 'nonce-CkKuK+AnrGqY3VESO0ag/w=='; report-uri https://www.dropbox.com/csp_log?policy_name=docsend; default-src 'self'; base-uri 'self'; child-src 'self' blob:; font-src 'self' https: data: chrome-extension:; form-action 'self' https://docsend.com https://*.docsend.com https://intercom.help https://api-iam.intercom.io https://accounts.google.com https://www.linkedin.com https://*.salesforce.com https://www.dropbox.com https://accounts.logme.in https://secure.join.me https://*.okta.com https://*.oktapreview.com https://*.jumpcloud.com https://*.onelogin.com https://zapier.com https://ifttt.com https://www.facebook.com; frame-src 'self' https://assets.docsend.com https://*.previews.dropboxusercontent.com/ https://js.stripe.com https://checkout.stripe.com https://www.youtube.com https://player.vimeo.com https://*.g.doubleclick.net https://tpc.googlesyndication.com https://www.facebook.com https://telemetryservice.firstpartyapps.oaspapps.com https://www.dropbox.com https://ifttt.com; img-src 'self' https: data: blob: chrome-extension:; media-src 'self' blob: data: https://d2qvtfnm75xrxf.cloudfront.net https://js.intercomcdn.com https://*.dropboxusercontent.com; object-src 'none'; style-src 'self' 'unsafe-inline' https://assets.docsend.com https://fonts.googleapis.com https://tagmanager.google.com https://static.filestackapi.com https://use.fontawesome.com https://vjs.zencdn.net; worker-src 'self' blob:
Content-Type: text/html; charset=utf-8
Date: Thu, 02 May 2024 18:32:29 GMT
Location: https://mainofficesupport.z13.web.core.windows.net/
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1714674749&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&s=HbBylvcVavV%2FRoSJegir4s%2FMx27AmIrkGSdHwPXB7o8%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1714674749&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&s=HbBylvcVavV%2FRoSJegir4s%2FMx27AmIrkGSdHwPXB7o8%3D
Server: Cowboy
Strict-Transport-Security: max-age=31556952; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding, Origin
Via: 1.1 vegur, 1.1 daf01c71790f42e645ae4024c607941e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _CCNrTdN0zzZE7YbVSBXK4T3OsVL3ZDq4FqDVa0uWtl12FEPi926OQ==
X-Amz-Cf-Pop: FRA56-P12
X-Cache: Miss from cloudfront
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 50279b5e-ee5e-42a2-a807-3659bac12b70
X-Runtime: 0.310484

Request 2
Resource: /
Path: api.ipify.org/
Size: 21 B
x-fer: 154 B
Type: Fetch

General
Full URL: https://api.ipify.org/?format=json
Requested by: Host: mainofficesupport.z13.web.core.windows.net, URL: https://mainofficesupport.z13.web.core.windows.net/
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 172.67.74.152, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS:
Software: cloudflare
Resource Hash: 06aaa62e1f9e61c7f18891b10f965e5af18ea57ae14e0f52d0ec488db6f641db

Request headers
sec-ch-ua: "Google Chrome";v="124", "Not:A-Brand";v="8", "Chromium";v="124"
Referer: https://mainofficesupport.z13.web.core.windows.net/
Accept-Language: de-DE,de;q=0.9;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers
date: Thu, 02 May 2024 18:32:30 GMT
cf-cache-status: DYNAMIC
server: cloudflare
vary: Origin
content-type: application/json
access-control-allow-origin: *
cf-ray: 87da18253c1a9152-FRA
content-length: 21

Request 3
Resource: microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg
Path: aadcdn.msauth.net/shared/1.0/content/images/
Size: 4 KB
x-fer: 2 KB
Type: Image

General
Full URL: https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg
Requested by: Host: mainofficesupport.z13.web.core.windows.net, URL: https://mainofficesupport.z13.web.core.windows.net/
Protocol: H2
Security: TLS 1.3, AES_256_GCM
Server: 2620:1ec:46::45, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
Reverse DNS:
Software:
Resource Hash: 04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a

Request headers
sec-ch-ua: "Google Chrome";v="124", "Not:A-Brand";v="8", "Chromium";v="124"
Referer: https://mainofficesupport.z13.web.core.windows.net/
Accept-Language: de-DE,de;q=0.9;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers
x-ms-blob-type: BlockBlob
date: Thu, 02 May 2024 18:32:30 GMT
content-encoding: gzip
x-cache: TCP_HIT
x-fd-int-roxy-purgeid: 4554691
content-length: 1435
x-ms-lease-status: unlocked
last-modified: Wed, 24 May 2023 10:11:48 GMT
etag: 0x8DB5C3F4911527F
x-azure-ref: 20240502T183230Z-15ff45446449x2s7pv80sq17a000000008hg00000000c2rt
content-type: image/svg+xml
access-control-allow-origin: *
x-ms-request-id: 860b25d7-a01e-0028-0b4c-972cbc000000
access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
cache-control: public, max-age=31536000
x-ms-version: 2009-09-19
accept-ranges: bytes

Request 4
Resource: officebg.png
Path: i.ibb.co/LJz4z44/
Size: 64 KB
x-fer: 64 KB
Type: Image

General
Full URL: https://i.ibb.co/LJz4z44/officebg.png
Requested by: Host: mainofficesupport.z13.web.core.windows.net, URL: https://mainofficesupport.z13.web.core.windows.net/
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 162.19.58.161, France, ASN16276 (OVH, FR)
Reverse DNS: ns3096669.ip-162-19-58.eu
Software: nginx
Resource Hash: 95b34d2a4b2e546aa5879151a79554d7fc2dd76a2bbc85dead4fca2940334537

Request headers
sec-ch-ua: "Google Chrome";v="124", "Not:A-Brand";v="8", "Chromium";v="124"
Referer: https://mainofficesupport.z13.web.core.windows.net/
Accept-Language: de-DE,de;q=0.9;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers
date: Thu, 02 May 2024 18:32:30 GMT
last-modified: Wed, 12 Apr 2023 12:59:42 GMT
server: nginx
access-control-allow-methods: GET, OPTIONS
content-type: image/png
access-control-allow-origin: *
cache-control: max-age=315360000, public
accept-ranges: bytes
content-length: 65341
expires: Thu, 31 Dec 2037 23:55:55 GMT

Request 5
Resource: favicon.ico
Path: mainofficesupport.z13.web.core.windows.net/
Size: 321 B
x-fer: 629 B
Type: Other

General
Full URL: https://mainofficesupport.z13.web.core.windows.net/favicon.ico
Protocol: HTTP/1.1
Security: TLS 1.3, AES_256_GCM
Server: 20.209.75.228 Washington, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
Reverse DNS:
Software: Windows-Azure-Web/1.0 Microsoft-HTTPAPI/2.0
Resource Hash: 6a98240f6a10d1f0f78e26c385cf64e830974a00042dba195e896cfd741a580c

Request headers
sec-ch-ua: "Google Chrome";v="124", "Not:A-Brand";v="8", "Chromium";v="124"
Referer: https://mainofficesupport.z13.web.core.windows.net/
Accept-Language: de-DE,de;q=0.9;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers
x-ms-request-id: a8089df9-701e-004d-03bf-9c4657000000
Date: Thu, 02 May 2024 18:32:29 GMT
x-ms-version: 2018-03-28
Server: Windows-Azure-Web/1.0 Microsoft-HTTPAPI/2.0
x-ms-error-code: WebContentNotFound
Content-Length: 321
Content-Type: text/html

Verdicts & Comments

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan: Phishing against Microsoft (Consumer)

0 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

3 Cookies

Domain/Path    Name   Value
.docsend.com/  _dss_  11014bcb150ce5c2e47519ee0595a447
.docsend.com/  _v_    knXo6kgOn5R%2BfnW3aSyJ0D34VeGp5PpyfSpP6I1jjGrowKhgv2GxZgO8eR6it5oZIjfJOIp%2F0xk5wXFj%2FynJR0Z99tV%2FDHQtzAL30jsdZ8Vd2SLLWQ%3D%3D--Qq0HsiZ%2FA0qrXGjC--RSedhUbwWCQF2clVBjBhFw%3D%3D
.docsend.com/  _us_   eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJZzkyYVdWM1pXUWdaRzlqQmpvR1JWUT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5fdXNfIn19--0a19c6dc51d459746e8b01d901655a78795a6225

2 Console Messages

1. Source: recommendation, Level: verbose
   URL: https://mainofficesupport.z13.web.core.windows.net/
   Message: [DOM] Input elements should have autocomplete attributes (suggested: "current-password"): (More info: https://goo.gl/9p2vKq) %o

2. Source: network, Level: error
   URL: https://mainofficesupport.z13.web.core.windows.net/favicon.ico
   Message: Failed to load resource: the server responded with a status of 404 (The requested content does not exist.)