Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://multi-factor.link/3XaU00WDGY80ng
Detected Brand
KLP (Likely Impersonation)
Country
International
Confidence
100%
HTTP Status
200
Report ID
265defae-64b…
Analyzed
2026-03-19 10:33
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T152D1EE7060409D3B4283C7D8B3B96B9F3394C346EA97565A67F4C35C1EE3E16CC1A226 |
|
CONTENT
ssdeep
|
96:DIpkCGTHRPy9OkrwkMxs39TbJG9KjsWsjOI0U2gs0sjO5OVJQ6Q6ynQjNsjOO:ZsOk8A9TbJG9a2ZOVJQyyQjq |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
9c497326cc99d966 |
|
VISUAL
aHash
|
18001818191f0f9f |
|
VISUAL
dHash
|
7161713331727d38 |
|
VISUAL
wHash
|
191818181f1f1fff |
|
VISUAL
colorHash
|
070000001c0 |
|
VISUAL
cropResistant
|
7161713331727d38 |
Code Analysis
Risk Score
70/100
Threat Level
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
🎣 OTP Stealer
🎣 Personal Info
🔬 Threat Analysis Report
• Threat: Phishing
• Target: KLP customers
• Method: Credential Harvesting
• Exfil: Unknown, likely to attackers.
• Indicators: Malicious domain, login form, impersonation.
• Risk: High
🎯 Kit Endpoints
- https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-416676562927&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-8024-21bc5137cc6d&protectedtoken=true&domain_hint=klp.no&nonce=899285250283.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=am9uLm5ldHR1bUBrbHAubm8#
- https://login.microsoftonline.com/common/login#
- https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-487191339135&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-8136-21bc5137cc6d&protectedtoken=true&domain_hint=klp.no&nonce=829204807123.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=am9uLm5ldHR1bUBrbHAubm8#
- https://passwordreset.microsoftonline.com/?ru=https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-399058842550&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-6822-21bc5137cc6d&protectedtoken=true&domain_hint=klp.no&nonce=163656193502.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=am9uLm5ldHR1bUBrbHAubm8#
📊 Risk Score Breakdown
Total Risk Score
95/100
Contributing Factors
Domain Mismatch
The domain 'multi-factor.link' is completely unrelated to the intended brand (KLP).
Requesting Sensitive Information
The page is requesting an email address as a login credential.
Impersonation
The page attempts to impersonate KLP's login page.
🔬 Comprehensive Threat Analysis
Threat Type
Two-Factor Authentication Stealer
Target
KLP (Likely Impersonation) users (International)
Attack Method
Brand impersonation
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
⚠️ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer, Personal Info
🏢 Brand Impersonation Analysis
Impersonated Brand
KLP
Official Website
klp.no
Fake Service
KLP Login Portal
⚔️ Attack Methodology
Primary Method: Credential Harvesting
The attacker aims to steal user credentials by mimicking a legitimate login page and tricking users into entering their information.
🌐 Infrastructure Indicators of Compromise
Domain Information
Domain
multi-factor.link
Registered
None
Registrar
Unknown
Status
Active
🤖 AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Groupe Deret
https://loginservice.cloud/MaFjX1S4Auo
Apr 05, 2026
Microsoft 365
https://authentication.ms/lr_zHa7DF9xZlA
Apr 05, 2026
Unknown
https://cdn.gosafemode.com/screenshots/49bc7805d422.png
Apr 05, 2026
Microsoft 365 (impersonated)
https://authentication.ms/lNU4Ma0tGc5AARehVw
Apr 05, 2026
KLP
https://loginservice.cloud/stF-CMW7YaMOXKtf
Apr 05, 2026
Scan History for multi-factor.link
Found 10 other scans for this domain
-
https://multi-factor.link/X-K3CeZWToDctA
https://multi-factor.link/f-RUA_KGYl3F?/ContextID=...
https://multi-factor.link/RYkgo7bJzbDKSpTz6A
https://multi-factor.link/hyXVBzQmfrFL
https://multi-factor.link/_Sb1YAwXrHtOIg
https://multi-factor.link/ml6rxBE89to
https://multi-factor.link/Klqob1GIQic
https://multi-factor.link/q4Ikhp2EI5_YOQ
https://multi-factor.link/qewOWgJmJow
https://multi-factor.link/XLHO3q9WdoQ
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.