Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://ahv3ctpms4e.premisp.net/education_redirect_second?8c5781c2-7b1e-4035-b1d7-990e269e5380
Detected Brand
KPMG
Country
International
Confidence
95%
HTTP Status
200
Report ID
59cea021-2ad…
Analyzed
2026-03-17 04:22
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1C66173B1808444EF22A6D1EBF220F60ED0539519DB8796007BB2D3DD91D8DC6CDE7762 |
|
CONTENT
ssdeep
|
48:TIpcvtcvkQcXcQc1Fu7oIqiU3kyqtLBi43Q5diiFXpXaq7qH:TGaXQC70o7oIpU3kXFi43nidRaq7qH |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b73c3625252d3636 |
|
VISUAL
aHash
|
030707ffefefefef |
|
VISUAL
dHash
|
6e2d6d58cccc4c0c |
|
VISUAL
wHash
|
0307070767e7a7c7 |
|
VISUAL
colorHash
|
06000000098 |
|
VISUAL
cropResistant
|
6e2d6d58cccc4c0c,c025dad23968e412,1028c8c84c32d2b2,2c9993d14da4c8a9 |
Code Analysis
Risk Score
53/100
Threat Level
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
🔬 Threat Analysis Report
• Threat: Phishing
• Target: KPMG employees
• Method: Impersonation via email and fake training link
• Exfil: Likely collecting credentials via a phishing form.
• Indicators: Mismatched domain, suspicious URL, email from unknown domain.
• Risk: High
🔒 Obfuscation Detected
- fromCharCode
🎯 Kit Endpoints
- https://login.phishme.com.au/spa-ckeditor
📡 API Calls Detected
- GET
📊 Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Domain Mismatch
The domain used in the email and URL do not match the expected official KPMG domains.
Impersonation
The email and page attempt to mimic the official KPMG branding, increasing the likelihood of successful impersonation.
Suspicious Content
The email requests a user to login using email. Forms detected. Obfuscation detected.
🔬 Comprehensive Threat Analysis
Threat Type
Credential Harvesting Kit
Target
KPMG users (International)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
MEDIUM - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
⚠️ Indicators of Compromise
- Kit types: Credential Harvester
- 4 obfuscation techniques
🏢 Brand Impersonation Analysis
Impersonated Brand
KPMG
Official Website
kpmg.com
Fake Service
Compliance Training
Fraudulent Claims
⚔️ Attack Methodology
Primary Method: Credential Harvesting (Spear Phishing)
The attacker sends a seemingly legitimate email, likely pretending to be from KPMG, to trick employees into entering their credentials on a fake login page. The content is about mandatory training.
Secondary Method: Social Engineering
The email uses tactics to create a sense of urgency. The fake page is requesting credentials.
🌐 Infrastructure Indicators of Compromise
Domain Information
Domain
ahv3ctpms4e.premisp.net
Registered
None
Registrar
None
Status
Active
🤖 AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Unknown
https://cdn.gosafemode.com/screenshots/f384b65cdbee.png
May 21, 2026
Unknown
https://cdn.gosafemode.com/screenshots/8c9cdbef928e.png
May 16, 2026
Unknown
https://cdn.gosafemode.com/screenshots/77c037bb212f.png
Apr 12, 2026
KPMG
https://yourcompany.webadmin-email.net/education_redirect_se...
Mar 17, 2026
KPMG
https://ahv3ctpms4e.opsupportmatrix.com/education_redirect_s...
Mar 17, 2026
Scan History for ahv3ctpms4e.premisp.net
Found 1 other scan for this domain
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.