Phishing Analysis: DP World

Visual Capture

Detection Info

https://signin.broker/JxcO4CqSIq8qMA

Detected Brand

DP World

Country

International

Confidence

100%

HTTP Status

200

Report ID

5ce16ec9-dbe…

Analyzed

2026-02-13 11:58

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1BDD1F17150509D3B4283C7D4B3B96B4F3394C34AEA87565A67F4C39C1EE3E56CC1A226
CONTENT ssdeep	96:nIpkCGTHRPypyz97krwkMCFs39TbJG9KjsWsjOq0U2gs0sjOjOVJQ6Q6ynQjNsjp:9LVk8AS9TbJG9aEDOVJQyyQjs

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9c497326cc99d9e4
VISUAL aHash	18001818191f0f9f
VISUAL dHash	7161713331727d38
VISUAL wHash	191818181f1f1fff
VISUAL colorHash	07000000180
VISUAL cropResistant	7161713331727d38

Code Analysis

Risk Score 70/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential Phishing
• Target: DP World employees or users
• Method: Impersonating DP World login page.
• Exfil: Credentials (email & password)
• Indicators: Mismatched domain, login form.
• Risk: HIGH

🎯 Kit Endpoints

https://passwordreset.microsoftonline.com/?ru=https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-235124959787&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-2214-21bc5137cc6d&protectedtoken=true&domain_hint=dpworld.com&nonce=899971296027.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=anVyZ2VuLnZhbnJhbnNiZWVja0BkcHdvcmxkLmJl#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-452161560138&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-2918-21bc5137cc6d&protectedtoken=true&domain_hint=dpworld.com&nonce=594197104122.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=anVyZ2VuLnZhbnJhbnNiZWVja0BkcHdvcmxkLmJl#
https://login.microsoftonline.com/common/login#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-104867788808&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-7034-21bc5137cc6d&protectedtoken=true&domain_hint=dpworld.com&nonce=455431941823.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=anVyZ2VuLnZhbnJhbnNiZWVja0BkcHdvcmxkLmJl#

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain signin.broker is not associated with DP World.

Impersonation

The page tries to impersonate a sign-in page to collect login data.

Login Form

The form is designed to steal the credentials of the user.

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

DP World users (International)

Attack Method

Brand impersonation

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Personal Info

🏢 Brand Impersonation Analysis

Impersonated Brand

DP World

Official Website

dpworld.com

Fake Service

Sign-in Service

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker attempts to steal user credentials by creating a fake login page that mimics a legitimate one. The user is tricked into entering their email and password, which the attacker then captures.