EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Visual Capture

Screenshot of authentication.ms

Detection Info

https://authentication.ms/7KAoO-G-jwCpMv6ZYA?0b80-4d97-86d7-0025813a9eda&realm=hays.com&quarantine
Detected Brand
Hays
Country
International
Confidence
100%
HTTP Status
200
Report ID
7ca475dd-8a0…
Analyzed
2026-02-13 23:59

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T158D1DF7150409D3B4283C7D4B3B9AB8F3394C346EA97565A67F8C75C1EE3E16CC1A226
CONTENT ssdeep
96:nIpkCGTHRPynkrwkMvvs39TbJG9KjsWsjO40U2gs0sjOpOVJQ6Q6ynQjNsjO+:9Kk8i9TbJG9amJOVJQyyQj6

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
9d4b6326cc999966
VISUAL aHash
08000818191f0f9f
VISUAL dHash
71615b3331727d38
VISUAL wHash
391808181f1f1fff
VISUAL colorHash
070000001c0
VISUAL cropResistant
71615b3331727d38

Code Analysis

Risk Score 70/100
Threat Level ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential Phishing
• Target: Hays employees
• Method: Domain spoofing
• Exfil: Stolen credentials
• Indicators: Domain mismatch, login form
• Risk: HIGH

🎯 Kit Endpoints

  • https://passwordreset.microsoftonline.com/?ru=https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-720239011528&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-6543-21bc5137cc6d&protectedtoken=true&domain_hint=hays.com&nonce=293709790003.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=YWJlbC5kb21pbmd1ZXpAaGF5cy5jb20#
  • https://login.microsoftonline.com/common/login#
  • https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-897290629678&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-7702-21bc5137cc6d&protectedtoken=true&domain_hint=hays.com&nonce=149334119525.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=YWJlbC5kb21pbmd1ZXpAaGF5cy5jb20#
  • https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-924658770332&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-9476-21bc5137cc6d&protectedtoken=true&domain_hint=hays.com&nonce=854410102496.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=YWJlbC5kb21pbmd1ZXpAaGF5cy5jb20#

📊 Risk Score Breakdown

Total Risk Score
90/100

Contributing Factors

Domain Mismatch
The domain does not match the brand's official website.
Form for sensitive information
The page contains a login form designed to collect user credentials.
Impersonation of Brand
The site attempts to imitate the official brand's login page.

🔬 Comprehensive Threat Analysis

Threat Type
Two-Factor Authentication Stealer
Target
Hays users (International)
Attack Method
Brand impersonation
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Personal Info

🏢 Brand Impersonation Analysis

Impersonated Brand
Hays
Official Website
hays.com
Fake Service
Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker is using a fake login page to steal the victim's username and password.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain
authentication.ms
Registered
2023-06-03
Registrar
Unknown
Status
Active

🤖 AI-Extracted Threat Intelligence

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
RWE
https://auth.properties/E.0n0B4aTckMr8iLg?/tasks/rwehome/Pla...
Apr 22, 2026
 Screenshot
RWE
https://authentication.ms/rQ0RGMdkjQA?/domain=rwe.com?teams=...
Feb 14, 2026
 Screenshot
RWE
https://auth-secure.me/Tp4fhL9s_WfsYzyMGQ
Jan 10, 2026

Scan History for authentication.ms

Found 10 other scans for this domain

😰
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.