
Visual Capture

Screenshot of login.microsoftonline.us.office.rp1.abangaritest.govshn.net

Detection Info

https://login.microsoftonline.us.office.rp1.abangaritest.govshn.net/common/oauth2/authorize?client_id=4dca1d4f-adcf-4dd2-a0a0-d2fa9d86b752&redirect_uri=https://vir.www.office365.us.office.rp1.abangaritest.govshn.net/landing&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=637772685624977344.Mzc0YzlkNGMtNmUzMy00NjViLTkzN2UtZTkzOTRmNTIzMTE2ZWE4MTlkYjctYWMyNi00NGM0LWI4NDYtMGZhNjY4ZDYyOWU1&ui_locales=en-US&mkt=en-US&state=WFWs1oRmXL4zWjwTGhX4ybaleSCYAq8G_IOLUeaE1GGIDF-aFnl-EsG2k1YMep94wWqgr-yGWp2sMtbMzcBUbJ8ys2hA4A9SSV24B-S_R56A2ur63dFwjAyFuDg7OtS6DsiYlwa-uQRzOE-JvByLYoCeL2_Nv60tuUa3d_j4jlqycpZPUuikY8l398JOH_mfwXffj5VO8sLuNjdrx5TaSAUSlaYmAkntEF0ThxElVE4l_4_yQni1a6nTnpc_kPYcw0GJ49_uzVSadTkzdaBfQ9fOigGGP_zrqPT0yomQi6USAWcw4-sk9dxEg60yGAWW&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.12.1.0
Detected Brand: Microsoft
Country: International
Confidence: 100%
HTTP Status: 200
Report ID: a92e5da9-6e4…
Analyzed: 2025-12-28 20:14
Final URL (after redirects)
https://login.microsoftonline.us.office.rp1.abangaritest.govshn.net/common/oauth2/authorize?client_id=4dca1d4f-adcf-4dd2-a0a0-d2fa9d86b752&redirect_uri=https://vir.www.office365.us.office.rp1.abangaritest.govshn.net/landing&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=637772685624977344.Mzc0YzlkNGMtNmUzMy00NjViLTkzN2UtZTkzOTRmNTIzMTE2ZWE4MTlkYjctYWMyNi00NGM0LWI4NDYtMGZhNjY4ZDYyOWU1&ui_locales=en-US&mkt=en-US&state=WFWs1oRmXL4zWjwTGhX4ybaleSCYAq8G_IOLUeaE1GGIDF-aFnl-EsG2k1YMep94wWqgr-yGWp2sMtbMzcBUbJ8ys2hA4A9SSV24B-S_R56A2ur63dFwjAyFuDg7OtS6DsiYlwa-uQRzOE-JvByLYoCeL2_Nv60tuUa3d_j4jlqycpZPUuikY8l398JOH_mfwXffj5VO8sLuNjdrx5TaSAUSlaYmAkntEF0ThxElVE4l_4_yQni1a6nTnpc_kPYcw0GJ49_uzVSadTkzdaBfQ9fOigGGP_zrqPT0yomQi6USAWcw4-sk9dxEg60yGAWW&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.12.1.0&sso_reload=true

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm | Hash Value
CONTENT TLSH | T1DEA2F9B1B010682B829FD9FAF235E9016B58E144D2075FB5B9EC83CD19D792CE933629
CONTENT ssdeep | 192:ij7qO7UHp9zaP72eoxvb5aOLa7Qodu/g2tve8LZNRyfQ4BZlfM6BLWYx8G+G:1O7T72eoxrLCQuu/gQ1yY4BZ3WsJ+G

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm | Hash Value
VISUAL pHash | 8459717646d9596e
VISUAL aHash | 0000383b37373737
VISUAL dHash | 88e4d2d3e5eee6e6
VISUAL wHash | 00003b3f373f3737

Code Analysis

Risk Score 100/100
Threat Level CRITICAL
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential harvesting phishing targeting Microsoft users.
• Target: Microsoft users, specifically those using Microsoft services such as Outlook, Office 365, or Skype.
• Method: A fake Microsoft login page is presented to steal credentials when users enter their email, phone, or Skype and password.
• Exfil: The stolen credentials are likely sent to a malicious server controlled by the attacker.
• Indicators: The hostname is not an official Microsoft domain. It places Microsoft-style labels ('login.microsoftonline.us.office') in front of suspicious and potentially compromised domain elements ('rp1.abangaritest.govshn.net'). The domain's creation date is relatively old, but this is irrelevant because the other features clearly indicate phishing. The page uses Microsoft branding to appear legitimate.
• Risk: HIGH - Real-time credential theft.

🔐 Credential Harvesting Forms

📤 Form Action Targets

  • https://login.microsoftonline.us.office.rp1.abangaritest.govshn.net/common/login