SafeMode - Analysis: www.it-communications.com

Visual Capture

Detection Info

https://www.it-communications.com/?urid=QekUmAG1SKGCkVrFPcR7Eqgokar-cNrSxukpyx-1K3LBQkmgea2AJpYeUbJVQRzZ6UgCDUzOFSYPiiEdcf4E3w8tmvDhQzuQeFOk8WuvCxvTf62ExBUM23yoiDyZ7k5GBXjdhl019NTEWM&rg=CUS

Detected Brand

Microsoft

Country

International

Confidence

95%

HTTP Status

200

Report ID

b115c95b-d89…

Analyzed

2026-02-07 23:11

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T15DC15060E424DD338353D6E1BBA49B0A72D8C347CA46450866F8536E6FE3DD5CE261A1
CONTENT ssdeep	96:11RrAPn8G36sgCD6sTUxSNgEj6sTzX1p6sIGUJvySOzrG4vSAKyFSAb3+3pxRHUR:al9D+cVPpYgDS3RHAN3/

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	989973674c5932dc
VISUAL aHash	ffff3e1818000000
VISUAL dHash	f0f8f0b2b2f1dab0
VISUAL wHash	ffffff1c180c0800
VISUAL colorHash	1bc00010000
VISUAL cropResistant	e0e0f0f0c0e0c0c1,f0f8f0b2b2f1dab0

Code Analysis

Risk Score 56/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

🔬 Threat Analysis Report

• Threat: Credential Phishing
• Target: Microsoft users
• Method: Impersonation through a fake login page.
• Exfil: Unknown, but forms detected (likely harvesting credentials).
• Indicators: Domain mismatch, form asking for sensitive information.
• Risk: High

🔒 Obfuscation Detected

fromCharCode
base64_strings

🎯 Kit Endpoints

https://breeze.aimon.applicationinsights.io/v2/track
https://www.it-communications.com/js/site2.js
https://az416426.vo.msecnd.net/scripts/a/ai.0.js
https://dc-int.services.visualstudio.com/v2/track
https://dc.services.visualstudio.com/v2/track
https://www.it-communications.com/js/reporter_v8.js?ver=1.10.0

📡 API Calls Detected

POST

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain it-communications.com is completely unrelated to Microsoft.

Credential Harvesting

Form is designed to collect user credentials.

Obfuscation

Obfuscation detected in the code, likely to hide malicious intent or techniques.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Microsoft users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

MEDIUM - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester
9 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Microsoft

Official Website

https://www.microsoft.com

Fake Service

Microsoft account login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker attempts to steal user credentials by mimicking a legitimate login page. Users are prompted to enter their Microsoft account information on the fake page, which is then captured by the attacker.

Secondary Method: Obfuscation

The JavaScript code is obfuscated to make it difficult to analyze and detect malicious activity.

🌐 Infrastructure Indicators of Compromise

🦠 Malicious Files

Main File

reporter_v8.js

File Size

Functions: sendData(), postData(), getMessageData(), crajsonpcallback(), reshapeCode(), unMinifyUrl(), addTrackerImage()

📊 Attack Flow Diagram

1. Step 1: Victim visits URL with 'urid' parameter (victim identifier)
2. Step 2: Script initializes and extracts URL parameters (urid, rid, cid, uid)
3. Step 3: Script tracks all user interactions (keystrokes, clicks, form submissions) via event listeners
4. Step 4: For each interaction, sendData() exfiltrates data to C2 via 'getresponse.getmainpoint' with custom headers
5. Step 5: getMessageData() fetches dynamic phishing content based on interaction type (e.g., type 5 for form submissions)
6. Step 6: crajsonpcallback() injects fetched content into DOM (#omContent)
7. Step 7: If AJAX fails, addTrackerImage() sends data via 1x1 pixel image
8. Step 8: On successful exfiltration, server may respond with redirect URL (window.location.replace)
9. Step 9: Conditional alerts/modals shown based on server responses (e.g., fake training links, company names)

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

113.6 KB

🔗 API Endpoints Detected

Other

3

🔐 Obfuscation Detected

: None
: None
: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

1. Step 1: Victim visits URL with 'urid' parameter (victim identifier)
2. Step 2: Script initializes and extracts URL parameters (urid, rid, cid, uid)
3. Step 3: Script tracks all user interactions (keystrokes, clicks, form submissions) via event listeners
4. Step 4: For each interaction, sendData() exfiltrates data to C2 via 'getresponse.getmainpoint' with custom headers
5. Step 5: getMessageData() fetches dynamic phishing content based on interaction type (e.g., type 5 for form submissions)
6. Step 6: crajsonpcallback() injects fetched content into DOM (#omContent)
7. Step 7: If AJAX fails, addTrackerImage() sends data via 1x1 pixel image
8. Step 8: On successful exfiltration, server may respond with redirect URL (window.location.replace)
9. Step 9: Conditional alerts/modals shown based on server responses (e.g., fake training links, company names)