SafeMode - Analysis: messagedownload.com

EN ES PT

Back to Stats

Visual Capture

Screenshot of messagedownload.com

Detection Info

https://messagedownload.com/?keyname=PFrspJ2

Detected Brand

Microsoft

Country

International

Confidence

95%

HTTP Status

200

Report ID

c14c0508-721…

Analyzed

2026-02-17 10:11

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T17BA1DBB21280482753569AC890726ACE78EEC347DE87C61475D8870D8FFBFD7D995270
CONTENT ssdeep	96:nr0ti67t66X660Ldt6xRtds6mqqNVsypWPG6foOJsvvuGBvHCM+sCcsvvuGBvHC5:MzVdxR/YQaBPCZssBPCZsY

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9d49f326e6999924
VISUAL aHash	19181818171f1fff
VISUAL dHash	61717331257a7539
VISUAL wHash	39181818171f1fff
VISUAL colorHash	07000000180
VISUAL cropResistant	61717331257a7539

Code Analysis

Risk Score 50/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

🔬 Threat Analysis Report

• Threat: Credential Phishing
• Target: Microsoft Users
• Method: Impersonation via fake login page
• Exfil: Unknown, but most likely to a backend server. Forms detected: 1
• Indicators: Domain mismatch, impersonation of Microsoft, form fields.
• Risk: HIGH

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain mismatch

The domain is completely unrelated to the brand being impersonated.

Impersonation

The page tries to imitate Microsoft's login page.

Form present for credentials

The presence of a form to collect email and password data.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Microsoft users (International)

Attack Method

Brand impersonation + credential harvesting forms

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

MEDIUM - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester

🏢 Brand Impersonation Analysis

Impersonated Brand

Microsoft

Official Website

microsoft.com

Fake Service

Microsoft account login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attackers are using a fake login page to trick users into entering their Microsoft credentials (email/phone/Skype and password).

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

messagedownload.com

Registered

2022-06-23 01:41:20+00:00

Registrar

Unknown

Status

Active

🤖 AI-Extracted Threat Intelligence

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot

https://cdn.gosafemode.com/screenshots/df0bea6b277c.png

Screenshot

https://encrypted-login.com/?keyname=preview-GiiunCo

Screenshot

https://encrypted-portal.com/?keyname=EPYzJLX

😰

"I Never Thought It Would Happen to Me"

That's what 2.3 million victims say every year. Don't wait to become a statistic.