# PhishDestroy threat dossier — 365infverificar.fwh.is
================================================================
Fetched: 2026-07-03 06:43:17 UTC
Canonical: https://phishdestroy.io/domain/365infverificar.fwh.is/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Microsoft
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 3/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 17/91 security vendors flagged this domain
Flagging vendors: BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, OpenPhish, Seclookup, Sophos, URLQuery, Webroot
URLQuery: 2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 185.27.134.59 (GB, London)
Hosting org: AS34119 Wildcard UK Limited
Registrar: FreeWebHostingArea
Nameservers: ns1.byet.org, ns2.byet.org, ns3.byet.org, ns4.byet.org
Registered: 2024-11-01
Expires: 2026-11-01
HTTP response: 200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2024-11-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-02 15:28:11 UTC (by PhishDestroy tracker)
First reported: 2026-07-02 13:43:52 UTC (abuse notice filed)
Last verified: 2026-07-03 08:20:35 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f2303-2883-7043-8478-104bdc869b56/
URLQuery: https://urlquery.net/report/c90b20fa-4dfa-4bbf-b053-c788bcc02c19
Wayback Machine: https://web.archive.org/web/*/365infverificar.fwh.is
crt.sh CT logs: https://crt.sh/?q=%25.365infverificar.fwh.is
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=365infverificar.fwh.is
AlienVault OTX: https://otx.alienvault.com/indicator/domain/365infverificar.fwh.is
URLhaus: https://urlhaus.abuse.ch/host/365infverificar.fwh.is/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-02 16:06:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, 365infverificar.fwh.is, is currently active and classified as a generic phishing threat specializing in fake Microsoft 365 login portals. Analysis indicates the infrastructure is designed to harvest user credentials by mimicking legitimate authentication pages, a tactic commonly associated with credential theft and subsequent account compromise. The domain does not explicitly replicate a single brand but leverages the widely recognized Microsoft 365 identity to deceive targets into entering sensitive information.

Infrastructure analysis reveals multiple high-risk indicators.
The domain resolves to the IP address 185.27.134.59 and was registered on November 01, 2024, through FreeWebHostingArea, a registrar frequently associated with low-cost or free hosting environments. It is flagged by 16 of 95 security vendors on VirusTotal, with one confirmed appearance on a security blocklist. The SSL certificate is issued by ZeroSSL GmbH, a provider commonly used for both legitimate and malicious domains, offering no inherent trust signal. The combination of recent registration, low-cost hosting, and detection by multiple security engines strongly suggests malicious intent.

The domain remains active and poses an elevated risk to users. Organizations and individuals are advised to block the domain and its associated IP address at the network level. Endpoint protection solutions should be updated to include this domain in phishing and credential theft detection rules. Users who may have interacted with this domain should immediately reset their Microsoft 365 credentials from a secure device and enable multi-factor authentication. Security teams are encouraged to monitor for related indicators, including the IP address 185.27.134.59 and any subdomains or redirect chains originating from 365infverificar.fwh.is.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260702-119BA2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/365infverificar.fwh.is/
JSON API: https://api.destroy.tools/v1/check?domain=365infverificar.fwh.is
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,171 domains (13,630 alive under monitoring, 159,748 confirmed takedowns/dead).
Site: https://phishdestroy.io