# andrewgroup.co — SUSPICIOUS

> PhishDestroy identifies andrewgroup.co as a fake invoice phishing domain. VirusTotal shows 0/95 detections. Check the full report.

## Summary

PhishDestroy identifies andrewgroup.co as an active phishing domain currently under investigation for generic invoice scam activity. This deceptive domain mimics legitimate business correspondence to trick recipients into downloading malicious attachments or revealing sensitive payment data. The risk level remains formally under_investigation, but observed behaviors align with known invoice-themed phishing campaigns that leverage urgency and fake invoices to exploit trust in corporate billing processes. This domain was flagged by PhishDestroy analysts due to its suspicious payload delivery pattern, despite lacking immediate detection by security vendors.

As of today, the domain resolves to IP address 104.21.69.2 and is associated with an SSL certificate issued by Google Trust Services. It was registered through Gname.com Pte. Ltd. on February 02, 2026. VirusTotal scanning shows 0 detections out of 95 engines, indicating it has evaded signature-based detection systems thus far. The domain has not yet appeared on major public blocklists such as Google Safe Browsing, PhishTank, or OpenPhish, suggesting a newly emerged or stealthily operated threat.

To mitigate exposure to this invoice scam, organizations should immediately block access to andrewgroup.co at the network perimeter using DNS filtering, firewall rules, or endpoint protection platforms. Users should be alerted through security awareness training about red flags in unsolicited invoices, including mismatched sender domains, urgent payment demands, and unexpected attachments. If received, suspicious invoices should be reported to the IT security team for analysis before any action is taken. Given the low detection rate and recent registration, this domain poses a growing threat to finance and procurement teams. Immediate proactive blocking is recommended to prevent potential financial fraud.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-02-02 15:55:30
- Registrar: Gname.com Pte. Ltd.
- IP: 104.21.69.2

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/40248548-6ea7-4a90-86ba-c86961b2218f
- PhishDestroy: https://phishdestroy.io/domain/andrewgroup.co/
- LLM endpoint: https://phishdestroy.io/domain/andrewgroup.co/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/andrewgroup.co/

Last updated: 2026-03-23