# bellsouth-att-siging-693f63.webflow.io — MALICIOUS

> Phishing domain bellsouth-att-siging-693f63.webflow.io impersonates AT&T/Bellsouth to steal credentials.

## Summary
PhishDestroy identifies bellsouth-att-siging-693f63.webflow.io as an active phishing site impersonating AT&T/Bellsouth login interfaces to harvest user credentials. The domain resolves to a Webflow.io subdomain, leveraging the platform’s credibility to bypass basic filters. No evidence of a drainer kit was detected at the time of analysis, suggesting a straightforward credential harvesting operation targeting AT&T customers under the guise of account verification.  This domain was flagged by 5 out of 95 security vendors on VirusTotal and is blocked by Google Safe Browsing under the SOCIAL_ENGINEERING category. Technical indicators include resolution to IP 104.18.36.248 (Cloudflare infrastructure) and an SSL certificate issued by Google Trust Services, which may lend false legitimacy. The domain’s creation date is recent, aligning with the surge in phishing campaigns exploiting AT&T brand trust.  As of the latest assessment, bellsouth-att-siging-693f63.webflow.io remains active and constitutes an elevated threat due to its impersonation tactics. Immediate action includes blocking the domain at the network level and advising users to avoid unsolicited AT&T/Bellsouth communications. While the SSL certificate and Cloudflare IP complicate takedown, the elevated risk persists until the domain is deactivated or flagged by hosting providers. Users should verify sender domains and enable multi-factor authentication on AT&T accounts as a precaution.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.36.248

## Detection Status
- VirusTotal: 5 vendors flagged
- Google Safe Browsing: FLAGGED
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/8b4b5fb4-9861-4fd3-926e-c6a4b3a86e37
- PhishDestroy: https://phishdestroy.io/domain/bellsouth-att-siging-693f63.webflow.io/
- LLM endpoint: https://phishdestroy.io/domain/bellsouth-att-siging-693f63.webflow.io/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/bellsouth-att-siging-693f63.webflow.io/
Last updated: 2026-03-22