# PhishDestroy threat dossier — docupdate.cloud
================================================================
Fetched: 2026-07-03 07:38:17 UTC
Canonical: https://phishdestroy.io/domain/docupdate.cloud/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 73/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Microsoft

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/95 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 162.255.119.80 (US, Los Angeles)
Hosting org: AS22612 Namecheap, Inc.
Registrar: NAMECHEAP INC
Nameservers: dns1.registrar-servers.com, dns2.registrar-servers.com
Registered: 2026-06-30
Expires: 2027-06-30
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: none
Status: INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-01 18:49:34 UTC (by PhishDestroy tracker)
First reported: 2026-07-01 16:53:47 UTC (abuse notice filed)
Last verified: 2026-07-03 08:20:35 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1e94-2881-77f3-8dc9-e468a7458706/
Wayback Machine: https://web.archive.org/web/*/docupdate.cloud
crt.sh CT logs: https://crt.sh/?q=%25.docupdate.cloud
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=docupdate.cloud
AlienVault OTX: https://otx.alienvault.com/indicator/domain/docupdate.cloud
URLhaus: https://urlhaus.abuse.ch/host/docupdate.cloud/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-01 18:56:55 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is currently under investigation for hosting a credential phishing scheme specifically designed to mimic Microsoft 365 login portals. Analysis indicates the infrastructure is structured to harvest corporate or personal account credentials by presenting users with a fraudulent authentication interface that closely resembles legitimate Microsoft services. The threat type is classified as a fake login portal, with potential secondary risks including account takeover and unauthorized access to cloud-stored documents or emails. Infrastructure analysis reveals the domain was registered on June 30, 2026, through NAMECHEAP INC, a registrar frequently observed in phishing operations due to its accessibility and bulk registration options.
As of the scan available when this narrative was generated, the domain had zero detections out of 95 engines on VirusTotal, suggesting it had not yet been widely flagged or incorporated into blocklists (the DETECTION EVIDENCE section above carries the current counts and takes precedence over this paragraph). The domain resolves to the IP address 162.255.119.80, which has been associated with other low-reputation hosting environments but currently lacks a definitive malicious classification. No public blocklist entries or threat-intelligence reports had been identified at generation time, though the domain remains active and capable of serving content.

Users who have visited docupdate.cloud or entered credentials on any page hosted under this domain should immediately change any submitted password, revoke the account's active sessions (a password change alone does not end a session the attacker already holds), and enable multi-factor authentication on the affected account. System administrators are advised to monitor network logs for connections to 162.255.119.80 and for DNS queries for docupdate.cloud and its subdomains, and to consider preemptive blocking at the perimeter. If credentials were entered, a full audit of the account for unauthorized access or data exfiltration is recommended. Given the domain's recent creation and low detection count, continued vigilance is warranted as threat intelligence may evolve.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260701-1863AB

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/docupdate.cloud/
JSON API: https://api.destroy.tools/v1/check?domain=docupdate.cloud
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,184 domains (13,643 alive under monitoring, 159,748 confirmed takedowns/dead).
Site: https://phishdestroy.io
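The ANALYST NARRATIVE asks administrators to sweep logs for DNS queries for docupdate.cloud and connections to 162.255.119.80, and the methodology note above warns that a young domain's low VT count is not a clean bill of health. The script below is an added example of both checks in Python; it is not PhishDestroy's tooling and not code from this page. The log lines are constructed for the example, and their dnsmasq-style resolver and Squid-style proxy layout is an assumption to adapt to your own resolver and proxy formats.

```python
"""
Perimeter-log sweep for the IOCs in this dossier (docupdate.cloud, 162.255.119.80).

Added example, not PhishDestroy's own tooling. The log lines are constructed
(dnsmasq-style resolver log plus a Squid-style proxy access log) so it runs
offline; their field layout is an assumption. Adapt the regexes to your own
resolver / proxy format before running it on production logs.
"""
import ipaddress
import re
from datetime import date

# Indicators and dates taken from the INFRASTRUCTURE / TIMELINE sections.
IOC_DOMAIN = "docupdate.cloud"
IOC_IP = ipaddress.ip_address("162.255.119.80")
REGISTERED = date(2026, 6, 30)
YOUNG_DOMAIN_DAYS = 30   # dossier: new scam domains often sit at 0/95 VT for 7-30 days

# Constructed sample lines; 10.0.0.0/8 addresses stand in for internal clients.
SAMPLE_LOG = """\
Jul  1 18:49:12 gw dnsmasq[812]: query[A] docupdate.cloud from 10.0.4.23
Jul  1 18:49:12 gw dnsmasq[812]: reply docupdate.cloud is 162.255.119.80
Jul  1 18:49:40 gw dnsmasq[812]: query[A] login.DocUpdate.Cloud from 10.0.4.23
Jul  1 18:50:02 gw dnsmasq[812]: query[A] docupdate.cloudfront.net from 10.0.7.9
Jul  1 18:50:05 gw dnsmasq[812]: query[A] notdocupdate.cloud from 10.0.7.9
1751395812.102    214 10.0.4.23 TCP_TUNNEL/200 4310 CONNECT 162.255.119.80:443 - HIER_DIRECT/162.255.119.80 -
1751395830.441    180 10.0.4.31 TCP_MISS/200 9120 GET https://www.microsoft.com/ - HIER_DIRECT/13.107.246.40 text/html
"""

# Any dotted hostname-like token; IP literals also match and are filtered below.
HOST_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matches_domain(name, ioc=IOC_DOMAIN):
    """True for the IOC domain or any subdomain of it, case-insensitively.
    A plain substring test would also hit docupdate.cloudfront.net and
    notdocupdate.cloud, which are unrelated names."""
    name = name.lower().rstrip(".")
    ioc = ioc.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)


def _ips(line):
    """All syntactically valid IPv4 literals on a line."""
    out = []
    for m in IPV4_RE.finditer(line):
        try:
            out.append(ipaddress.ip_address(m.group(0)))
        except ValueError:      # e.g. 300.1.1.1
            pass
    return out


def scan_log(text):
    """Return one dict per log line that touches either IOC.

    'clients' lists the private (RFC 1918) addresses on the line, i.e. the
    internal hosts to pull into the credential-reset / account-audit step."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = []
        for m in HOST_RE.finditer(line):
            if matches_domain(m.group(1)):
                reasons.append("dns:" + m.group(1))
                break
        ips = _ips(line)
        if IOC_IP in ips:
            reasons.append("ip:" + str(IOC_IP))
        if reasons:
            clients = sorted({str(ip) for ip in ips if ip.is_private})
            hits.append({"line": n, "reasons": reasons, "clients": clients, "text": line})
    return hits


def affected_clients(hits):
    """Deduplicated internal hosts seen talking to the IOCs."""
    return sorted({c for h in hits for c in h["clients"]})


def domain_age_days(observed_iso):
    """Days between the WHOIS registration date and an observation date (ISO string)."""
    return (date.fromisoformat(observed_iso) - REGISTERED).days


def is_young_domain(observed_iso, threshold=YOUNG_DOMAIN_DAYS):
    """Registration younger than the threshold: treat a low VT count as uninformative."""
    return domain_age_days(observed_iso) < threshold


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {','.join(h['reasons'])} clients={h['clients']}")
    print("clients to audit:", affected_clients(found))
    print("domain age on 2026-07-03:", domain_age_days("2026-07-03"),
          "days; young:", is_young_domain("2026-07-03"))
```

On the constructed input the sweep flags the two direct lookups, the mixed-case subdomain query and the proxied CONNECT to the IP, while leaving docupdate.cloudfront.net and notdocupdate.cloud alone; 10.0.4.23 comes out as the one client to put through the password-change and account-audit steps. The subdomain-aware match matters because a phishing kit is usually served from a hostname like login.<domain>, and a naive substring search would both miss nothing and drown you in look-alike false positives. For anything beyond a one-off sweep, push the domain and the IP into the resolver and proxy blocklists rather than re-running the script.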