# PhishDestroy threat dossier — grupopalacios.com.mx
================================================================
Fetched: 2026-06-26 07:42:26 UTC
Canonical: https://phishdestroy.io/domain/grupopalacios.com.mx/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 20/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, Cluster25, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, Lionic, Seclookup, SOCRadar, Sophos, URLQuery, VIPRE, Webroot
URLQuery: 3 detections
AlienVault OTX: 1 pulse (threat-intel feed mention)
Public blocklists: listed on 1 independent blocklist
Google Safe Browsing: FLAGGED

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 162.240.79.223 (US, Provo)
ASN: AS46606 UNIFIEDLAYER-AS-1 - Unified Layer, US
Hosting org: AS46606 Unified Layer
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers: ns1.grupopalacios.com.mx (162.240.79.223, the same address as the web host), ns2.grupopalacios.com.mx (162.240.39.1)
Registered: 2022-12-19
Expires: 2026-12-19
Page title: Outlook Web App

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-19
Status: INVALID chain
Fingerprint (SHA-256): 91c60c003656891c7c949a8d41af3cc4b4e6d1e950b5d72ccf4f849db01a81eb
Subject Alternative Names (related infrastructure — often the same operator; on shared hosting such as Unified Layer, however, one certificate can also cover unrelated co-tenants, so treat these names as pivot leads rather than confirmed indicators):
- flexoluciones.com
- innovacionedu.com
- tsgetiquetas.com
- www.colchasraqui.mx.grupopalacios.com.mx
- www.innovacionedu.grupopalacios.com.mx
- www.tsgetiquetas.com.grupopalacios.com.mx

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched: either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2022-12-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-24 14:38:00 UTC (by PhishDestroy tracker)
First reported: 2026-06-24 12:57:21 UTC (abuse notice filed; this timestamp precedes First detected, and the ABUSE-REPORT HISTORY section records that no formal notice was sent, so treat it as a tracker artefact rather than a dispatched report)
Last verified: 2026-06-26 09:17:53 UTC
Neutralised: 2026-06-24 18:19:01 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019ef9a1-cb17-742c-9518-beefb0237369/
URLQuery: https://urlquery.net/report/e01fd7c2-ea03-4034-b829-aebfb523da64
Wayback Machine: https://web.archive.org/web/*/grupopalacios.com.mx
crt.sh CT logs: https://crt.sh/?q=%25.grupopalacios.com.mx
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=grupopalacios.com.mx
AlienVault OTX: https://otx.alienvault.com/indicator/domain/grupopalacios.com.mx
URLhaus: https://urlhaus.abuse.ch/host/grupopalacios.com.mx/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 21:11:29 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, grupopalacios.com.mx, is confirmed as a high-risk phishing site designed to harvest Microsoft Outlook credentials through a fake Outlook Web App login page. The threat type is credential theft via brand impersonation: a realistic but fraudulent authentication portal aimed at users of enterprise email services. Targeting corporate or institutional users in this way is a common first step in business email compromise (BEC) campaigns.

Infrastructure analysis yields several indicators supporting the malicious classification. The domain resolves to 162.240.79.223, hosted on AS46606 (Unified Layer) in the United States. It was registered on 2022-12-19 through PDR Ltd. d/b/a PublicDomainRegistry.com, a registrar frequently associated with abuse reports. The site served a Let's Encrypt certificate (issuer YR2), so the browser padlock lent the fake login page a false sense of legitimacy. Detection metrics: 20 of 91 VirusTotal vendors flagged the domain, and Google Safe Browsing plus one additional blocklist list it as phishing. The page title, Outlook Web App, matches the impersonated service and confirms the intended deception. Note that the 2022 registration date, the agency-style subdomains in the certificate's SAN list and the shared Unified Layer hosting are at least as consistent with a compromised legitimate website hosting the phishing page as with purpose-built infrastructure; in either case the hosting IP and the SAN co-tenants are the useful pivots, not the registration date.

Mitigation requires immediate action from both users and security teams. Organizations should block the domain and the associated IP (162.240.79.223) at the perimeter and alert on any access attempts from internal networks. Users who may have entered credentials should reset their password immediately and enable multi-factor authentication on all accounts; because this was an OWA lure, the account owner or helpdesk should also revoke existing sessions and tokens and check the mailbox for newly added forwarding or inbox rules, the usual BEC follow-on. Security teams should review DNS, proxy and TLS logs for connections to the domain, its SAN co-tenants or the IP, particularly from endpoints with access to sensitive corporate resources. Additional related infrastructure may exist; proactive hunting for the same patterns (the favicon hash and page title recorded below, other names on the same certificate, other hosts on 162.240.79.223 and on the same ASN) is recommended. The site's current offline status does not eliminate risk: phishing infrastructure is often reactivated or repurposed.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260624-7157F0
Favicon MD5: ff36daf8d36208247688c19b34a11eca
TLS cert SHA-256: 91c60c003656891c7c949a8d41af3cc4b4e6d1e950b5d72ccf4f849db01a81eb

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe: new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/grupopalacios.com.mx/
JSON API: https://api.destroy.tools/v1/check?domain=grupopalacios.com.mx
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot
About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,057 domains (12,358 alive under monitoring, 157,076 confirmed takedowns/dead).
Site: https://phishdestroy.io
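The log-review step recommended in the ANALYST NARRATIVE, and the caveat on pivoting from the SAN list, worked through as an added example. This is editor-written code, not PhishDestroy's tooling: it turns the indicators printed in this dossier into a watchlist and runs it over a few constructed Zeek-style JSON log lines. Assumptions: the log field names only loosely follow Zeek's JSON output, `cert_sha256` on the ssl record is a constructed field (Zeek keeps that fingerprint in x509.log), and the internal source addresses and timestamps are made up.

```python
import json
from typing import List, Optional, Set, Tuple

# Indicators copied from the INFRASTRUCTURE and TLS CERTIFICATE sections above.
DOMAIN = "grupopalacios.com.mx"
HOST_IP = "162.240.79.223"
CERT_SHA256 = "91c60c003656891c7c949a8d41af3cc4b4e6d1e950b5d72ccf4f849db01a81eb"
SANS = [
    "flexoluciones.com",
    "innovacionedu.com",
    "tsgetiquetas.com",
    "www.colchasraqui.mx.grupopalacios.com.mx",
    "www.innovacionedu.grupopalacios.com.mx",
    "www.tsgetiquetas.com.grupopalacios.com.mx",
]

# Constructed log lines, not real traffic. Field names loosely follow Zeek's
# JSON output; cert_sha256 is an assumed field added for this example.
SAMPLE_LOGS = [
    '{"_path":"dns","ts":1782650000.1,"id.orig_h":"10.20.0.15","query":"login.microsoftonline.com"}',
    '{"_path":"dns","ts":1782650001.3,"id.orig_h":"10.20.0.15","query":"mail.grupopalacios.com.mx"}',
    '{"_path":"dns","ts":1782650002.0,"id.orig_h":"10.20.0.31","query":"notgrupopalacios.com.mx"}',
    '{"_path":"conn","ts":1782650003.7,"id.orig_h":"10.20.0.15","id.resp_h":"162.240.79.223","id.resp_p":443}',
    '{"_path":"conn","ts":1782650004.2,"id.orig_h":"10.20.0.44","id.resp_h":"162.240.39.1","id.resp_p":53}',
    '{"_path":"ssl","ts":1782650005.9,"id.orig_h":"10.20.0.52","server_name":"www.tsgetiquetas.com",'
    '"cert_sha256":"91C60C003656891C7C949A8D41AF3CC4B4E6D1E950B5D72CCF4F849DB01A81EB"}',
]


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot, strip a leading 'www.'."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def build_watchlist(domain: str, sans: List[str]) -> Set[str]:
    """The dossier domain plus every SAN, each matched by exact name or as a parent."""
    return {normalize_host(domain)} | {normalize_host(s) for s in sans}


def name_matches(observed: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlist entry that 'observed' equals or sits under, else None.
    Anchoring the suffix on '.' keeps notgrupopalacios.com.mx from matching."""
    observed = normalize_host(observed)
    for entry in sorted(watchlist, key=len, reverse=True):  # most specific first
        if observed == entry or observed.endswith("." + entry):
            return entry
    return None


def pivot_candidates(domain: str, sans: List[str]) -> Set[str]:
    """Co-hosted sites embedded in cPanel-style SANs, e.g.
    www.tsgetiquetas.com.grupopalacios.com.mx -> tsgetiquetas.com.
    These are leads to check, not confirmed malicious names."""
    apex = normalize_host(domain)
    leads = set()
    for san in sans:
        san = normalize_host(san)
        leads.add(san[: -len(apex) - 1] if san.endswith("." + apex) else san)
    return leads


def match_logs(lines: List[str], domain: str = DOMAIN, sans: List[str] = SANS,
               host_ip: str = HOST_IP, cert_sha256: str = CERT_SHA256) -> List[Tuple]:
    """Scan JSON log lines; return (ts, source_host, reason) for every indicator hit."""
    watchlist = build_watchlist(domain, sans)
    hits = []
    for raw in lines:
        rec = json.loads(raw)
        ts, src, path = rec.get("ts"), rec.get("id.orig_h", "?"), rec.get("_path")
        if path == "dns":
            entry = name_matches(rec.get("query", ""), watchlist)
            if entry:
                hits.append((ts, src, f"dns query {rec['query']} under {entry}"))
        elif path == "conn":
            if rec.get("id.resp_h") == host_ip:
                hits.append((ts, src, f"connection to {host_ip}:{rec.get('id.resp_p')}"))
        elif path == "ssl":
            entry = name_matches(rec.get("server_name", ""), watchlist)
            if entry:
                hits.append((ts, src, f"TLS SNI {rec['server_name']} under {entry}"))
            if rec.get("cert_sha256", "").lower() == cert_sha256.lower():
                hits.append((ts, src, "leaf certificate fingerprint matches dossier"))
    return hits


def affected_hosts(hits: List[Tuple]) -> List[str]:
    """Internal sources that touched the infrastructure: the reset / session-revocation list."""
    return sorted({src for _, src, _ in hits})


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS)
    for ts, src, reason in found:
        print(ts, src, reason)
    print("hosts to triage:", affected_hosts(found))
    print("pivot leads from SANs:", sorted(pivot_candidates(DOMAIN, SANS)))
```

The conn record to 162.240.39.1 (ns2's address) deliberately does not fire: only the indicators the dossier ties to the phishing host are on the watchlist, and a practitioner would decide separately whether the nameserver address belongs there. The certificate match is case-insensitive because fingerprint casing differs between tools.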