# live-led-eom-en.pages.dev — SUSPICIOUS > live-led-eom-en.pages.dev is a credential theft phishing domain flagged by 2/95 VirusTotal vendors. Avoid entering any credentials—it mimics legitimate services. ## Summary PhishDestroy identifies live-led-eom-en.pages.dev as an active credential theft phishing domain using a generic lure designed to harvest user credentials. The site masquerades as an official or semi-official endpoint, leveraging Cloudflare Pages hosting to appear legitimate while deploying a phishing kit that targets unsuspecting users under the guise of an end-of-month enrollment or verification process. No evidence of a branded impersonation (e.g., Microsoft, PayPal) or crypto drainer payload has been observed in current telemetry, suggesting a broad, opportunistic campaign aimed at harvesting login credentials for resale or further exploitation. The domain’s naming pattern—live-led-eom-en—hints at a staged, time-sensitive scenario (end-of-month enrollment), a common tactic to pressure victims into immediate action without scrutiny. This domain resolves to IP 172.66.47.189 via Cloudflare’s edge network and is served over HTTPS with a Google Trust Services certificate, increasing its perceived legitimacy. VirusTotal analysis shows minimal detection, with only 2 out of 95 security vendors flagging the domain at time of analysis. The domain was registered through Cloudflare, Inc. as the registrar, leveraging Cloudflare’s privacy-protecting infrastructure to obscure ownership details. Notably, the domain does not appear on Google Safe Browsing’s blocklist as of the latest scan, and no significant presence in public threat intelligence feeds has been recorded. These factors indicate a low-profile, possibly experimental or short-lived campaign designed to evade broad detection while maintaining plausible deniability through Cloudflare’s legitimate infrastructure. As of the latest assessment, live-led-eom-en.pages.dev remains active and is actively serving a credential harvesting page. Given its elevated risk profile—low detection rate, use of trusted infrastructure, and absence from major blocklists—this domain poses a credible threat to users who may unknowingly submit sensitive login information. Security teams and end-users are advised to block the domain at the network level and avoid interacting with any links or forms associated with it. Immediate action includes reporting the domain to threat intelligence platforms, updating browser blocklists, and educating users about the risks of unsolicited login prompts. Although the campaign appears opportunistic rather than highly targeted, the potential for credential abuse remains significant, warranting heightened vigilance and proactive defense measures. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.47.189 ## Detection Status - VirusTotal: 2 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/5a27db6e-265f-4346-83e8-1b58a6addf23 - PhishDestroy: https://phishdestroy.io/domain/live-led-eom-en.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/live-led-eom-en.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/live-led-eom-en.pages.dev/ Last updated: 2026-03-25