# mx20.goteal.io — MALICIOUS

> mx20.goteal.io is a credential harvesting phishing domain with a 9/95 detection rate on VirusTotal. Malicious infrastructure linked to Amazon SSL and GoDaddy.

## Summary

PhishDestroy identifies mx20.goteal.io as an active credential harvesting domain designed to deceive users into surrendering sensitive login credentials. This domain mimics legitimate email infrastructure, leveraging a generic MX record format (mx20) to appear as part of a corporate mail server. Threat actors frequently abuse such patterns to bypass email security filters, exploiting user trust in domain familiarity. The domain resolves to IP 52.44.87.47, a hosting environment with a history of phishing deployments, and operates under a fraudulent SSL certificate issued by Amazon. This combination of trusted infrastructure and deceptive naming conventions significantly increases the likelihood of successful credential theft.

This domain was flagged by 9 of 95 security vendors on VirusTotal, indicating widespread detection but not universal coverage, leaving potential victims exposed. Registered through GoDaddy.com, LLC on June 28, 2016, the domain has persisted for years, suggesting sustained malicious intent rather than a short-lived campaign. The Amazon-issued SSL certificate further complicates detection, as browsers and security tools may not flag the connection as suspicious. Given the domain’s age and infrastructure reuse, it has likely been involved in multiple phishing operations, reinforcing its elevated risk profile.

Organizations and individual users who may have accessed mx20.goteal.io should immediately reset passwords for any accounts where the same credentials might have been reused. Isolate affected systems for forensic review if they were used to submit credentials to this domain. Security teams should block the domain at the DNS and firewall levels using the indicators provided (mx20.goteal.io, 52.44.87.47). Enable multi-factor authentication (MFA) as an additional layer of defense against credential-based attacks. Monitor email traffic for similar deceptive MX record patterns, particularly those using numerical prefixes in domain names. Reporting this domain to threat intelligence platforms can help disrupt ongoing and future campaigns leveraging the same infrastructure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2016-06-28 16:28:52
- Registrar: GoDaddy.com, LLC
- IP: 52.44.87.47

## Detection Status

- VirusTotal: 9 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/34deab3e-684a-469a-a3f8-96a074d7051a
- PhishDestroy: https://phishdestroy.io/domain/mx20.goteal.io/
- LLM endpoint: https://phishdestroy.io/domain/mx20.goteal.io/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/mx20.goteal.io/

Last updated: 2026-03-23