# ndx-io.zapier.app — MALICIOUS

> ndx-io.zapier.app is a credential-harvesting domain that mimics Zapier. Blocked by OpenPhish & PhishingArmy. Check the full report.

## Summary

A recently identified credential-harvesting domain, ndx-io.zapier.app, has been flagged with an elevated risk level and is actively engaged in impersonating the legitimate automation platform Zapier. Security teams should treat this domain as a high-priority threat due to its clear intent to deceive users into surrendering credentials under the guise of legitimate service access. Observed behavior includes luring victims through fake login portals hosted on the domain, harvesting credentials, and redirecting input to attacker-controlled endpoints for further exploitation. Historical context suggests this campaign may be part of a broader credential-stuffing or social engineering campaign targeting users of SaaS automation tools.

This domain was flagged based on multiple indicators of compromise, including detection by 19 out of 95 security vendors on VirusTotal. The domain resolves to IP address 64.239.123.193 and is associated with a Let's Encrypt SSL certificate, suggesting an attempt to appear legitimate. It has appeared on two independent blocklists and is hosted on infrastructure managed by Cloudflare's CDN platform, consistent with phishing campaigns designed to evade detection and blocklisting. No public record of its creation date is available within standard WHOIS databases, indicating potential recent registration typical of disposable phishing domains designed for short-lived campaigns.

To mitigate exposure to this threat, organizations are advised to block ndx-io.zapier.app at the DNS and perimeter levels immediately. Users should verify URLs manually before entering credentials and avoid clicking links embedded in unsolicited messages.

Endpoint detection and response rules should include monitoring for access to this domain and any associated IP, along with behavioral detection of unauthorized credential submission during authentication attempts. Security teams should also review proxy logs for outbound connections to 64.239.123.193. Additionally, user awareness training should highlight the risks of document-sharing and automation platform spoofing, with emphasis on verifying sender domains and avoiding automated login prompts outside official interfaces. Immediate blocking and reporting through threat intelligence platforms (e.g., OpenPhish, PhishingArmy) are recommended to prevent downstream compromise via credential reuse.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 64.239.123.193

## Detection Status

- VirusTotal: 19 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: ["OpenPhish", "PhishingArmy"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/146f2ac9-13c1-4160-b7db-06bb68a42426
- PhishDestroy: https://phishdestroy.io/domain/ndx-io.zapier.app/
- LLM endpoint: https://phishdestroy.io/domain/ndx-io.zapier.app/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ndx-io.zapier.app/

Last updated: 2026-03-29