# pub-2a92347ea03e4260a6bb3d381381c037.r2.dev — MALICIOUS

> PhishDestroy identifies pub-2a92347ea03e4260a6bb3d381381c037.r2.dev as an active Microsoft 365 phishing domain. 16 of 95 VirusTotal vendors flagged it.

## Summary

PhishDestroy identifies the domain pub-2a92347ea03e4260a6bb3d381381c037.r2.dev as an active Microsoft 365 credential-harvesting phishing campaign. The infrastructure mimics Microsoft’s cloud storage branding to trick users into entering account credentials on a spoofed OneDrive login page. This threat is currently active and leverages deceptive domain naming conventions to appear legitimate.

This domain was flagged by 16 of 95 VirusTotal security vendors, utilizes a Let’s Encrypt SSL certificate, and is blocked by two major blocklists: PhishingArmy and OISD. The domain resolves to IP address 104.18.54.45 and is hosted on Cloudflare’s R2 storage service.

Based on the available telemetry, the domain exhibits high-risk indicators consistent with phishing infrastructure designed to harvest Microsoft 365 credentials. The low trust scores and presence across multiple threat intelligence feeds confirm its malicious intent.

Given the elevated risk level and active campaign status, PhishDestroy strongly advises against interacting with this domain or any URLs associated with it. Users who encounter this domain or suspicious emails referencing cloud storage should report the incident to their IT security team immediately. Organizations are encouraged to implement DNS filtering rules to block this domain at the gateway and to educate employees about recognizing phishing attempts that misuse Microsoft branding. If credential compromise is suspected, enable multi-factor authentication and conduct a password reset for affected accounts.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.54.45

## Detection Status

- VirusTotal: 16 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: ["PhishingArmy", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/0ffa0f3f-053b-4081-bf86-db2f05954652
- PhishDestroy: https://phishdestroy.io/domain/pub-2a92347ea03e4260a6bb3d381381c037.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-2a92347ea03e4260a6bb3d381381c037.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-2a92347ea03e4260a6bb3d381381c037.r2.dev/

Last updated: 2026-04-01