# telegram-mail-mini.pages.dev — SUSPICIOUS > telegram-mail-mini.pages.dev is serving a Telegram-themed credential phishing lure with 0/95 VirusTotal detections. Review the full report for IOCs and TTPs. ## Summary telegram-mail-mini.pages.dev has been flagged for an active Telegram-themed credential harvesting campaign under open investigation by PhishDestroy. The domain masquerades as a lightweight mail service tied to Telegram, aiming to trick users into surrendering authentication tokens or account credentials. Current risk level is labeled under_investigation, but behavioral telemetry confirms active lures across messaging channels and social networks. This domain resolves to 172.66.47.6 and is hosted behind Cloudflare’s infrastructure, leveraging Google Trust Services for TLS encryption. VirusTotal currently shows 0 detections out of 95 engines as of the last scan, indicating it has not yet been widely blacklisted or detected by automated scanners. The SSL certificate issued by GTS suggests the infrastructure is provisioned with legitimate TLS chains, complicating detection based solely on certificate reputation. The domain was registered under Cloudflare, Inc., which can obfuscate true ownership and hosting details through proxy registration and dynamic IP rotation. While no formal blocklist inclusion was detected at the time of analysis, the absence of detections and the use of reputable services highlight a stealthy infrastructure designed to evade early-stage detection. Mitigation for this Telegram-themed phishing lure must focus on user awareness and credential hygiene. Users should be advised to never enter account credentials or OAuth tokens into third-party web forms, even if they appear to originate from Telegram-branded services. Organizations should monitor DNS logs for connections to 172.66.47.6 and inspect outbound traffic for POST requests to paths like /login or /auth, which are common in credential harvesting campaigns. DNS sinkholing or web filtering rules should be updated to block telegram-mail-mini.pages.dev immediately upon validation. Additionally, enabling multi-factor authentication on all Telegram accounts can prevent compromise even if credentials are harvested. Security teams are encouraged to correlate this domain with internal telemetry and share IOCs with trusted threat intelligence platforms to accelerate detection and response. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.47.6 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/3cd2bafb-7859-4a3d-abcd-dca147d171b6 - PhishDestroy: https://phishdestroy.io/domain/telegram-mail-mini.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/telegram-mail-mini.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/telegram-mail-mini.pages.dev/ Last updated: 2026-03-24