https://defhost.co/
104.21.59.49 · Cloudflare, Inc.
Toronto, Canada
—
200 · 25.1s
Valid · WE1, Google Trust Services, US
COMPLETED
No KB/IOK detections were recorded for this scan.
technology | ecommerce | hosting | other · 6/3/2026
Google appears to present branding and UI for hosting services. The page loads a SPA with dynamic content and multiple external scripts. Visual inspection (screenshot) shows a Google logo and branding, not impersonation of a well-known external brand. There is no clear credential harvesting form in the static HTML, but the SPA could render interactive elements at runtime. The scan data notes a POST to a Cloudflare-related endpoint and a large number of external scripts, which could be used for analytics or dynamic UI, but there is insufficient concrete evidence of credential phishing in the captured signals.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 180
Hosts: 3
Domains: 3
No specific IOCs identified in source
The scan identifies a Google page with SPA architecture and runtime-loaded scripts. While there is no static login form in the HTML, the observed dynamic rendering means credential capture could occur through JavaScript. The presence of a POST to a Cloudflare telemetry endpoint and multiple external assets suggests standard hosting/telemetry behavior rather than explicit phishing. Given the current evidence, there is no conclusive phishing impersonation detected; monitoring is advised and further investigation should review runtime behavior and any credential collection flows.
Monitor