0/100

high Risk

muniea.tumblr.com

https://muniea.tumblr.com/

74.114.154.22 · TUMBLR, INC

Location

Ashburn, United States

Domain Age

7292 days

HTTP

403 · 65.6s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Save

Domain Intelligence: tumblr.com

Scanned 3 times since May 27, 2026, 11:33 AM UTC

⚠ Medium (40)

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Tumblr

Vendors

29/31

Status

partial

✓ emsisoft✓ virustotal✓ avast✓ drweb✓ eset✓ chainpatrol✓ sophos✓ isitphish✓ microsoft✓ bitdefender✓ polyswarm✓ brightcloud✗ norton✓ avg✗ threatyeti✓ kaspersky✓ netcraft✓ apple✓ apwg✓ openphish✓ yandex✓ urlquery✓ urlscan✓ spamhaus✓ phishreport✓ phishtank✓ cisa✓ urlabuse✓ mcafee✓ google✓ fortiguard

Registered-domain escalation suggested

Suggested now

Submit tumblr.com as the primary IOC, enriched with evidence from hostile subdomains like muniea.tumblr.com.

2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: muniea.tumblr.com, shooku.tumblr.com.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Tumblr

Unknown

technology | ecommerce | finance | social_media · 6/3/2026

Summary

The page presents Tumblr branding but is hosted on a Tumblr subdomain (muniea.tumblr.com) with a 403 response and evidence of dynamic credential-capable scripts. The HTML shows Turkish language and a controlled warning about not entering Tumblr credentials, plus multiple external scripts and an observed POST to /__challenge, suggesting an attempted credential capture flow via SPA content loaded from third-party endpoints. Visual evidence from the screenshot shows Tumblr branding rather than a legitimate impersonation of another brand; however, the combination of an on-page warning, external assets, and a POST to a challenge endpoint indicates a credential harvesting attempt rather than a legitimate Tumblr page. Overall, evidence supports potential credential phishing activity targeting users, albeit under the Tumblr domain, with cloaking indicators and SPA-based rendering that could capture credentials via dynamic forms. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Fake brand phishing only works with Turkish IP and scamming users Analyst note: this target may cloak content or block scanners.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://muniea.tumblr.com/__challenge.

▸Distinctive asset clues: tumblelog_post_message_queue.js, index.build.js, index.build.css, stylesheet.css, g.gif, impixu.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 34

Hosts: 9

Domains: 5

Attack Techniques (3)

Analyst-identified phishing kitSingle-Page Application (SPA) rendering of credential forms via JavaScript bundlesUse of external ad/analytics scripts and iframes to obscure credential collection

Indicators of Compromise (1)

▸Turkish language in page hints and a warning about not entering Tumblr password (credential harvesting feint)

Risk AssessmentUsed in abuse reports

The scan shows clear signals of credential harvesting potential on a Tumblr-hosted page (muniea.tumblr.com) with a POST to /__challenge and SPA-style script loading, plus Turkish language context suggesting targeted scam. Although the brand presented is Tumblr, the combination of dynamic credential capture risk, external, non-Tumblr script sources, and the 403 status implies suspicious behavior intended to deceive users into revealing credentials. The page appears to be cloaking and evasive, leveraging legitimate Tumblr infrastructure to host a phishing flow. Recommend elevated scrutiny and containment actions as appropriate for abuse reporting. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Fake brand phishing only works with Turkish IP and scamming users Analyst note: this target may cloak content or block scanners.). Because analyst context identifies an active phishing or fraud kit, domain suspension is recommended rather than passive monitoring.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence