http://Milano.Docselection.com
23.227.38.74 · Shopify, Inc.
Ottawa, Canada
471 days
200 · 42.2s
Valid· E8, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit docselection.com as the primary IOC, enriched with evidence from hostile subdomains like milano.docselection.com.
No KB/IOK detections were recorded for this scan.
Scanner blocked by hcaptcha
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
ecommerce | technology · 7/19/2026
The page presents Milano branding under milano.docselection.com, a Shopify-hosted storefront. The domain is not the official domain of a well-known Milano brand, and the page appears to load extensively from Shopify resources and off-domain submission endpoints. However, due to scanner-block evidence and mixed signals (off-domain API endpoints, multiple POSTs to analytics endpoints, and a WAF block page during scanning), a definitive credential-phishing impersonation claim cannot be made from the captured content alone. The evidence suggests potential first-party e-commerce activity with suspicious external callback endpoints, but impersonation of a known brand is not clearly established from the visible signals.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 2
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 189
Hosts: 5
Domains: 4
Suspicious Endpoints
hxxps://milano[.]docselection[.]com/api/collect
hxxps://milano[.]docselection[.]com/api/event/collect
hxxps://milano[.]docselection[.]com/search
hxxps://milano[.]docselection[.]com/cart
hxxps://monorail-edge[.]shopifysvc[.]com/v1/produce
Off-Domain Posts
hxxps://monorail-edge[.]shopifysvc[.]com/v1/produce
No specific IOCs identified in source
The scan shows signs of potential data collection and analytics telemetry associated with a Shopify storefront, including off-domain endpoints and a WAF-block page during scanning. The presence of hidden inputs and iframe usage raises concerns about possible credential or data exfiltration mechanisms, though no direct credential harvesting form was observed in static HTML. The site did not present a clear login form or password field, and while POSTs to analytics endpoints are common for e-commerce, the off-domain submission pattern warrants caution. Scanner-block evidence indicates anti-scan measures (hcaptcha), which itself is a risk signal that the operator is actively evading automated detection. Overall, actionable phishing impersonation evidence is inconclusive; the domain appears to be an e-commerce storefront with suspicious telemetry behavior and possible abuse signals.
Monitor