0/100

critical Risk

official.wpp-workforceresource.com

https://official.wpp-workforceresource.com

104.21.47.15 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

6 days ⚠

HTTP

200 · 32.1s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Screenshot of official.wpp-workforceresource.com

Zoom

Title: "WPP Careers | Explore Job Opportunities & Work With Us | About Instagram"

Save

Registered-domain escalation

Submit wpp-workforceresource.com as the primary IOC, enriched with evidence from hostile subdomains like official.wpp-workforceresource.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Scanner blocked by cloudflare

This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.

Instagram ( impersonation signals )

Unknown

finance | technology | ecommerce | telecommunications | other · 6/3/2026

Summary

The page presents WPP Careers content but the page title references Instagram, and domain intelligence signals impersonation of the Instagram brand. The hostname official.wpp-workforceresource.com is not the official Instagram domain, suggesting potential brand impersonation. The page loads multiple third-party analytics endpoints and off-domain resources, with a new domain age (6 days) and extensive external scripts, which increases risk but does not conclusively prove credential phishing on this host. The WAF block context indicates scanner blocking during analysis, further complicating definitive assessment from the page content alone.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Off-domain submission or API endpoints observed: https://plausible.io/api/event, https://wpp.careersitecloud.com/module-swd8x8muywy?option_mode=skip&module_id=qs&module=search_job&module_tpl=v2_search_job_form&option_form_url=%2fsearch&type=module.

▸Distinctive asset clues: js, jquery-2.1.4.min.js, all.min.css, css-min-style.css, WPP-logo.svg, wpp_career-explorer.jpg.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 2

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 99

Hosts: 16

Domains: 12

Suspicious Endpoints

hxxps://plausible[.]io/api/event

hxxps://official[.]wpp-workforceresource[.]com/

hxxps://wpp[.]careersitecloud[.]com/module-swd8x8muywy?option_mode=skip&module_id=qs&module=search_job&module_tpl=v2_search_job_form&option_form_url=%2fsearch&type=module

Off-Domain Posts

hxxps://plausible[.]io/api/event

hxxps://wpp[.]careersitecloud[.]com/module-swd8x8muywy?option_mode=skip&module_id=qs&module=search_job&module_tpl=v2_search_job_form&option_form_url=%2fsearch&type=module

Attack Techniques (1)

Brand impersonation signals in page title (Instagram reference) on a non-official domain

Indicators of Compromise (1)

▸Page title includes 'Instagram' (impersonation signal)

Risk AssessmentUsed in abuse reports

The domain is very new and uses Instagram branding in the page title, which strongly suggests impersonation. The host is not the official Instagram domain, and the content appears to clone or resemble a corporate careers site with embedded analytics and off-domain endpoints. However, the actual credential collection events are not evident in the static HTML (no login form with password field). The presence of off-brand signals and WAF-blocked scan increases concern for abuse. Recommend treating as primary impersonation risk with high potential for credential phishing if victims are prompted to login on the page; continue monitoring and consider takedown actions if corroborated by abuse teams.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence