0/100

medium Risk

pilercode.com

https://pilercode.com/

172.67.219.250 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

4 days ⚠

HTTP

403 · 32.2s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Suspected Phishing | Cloudflare"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

ATO

Vendors

27/31

Status

partial

✓ yandex✓ eset✓ microsoft✓ polyswarm✗ threatyeti✗ chainpatrol✗ bitdefender✗ norton✓ spamhaus✓ urlquery✓ netcraft✓ urlscan✓ apple✓ sophos✓ apwg✓ phishreport✓ phishtank✓ cisa✓ isitphish✓ openphish✓ virustotal✓ brightcloud✓ avg✓ mcafee✓ emsisoft✓ drweb✓ avast✓ urlabuse✓ kaspersky✓ google✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Scanner blocked by cloudflare

This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.

ATO

Unknown

technology | finance | ecommerce | other · 6/3/2026

Summary

The scan targets ATO, a very new domain (4 days old) behind Cloudflare. The page analyzed appears to be a Cloudflare block page rather than the actual target content, indicating scanner blockage. Evidence shows a suspicious setup: a 403 response, a new domain, and references to phish-bypass endpoints and Turnstile reCAPTCHA integration, suggesting an attempt to bypass defenses; however, due to the scanner block, no definitive phishing page content was retrieved from the domain itself. The combination of a new domain and anti-scanner behavior warrants caution and monitoring rather than definitive phishing confirmation from the captured content.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/2146660297:1780070423:1HL1IgqMznD6Ds4kwLGOE4kSTGrzPY7xN1qfq0a37y4/a036f3349f68da06/Hv928H.IeCADzIk0HgDoxA..TU7bGgzk28chcx5f5ug-1780072922-1.2.1.1-YJBz9N_5ah0pUVQ1L3VozDKeP41tMv5.5fNwVjLF6hO9LuNkSMWND8TwpvJyprwb.

▸Distinctive asset clues: api.js, cf.errors.css, icon-exclamation.png, 1.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 12

Hosts: 2

Domains: 2

Suspicious Endpoints

hxxps://pilercode[.]com/cdn-cgi/phish-bypass

Attack Techniques (1)

phish-bypass endpoint indicators

Indicators of Compromise (1)

▸Form with action /cdn-cgi/phish-bypass in static HTML (on block page, not actual content)

Risk AssessmentUsed in abuse reports

The domain ATO is very new and is currently presenting a Cloudflare block page, indicating the site operator actively evades automated scanners. The presence of phish-bypass endpoints and Turnstile integration alongside a 403 response and scanner-block context constitutes suspicious activity. However, due to the block page content, there is no conclusive evidence within this scan that the site is actively hosting phishing content for victims. The combination of a new domain, anti-scan behavior, and configurable phish-bypass indicators warrants heightened monitoring and potential follow-up with domain intelligence and hosting provider checks.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence