ms25h22-update.pro

https://ms25h22-update.pro/?utm_term=wn_ts3&utm_medium=paid&utm_source=fb&utm_id=120248158982650779&utm_content=120248159047570779&utm_campaign=120248158982650779

45.249.90.182 · Evoxtenterprise LA

Location

Los Angeles, United States

Domain Age

10 days

HTTP

200 · 61.7s

SSL

Valid· R13, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Download Windows 11 Pro"

Save

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (1)Mar 5, 2026, 02:15 AM UTC

windows-11-installation-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Microsoft (Windows 11 Pro Installation Assistant page)

Credential Phishing

technology | software_distribution | ecommerce | finance | other · 4/5/2026

Summary

The page at ms25h22-update.pro presents a Windows 11 Pro installation assistant with a page title and UI closely mirroring Microsoft's Windows 11 download experience. The domain is newly registered (10 days) and not owned by Microsoft, yet the page visually imitates Microsoft branding and uses multiple Microsoft assets in the page (fonts, logo references, and external scripts). This is a typosquat/cloned Microsoft Windows 11 download flow designed to harvest credentials or other user data by mimicking the official site. The page explicitly mimics Microsoft content while hosting on a suspicious, unrelated domain.

Attack Techniques (5)

Typosquat/brand impersonation: domain ms25h22-update.pro impersonates Microsoft Windows 11 download pageCloned SPA-style UI: 0 static forms but heavy JavaScript delivery implying dynamic credential captureBrand asset loading: external Microsoft-related scripts and assets loaded from non-official domain pathsCredential capture via dynamic forms: SPA rendered login/credential fields likely injected by JavaScript bundlesWidespread tracking/analytics: multiple third-party analytics and OneCollector endpoints observed

Indicators of Compromise (7)

▸Domain: ms25h22-update.pro (recently registered, 10 days old)

▸Page title: Download Windows 11 Pro (matches Microsoft product) but on a non-Microsoft domain

▸Iframes and external scripts referencing microsoft domains (vlscppe.microsoft.com, fpt.microsoft.com, ms.monitor, ov-df.microsoft.com, etc.)

▸Static HTML contains 0 forms; SPA likely renders credential capture via loaded JS bundles

▸SSL: Let's Encrypt certificate valid Feb–May 2026; new cert on a new domain

▸Network requests to Microsoft tracking endpoints and analytics (OneCollector) from non-official host

▸Visual branding in screenshot mirrors Microsoft Windows 11 design

Risk AssessmentUsed in abuse reports

High risk; this is a clear impersonation of a Microsoft Windows 11 download page hosted on a newly registered domain. The page uses Microsoft branding cues and loads Microsoft assets and analytics scripts to appear legitimate, while the domain ms25h22-update.pro is not owned by Microsoft. The SPA-style implementation and absence of static forms suggest client-side credential collection via JavaScript bundles. This domain age (10 days) and the heavy external script load increase the likelihood of credential harvesting or malware distribution. The combination of brand impersonation, legitimate-looking UI, and WAF-likely evasion signals indicates a high threat to users attempting to download Windows 11 from this page.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence