https://www-airwallex.mainst.biz/?utm_source=google&utm_medium=cpc&utm_campaign=24011657401&utm_content=201215669227_815770802391&utm_term=airwallex&gclid=CjwKCAjwpK3SBhASEiwAtV1SPP68kqta3CbezLVeblWVYfhkMQzZxuEa_BvH_xzNqe0nf8ucDN2_6BoCG_8QAvD_BwE&gad_source=1&gad_campaignid=24011657401&gbraid=0AAAAAD7G9KiIEDYT6Lzu9Tz_UgvkiD-E6&gclid=CjwKCAjwpK3SBhASEiwAtV1SPP68kqta3CbezLVeblWVYfhkMQzZxuEa_BvH_xzNqe0nf8ucDN2_6BoCG_8QAvD_BwE
104.21.9.96 · Cloudflare, Inc.
Toronto, Canada
8992 days
200 · 60.0s
Valid· WE1, Google Trust Services, US
COMPLETED

Title: "Airwallex: Open a Business Account In Minutes for Global Businesses"
Registered-domain escalation
Submit mainst.biz as the primary IOC, enriched with evidence from hostile subdomains like www-airwallex.mainst.biz.
No KB/IOK detections were recorded for this scan.
Scanner blocked by cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
finance | technology · 7/19/2026
The page is branded as Airwallex but is hosted on a suspicious subdomain (www-airwallex.mainst.biz) with a Cloudflare IP and a layout that resembles Airwallex. Static HTML shows no forms, but the page loads numerous scripts and an iframe pointing to a separate domain (web.sakshiinfoway.com) which hosts additional assets, suggesting obfuscated credential collection via a SPA. The presence of an iframe and external script sources, plus a suspicious hosting domain, indicates potential credential harvesting or phishing through a cloaked first-party brand facade, though the page could also be a legitimate marketing page obfuscated by a compromised or malicious host.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 206
Hosts: 4
Domains: 4
The scan indicates the page is attempting to proxy Airwallex branding from a non-official domain (mainst.biz subdomain) and loads an iframe to an external domain, which is a strong signal of impersonation/phishing setup. The absence of static forms but presence of dynamic script loads and an iframe suggests credential collection in a SPA environment. The page is hosted under a domain not affiliated with Airwallex, and there is evidence of anti-bot/anti-scraping mechanisms (challenge platform interactions) and a WAF block scenario, which is typical for sites attempting to evade scans while targeting victims. Given these indicators, this website should be treated as phishing/impersonation with potential credential harvesting, and the hosting domain appears malicious or suspicious.
Monitor