context safety score
A score of 52/100 indicates minor risk signals were detected. The entity may be legitimate but has characteristics that warrant attention.
credential harvesting
Login form collects account/username, password, CAPTCHA code, phone number, SMS verification code, and hidden user_id/mobile fields. Credentials are submitted via AJAX POST to /api/do-login and /login/phoneLogin on an opaque short-domain (e.3yit.com) with no clear organizational identity. The 19 credential form fields flagged by Tier 2 analysis are confirmed across two login form variants (input-check and phone-check). (location: page.html:196-332, /api/do-login endpoint, /login/phoneLogin endpoint)
phishing
The site presents as '智慧云信' (Zhihui Yunxin / Smart Cloud Messaging) — a Chinese SMS/messaging platform — hosted on an opaque short domain e.3yit.com with no visible branding connection to the ICP registration '蒙ICP备2024008196号-3'. The domain uses a 3-character random-looking subdomain pattern typical of phishing infrastructure. A hidden div (#shansuma-info) references a separate brand '闪速码' (Shansuma) and redirects users to http://sms.shansuma.com, suggesting this page may be impersonating or aggregating multiple SMS platform brands. (location: page.html:9, 189, 251, 341)
brand impersonation
The HTML contains a hidden section (#shansuma-info, display:none) promoting '闪速码' (Shansuma) brand, describing a platform migration and linking to http://sms.shansuma.com. This hidden brand content is distinct from the visible '智慧云信' branding, suggesting the page may be used to impersonate or redirect users between two different SMS platform brands, potentially harvesting credentials intended for one platform on behalf of another. (location: page.html:248-252, div#shansuma-info)
hidden content
A div with id='shansuma-info' is set to display:none and contains promotional messaging for the '闪速码' brand and a link to http://sms.shansuma.com. This hidden content is not visible to users but may be revealed programmatically. Additionally, the page contains a large HTML comment block (lines 841-1382) embedding a complete alternate version of the login page with different branding ('WOLIAN' / '智慧云信平台管理系统'), representing a second hidden login form variant inside commented-out code. (location: page.html:248-252 (hidden div), page.html:841-1382 (HTML comment block))
malicious redirect
The hidden #shansuma-info div contains a link to http://sms.shansuma.com (plain HTTP, not HTTPS), directing users to an off-domain site. On successful login, both form handlers redirect to window.location.href='/' without validation. The iframe-escape code (top.location = self.location) forces top-level navigation. Five JS redirect patterns were flagged in Tier 2 analysis, all confirmed as iframe-break and post-login redirects rather than malicious exfiltration, except the off-domain HTTP link to sms.shansuma.com. (location: page.html:251 (http://sms.shansuma.com), page.html:477-479, page.html:775-779)
social engineering
The hidden #shansuma-info div (not normally visible to users) contains messaging claiming a platform migration since June 22, 2024, urging users to use a 'new platform' with enhanced features. This social engineering message could be revealed to specific users or user-agents to redirect them to sms.shansuma.com, potentially harvesting credentials under the guise of a platform upgrade notification. (location: page.html:248-252, div#shansuma-info)
hidden content
A third-party analytics/tracking script from https://static.ahc.ink/hecong.js is dynamically injected with channel ID '7fyW8Z', alongside Baidu analytics (hm.baidu.com). The ahc.ink domain ('_AIHECONG') is an unrecognized third-party tracker being loaded asynchronously. This represents undisclosed user tracking by an opaque third-party service. (location: page.html:830, page-text.txt:568)
curl https://api.brin.sh/domain/e.3yit.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
e.3yit.com currently scores 52/100 with a caution verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.