context safety score
A score of 36/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
hidden instruction
high hidden content ratio detected in DOM
encoded payload
suspicious base64-like blobs detected in page content
brand impersonation
The domain halifax-online.co.uk is impersonating Halifax Bank (a UK financial institution). The page renders a full Halifax Commercial Banking UI including the Halifax logo (embedded as base64 SVG/PNG), Halifax-branded CSS classes (csl-header, lloydsBankJack fonts referencing Lloyds Banking Group), 'Safe & Secure Internet Banking guarantee' branding, and footer links pointing to www.halifax.co.uk. The domain is not halifax.co.uk or halifax-online.co.uk under Lloyds Banking Group ownership — it is a lookalike domain designed to pass as the authentic Halifax online banking portal. (location: https://halifax-online.co.uk — page title, header logo, footer links, CSS font references (lloydsBankJackLight, lloydsBankJackMedium))
phishing
The site presents a convincing Halifax Commercial Banking error page ('Something went wrong') on a non-Halifax domain (halifax-online.co.uk). This is a classic phishing tactic: mimic a bank's authenticated session error page to capture credentials or redirect users. The error page displays a realistic AkamaiGhost-style error reference (AK_REF, Error 1007 ID: 18.44b01302.1772639873.19fed67e) to appear legitimate. Users searching for Halifax online banking or redirected here would believe they are on the real Halifax site. (location: https://halifax-online.co.uk — <title> tag ('Halifax Commercial Banking: Something went wrong'), main content error card, AK_REF error ID in page body)
social engineering
The page instructs users to call '0345 602 0000', presented as a Halifax customer service number. On a fraudulent domain, this phone number could be a vishing (voice phishing) number operated by attackers. Presenting a seemingly legitimate phone number on a spoofed bank page is a social engineering technique to harvest sensitive information over the phone. The urgency framing ('unable to process your request') pressures users to call. (location: page.html line 2332 — <strong class='csl-strong'> 0345 602 0000 </strong> and page-text.txt line 21)
malicious redirect
Footer links on this non-Halifax domain point to www.halifax.co.uk (sitemap, cookies, accessibility, legal information). This creates a false sense of legitimacy by associating the phishing domain with the real Halifax domain. However, the primary page content is served from the fraudulent domain. The combination of a fake domain with outbound links to the real bank is a standard phishing-kit technique designed to evade detection and reassure victims. (location: page.html lines 2346-2356 — footer anchor tags href='https://www.halifax.co.uk/sitemap.asp', 'https://www.halifax.co.uk/securityandprivacy/cookies/', etc.)
hidden content
The Halifax and Lloyds Banking Group logos are entirely embedded as large base64-encoded data URIs (data:image/vnd.microsoft.icon;base64 and data:image/png;base64) directly in the HTML rather than loaded from external URLs. This technique avoids external network requests that could reveal the fraudulent hosting infrastructure, making it harder for security scanners to detect resource loading from non-Halifax servers. All brand assets are self-contained to evade URL-based detection. (location: page.html lines 8 (favicon base64), 12-13 (logo background-image base64 PNG in CSS), 2310 (.csl-header__logo div))
curl https://api.brin.sh/domain/halifax-online.co.ukCommon questions teams ask before deciding whether to use this domain in agent workflows.
halifax-online.co.uk currently scores 36/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.