context safety score
A score of 31/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
js obfuscation
JavaScript contains heavy hex-escape encoding typical of obfuscation
brand impersonation
The domain spotify.net is hosting an Okta-powered login page styled to impersonate Spotify (title: 'Spotify - Prod - Sign In', app logo alt text 'spotify.net', message 'Sign in with your account to access spotify.net'). spotify.net is not an official Spotify domain; Spotify's legitimate domain is spotify.com. This page clones Spotify's SSO login experience to deceive users into submitting credentials. (location: page.html:24, page.html:119, page.html:121 — <title>Spotify - Prod - Sign In</title> and 'Sign in with your account to access spotify.net')
phishing
The page at spotify.net presents a full credential-capture login interface (Okta Sign-In Widget) branded as Spotify's production SSO portal. Users believing they are authenticating to Spotify are instead submitting credentials to a third-party domain (spotify.net), a classic phishing pattern. (location: page.html:24 — title 'Spotify - Prod - Sign In'; page.html:108 — hidden form posting to /login/cert with SAML fromURI for 'spotifyprod_spotifynet_1')
credential harvesting
An Okta Sign-In Widget is embedded on spotify.net with a hidden form POSTing to '/login/cert' with a SAML assertion target ('spotifyprod_spotifynet_1'). The page captures username/password credentials under the guise of Spotify authentication and forwards them via SAML to an Okta org (orgId: 00owh7l1hDPHLDP7X1t6) not affiliated with official Spotify infrastructure. (location: page.html:107-109 — <form action='/login/cert' method='post' id='x509_login'>; page.html:28 — okta-signin-widget loaded)
social engineering
The page uses authoritative Spotify branding language ('Connecting to', 'Sign in with your account to access spotify.net') and displays a Spotify logo image to create false legitimacy. The 'Powered by Okta' footer lends additional credibility, increasing the likelihood that victims will trust and complete the login form. (location: page.html:116-122 — applogin-banner with 'Connecting to' and 'Sign in with your account to access spotify.net')
hidden content
A hidden form element with id='x509_login' and class='hide' contains an encoded fromURI value ('/app/spotifyprod_spotifynet_1/exk6vfwgijPqP7VZg1t7/sso/saml') that is not visible to the user but controls post-authentication SAML redirect behavior, obscuring where credentials and session tokens are forwarded. (location: page.html:107-109 — <form action='/login/cert' method='post' id='x509_login' class='hide'>)
obfuscated code
JavaScript variables 'stateToken' and 'modelDataBag' contain large base64/JWE-encoded blobs with hex-escaped characters (\x2D, \x7B, \x22, etc.). The modelDataBag encodes the full state token JSON with hex escaping to obscure its contents from casual inspection. This obfuscation hides session state and potentially sensitive parameters being passed to the Okta rendering engine. (location: page.html:218-224 — var stateToken and var modelDataBag with \x-encoded content)
curl https://api.brin.sh/domain/spotify.netCommon questions teams ask before deciding whether to use this domain in agent workflows.
spotify.net currently scores 31/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.