context safety score
A score of 38/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
brand impersonation
Domain zohocloud.ca impersonates Zoho Corporation (zoho.com) by incorporating the brand name 'Zoho' in a .ca TLD domain. The page serves content mirroring the official Zoho homepage including identical title, description, og:tags, and structured data, while the canonical URL and og:url both point to https://www.zoho.com/, indicating the site is masquerading as or proxying the official Zoho brand from a non-official domain. (location: domain: zohocloud.ca; metadata canonical href=https://www.zoho.com/; og:url=https://www.zoho.com/)
malicious redirect
The page sets canonical and og:url to https://www.zoho.com/ while being served from zohocloud.ca. All static assets (scripts, images, fonts) are loaded from zohowebstatic.com and zohocdn.com — official Zoho CDN domains. This pattern is consistent with a transparent reverse-proxy or cloaking setup where the fake domain proxies the real Zoho site, potentially to intercept credentials or session tokens entered by users who believe they are on the legitimate Zoho platform. (location: page.html line 1: canonical href=https://www.zoho.com/; scripts from //www.zohowebstatic.com)
credential harvesting
zohocloud.ca appears to fully proxy or mirror the official Zoho login and product pages. Users navigating to this domain and signing into any Zoho product would submit credentials to an attacker-controlled domain (zohocloud.ca) rather than the legitimate zoho.com. The seamless mirroring of branding, content, and CDN assets makes this highly convincing and difficult to detect without inspecting the URL bar. (location: domain: zohocloud.ca; page content mirrors zoho.com login and product suite)
phishing
The site at zohocloud.ca presents itself as the official Zoho Cloud Software Suite homepage, replicating Zoho branding, product listings, testimonials, and calls-to-action such as 'Get Started For Free'. This is a classic phishing setup targeting Zoho's 130M+ user base by luring users to a lookalike domain to steal credentials or session data. (location: page-text.txt line 1: 'Your life's work, powered by our life's work'; page.html title='Zoho | Cloud Software Suite for Businesses')
curl https://api.brin.sh/domain/zohocloud.caCommon questions teams ask before deciding whether to use this domain in agent workflows.
zohocloud.ca currently scores 38/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.