AI-powered phishing detection. Open threat database.
Norn Labs builds tools to catch phishing pages that blocklists miss. Muninn is a Chrome extension that scans pages in real time using AI. Yggdrasil is the open database of reported phishing URLs that anyone can search and contribute to.
Muninn (Chrome extension)
- • Scans every page you visit automatically.
- • AI catches threats not on any blocklist yet.
- • Warns you before you enter passwords or payment info.
Yggdrasil (open database)
- • Look up any URL to see if it's been reported.
- • Submit suspicious links for AI analysis and review.
- • URLs clearly labeled: phishing / clean / pending.
Free during beta. Create an account to unlock all features.
Is this link safe?
Paste a URL to check it against the Yggdrasil database.
Not in the database? That doesn't mean it's safe, just that nobody has reported it yet. Create a free account to submit URLs for AI analysis and review.
See Muninn in action
This phishing page wasn't flagged by Chrome. Muninn caught it.
Recent entries in Yggdrasil
Open full view| URL | Status | Submitted |
|---|---|---|
| https://verticeuniaocred.s3.us-east-005.backblazeb2.com/aumento.html Entity: Nubank | The page is hosted on a generic cloud storage domain (backblazeb2.com) rather than an official Nubank domain.; The content uses Nubank branding and a 'credit increase' lure to entice users, which is a common phishing tactic to steal financial credentials. | Phishing | 2/25/2026, 8:41:06 PM |
| https://1drvsthebluebookd0c20260225966a58bd117272.s3.us-east-1.amazonaws.com/scanned-pdf-file2026022588/doc220283564645420260223 The URL is hosted on an Amazon S3 bucket with a suspicious name ('1drvs...') designed to impersonate OneDrive or other legitimate document services.; The page uses a generic 'Secure Document Access' template to solicit email addresses, a common pattern for credential harvesting and phishing attacks. | Phishing | 2/25/2026, 8:40:54 PM |
| https://docs.google.com/forms/d/e/1FAIpQLSccGxH8-KLt165_zHEaBfm8riSFozXky3WP_R_n0s1HcvupUA/viewform The form uses a public Google Forms URL to collect sensitive credit card-related information, which is a common phishing tactic to harvest financial data.; Legitimate businesses and financial institutions never use free, unbranded document-sharing tools like Google Forms to process or collect credit card details due to security and compliance standards. | Phishing | 2/25/2026, 8:37:32 PM |
| https://tinyurl.com/35xjnuf9 Entity: Telstra | The site is hosted on a prototyping platform (framer.app) instead of an official Telstra domain, which is a common phishing tactic.; The use of a URL shortener (tinyurl.com) to reach a sensitive login page is highly suspicious and indicative of a phishing attempt. | Phishing | 2/25/2026, 8:23:10 PM |
| https://cultural-account-972143.framer.app Entity: Telstra | The site is hosted on a prototyping platform (framer.app) instead of an official Telstra domain, which is a common phishing tactic.; The use of a URL shortener (tinyurl.com) to reach a sensitive login page is highly suspicious and indicative of a phishing attempt. | Phishing | 2/25/2026, 8:23:10 PM |
| https://amazon-clone-orcin-ten.vercel.app Entity: Amazon | The URL explicitly mentions an 'amazon-clone' on a free hosting platform (vercel.app), which is a major indicator of phishing or unauthorized brand impersonation.; The page displays an active security warning from a safety service stating the site has been flagged for potentially stealing sensitive information. | Phishing | 2/25/2026, 8:22:59 PM |
| https://power-spark-crow.vercel.app Entity: Phantom | The website uses the Phantom cryptocurrency wallet's logo and branding but is hosted on a generic 'vercel.app' subdomain rather than the official 'phantom.app' domain.; The combination of a free hosting platform and a loading screen mimicking a wallet connection is a common pattern for phishing attacks designed to steal private keys or recovery phrases. | Phishing | 2/25/2026, 8:22:49 PM |
| https://vertosofts.com/OuTl-PrEvIeW-I3qsWffpJqFjH5GzbGq3VHPrmBDuMGoECxSRYWRvTzJtLj3mrnzCrCWCTFWGQI-bwiz59SbQlf6iyrQ4V2CGg9ZlNwoWMwfVt7PwtAQ0qUl1G9_kmhp5EKyY7KGcg-sJ7mE1T0_08VwjFbCPxJiC7O8_4Tqh30i0h7U7npUM3HWXYyBznSca41PhpOOZ/OqaHhc4C5NQ1 | Phishing | 2/25/2026, 7:46:07 PM |
| https://document.vertosofts.com/EhT4-SpReAdShEeT-TxTUHlx9I40Pf_Sk954aBAG-GfgrXYnOZ9_ZMzcTv61bsuL78pFYsFeD0l0AH-AO0aM8ZSzWdI0yAA6IpxGRn3lWSFNHoVUM3QRVtNv3AIeybZw2cc41so8NOOfJpGCYTswQuTguLyxq6Ptn2nD_InbB50nbxaa33C94fn4RpMyxDOTOst8a3nZdegD0m0d/ruAHY4izwKBO | Phishing | 2/25/2026, 7:42:01 PM |
| https://creeeewwjapussssss.s3.us-east-1.amazonaws.com/SharedPdf.html The website is hosted on a public cloud storage platform (AWS S3) with a nonsensical bucket name, which is a common tactic for hosting temporary phishing pages.; The page uses a generic 'Secure Document Access' template to solicit email addresses, a classic social engineering technique for credential harvesting or email validation. | Phishing | 2/25/2026, 6:57:00 PM |
The Muninn extension checks against Yggdrasil plus AI analysis that can catch threats not in the database yet. Submitting URLs requires logging in.