URL Analysis

Systematically analyze suspicious URLs to identify phishing attempts, brand impersonation, and malicious infrastructure. Essential for evaluating links reported by users or detected in email security alerts.

⚡ Takes ~2–3 minutes 📊 Output: Summary + IOCs 🔒 No login required

No setup needed — just paste and run

  • Suspicious URL reported by user
  • Phishing link detected in email
  • Unknown domain in proxy logs

Step 1: URL Structure Analysis

You are a SOC analyst investigating a potentially malicious URL. Assume an enterprise environment unless I specify otherwise. Analyze the URL structure below. Identify:

1. Registrable (base) domain, subdomain, and TLD: are any suspicious? Keep the distinction clear: in login-microsoft-secure.com the word "login" is part of the attacker-registered domain, not a subdomain.
2. URL path: does it contain phishing keywords? (login, verify, secure, account, update, confirm)
3. Query parameters: are any encoded, obfuscated, or redirecting to another URL?
4. Brand impersonation: does any part of the URL mimic a legitimate company?
5. URL length and complexity: unusually long URLs with random strings are a phishing indicator

Present findings as a structured table:

| Component | Value | Suspicious? | Reason |

URL: [PASTE URL HERE]

Step 2: Domain Intelligence

Evaluate the domain from a threat intelligence perspective. Analyze:

1. Does the domain use a suspicious TLD? (.top .xyz .click .tk .pw .cc are frequently abused and should be treated as high risk)
2. Does the domain resemble a legitimate brand through typosquatting, combosquatting, or a homograph attack? (Examples: paypa1.com, arnazon.com, microsoft-login.com, micosoft.com. Homographs use Unicode lookalike letters and show up in DNS and proxy logs in xn-- punycode form.)
3. Is the domain likely newly registered? (Short random strings, no established presence)
4. Is it hosted on infrastructure commonly used for phishing? (Free hosting, bulletproof hosting, compromised legitimate sites)
5. Does the domain appear randomly generated?

Output:
Domain Risk Level: Low / Medium / High
Confidence: High / Medium / Low
Key Risk Factors: [list]

Note: If you cannot verify domain age or hosting in real time, say so and recommend checking:
- VirusTotal (virustotal.com)
- URLScan.io
- Whois lookup
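The lookalike checks in point 2 can be scripted so the analyst is not relying on eyeballing the domain. The following is an added example written for this page, not tooling from the page's author: it classifies a registrable domain as a typosquat (micosoft), a confusable lookalike (paypa1, arnazon), a combosquat (microsoft-login) or an IDN homograph (Cyrillic letters, seen as xn-- punycode in logs), and also flags abused TLDs and random-looking labels. The brand list, the confusable table, the risky-TLD set and the edit-distance thresholds are constructed assumptions, not a threat-intel feed or the public-suffix list; the sample domains are constructed as well.

```python
"""Lookalike-domain check for step 2 (added example; not the page's own tooling)."""

# Constructed subsets: a real deployment would load the brands it protects and
# allowlist the legitimate domains those brands actually own.
BRANDS = ["microsoft", "outlook", "paypal", "amazon", "apple", "google"]
RISKY_TLDS = {"top", "xyz", "click", "tk", "pw", "cc"}
# Glyph sequences that render like another ASCII letter (subset; assumption).
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0501": "d",
}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_punycode(domain):
    """How a Unicode domain appears in DNS, proxy and mail logs (xn-- form)."""
    return domain.encode("idna").decode("ascii")


def decode_label(label):
    """Turn an xn-- label back into the Unicode the victim sees; leave others alone."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def fold_confusables(label):
    """Replace lookalike glyphs with the ASCII they imitate (rn -> m, 1 -> l, Cyrillic a -> a)."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def check_domain(domain):
    """Return {'label', 'tld', 'findings': [(kind, detail)], 'risk'} for a domain."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    raw = labels[-2] if len(labels) > 1 else labels[0]  # second-level label (no PSL lookup)
    shown = decode_label(raw)          # what renders in the address bar
    folded = fold_confusables(shown)   # what the eye reads it as
    findings = []

    if any(ord(c) > 127 for c in shown):
        findings.append(("homograph", f"non-ASCII letters in {shown!r} (logged as {raw})"))
    for brand in BRANDS:
        if shown == brand:
            continue
        if folded == brand:
            findings.append(("lookalike", f"{shown!r} reads as {brand}"))
        elif brand in shown:
            findings.append(("combosquat", f"{brand} embedded in {shown!r}"))
        elif levenshtein(folded, brand) <= (2 if len(brand) >= 8 else 1):
            findings.append(("typosquat", f"{shown!r} is an edit away from {brand}"))
    if tld in RISKY_TLDS:
        findings.append(("risky-tld", f".{tld} is frequently abused"))
    vowels = sum(c in "aeiou" for c in shown)
    if len(shown) >= 10 and vowels / len(shown) < 0.2:
        findings.append(("random", f"{shown!r} looks machine-generated"))

    squat = {"homograph", "lookalike", "combosquat", "typosquat"}
    if any(kind in squat for kind, _ in findings):
        risk = "High"
    elif findings:
        risk = "Medium"
    else:
        risk = "Low"
    return {"label": shown, "tld": tld, "findings": findings, "risk": risk}


if __name__ == "__main__":
    # Constructed sample domains; the homograph is passed the way a log would show it.
    for d in ["paypa1.com", "arnazon.com", "micosoft.com", "microsoft-login.com",
              to_punycode("p\u0430ypal.com"), "xk7q2p9zmw.top", "microsoft.com"]:
        r = check_domain(d)
        print(f"{d:28} {r['risk']:6} {[k for k, _ in r['findings']]}")
```

The combosquat and edit-distance rules are deliberately noisy: a brand's own product domains (microsoftonline-style names) will trip them, so in practice the check runs behind an allowlist of domains the brand owns, and the edit-distance threshold is kept at 1 for short brand names because two edits on a six-letter word matches ordinary dictionary words.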

Step 3: Phishing Campaign Indicators

Based on Steps 1 and 2, evaluate whether this URL is part of a phishing campaign. First, analyze all available signals before producing findings. Look for:

- Login or credential harvesting indicators in the path
- Redirect chains or URL shortener abuse
- Brand impersonation combined with urgency keywords
- Subdomain abuse of legitimate services (e.g. malicious.github.io, evil.blob.core.windows.net)
- Phishing kit fingerprints in URL structure
- Base64 or hex encoded parameters hiding redirect destinations

For each indicator detected:
- State the specific evidence from the URL
- Explain why it is suspicious
- Rate confidence: High / Medium / Low

If no indicators are found, state explicitly: "No phishing indicators detected in URL structure alone. Recommend dynamic analysis before marking as benign."

Step 4: SOC Action Recommendation

Generate a final SOC verdict and response recommendation.

VERDICT: Malicious / Suspicious / Likely Benign
CONFIDENCE: High / Medium / Low

RISK FACTORS SUMMARY:
[Top 3 factors that influenced the verdict]

RECOMMENDED ACTIONS:

⚠️ Immediate (HIGH PRIORITY):
- [e.g. Block domain at web proxy and email gateway]
- [e.g. Search email logs for distribution of this URL]

Investigative:
- [e.g. Check proxy logs for users who clicked this link]
- [e.g. Submit to VirusTotal and URLScan.io]

User-Facing:
- [e.g. Notify affected users if clicks are confirmed]

IOCS

| IOC Type | Value | Context |
| Domain | login-microsoft-secure.com | Phishing domain |
| Full URL | [url] | Credential harvesting page |
| IP | [if resolvable] | Hosting infrastructure |

TICKET SUMMARY:
[2-3 sentence professional summary for case management]
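Steps 1, 3 and 4 are mechanical enough to script as a first pass before the prompt is run, so that the component table, the decoded redirect and a provisional verdict come from code rather than from the model's reading of the string. The following is an added example written for this page, not tooling from the page's author: it splits the URL into scheme, subdomain, registrable domain and TLD, scans host and path for the phishing keywords listed in Step 1, decodes Base64 (standard and URL-safe) and hex query values that hide a redirect target, checks for a brand name in the wrong place, flags long or random-looking paths, and rolls the findings into a Malicious / Suspicious / Likely Benign verdict. The brand list, keyword list, risky-TLD set, two-label public suffixes and the scoring weights are constructed assumptions, not a public-suffix or threat-intel lookup; the sample URLs are constructed too.

```python
"""URL structure triage for steps 1, 3 and 4 (added example; not the page's own tooling)."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed subsets (assumptions): a real deployment loads these from its own intel.
PHISHING_KEYWORDS = {"login", "signin", "verify", "secure", "account", "update", "confirm"}
BRANDS = {"microsoft", "outlook", "office", "paypal", "amazon", "apple", "google"}
RISKY_TLDS = {"top", "xyz", "click", "tk", "pw", "cc"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}  # tiny stand-in for the PSL
URL_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def split_host(host):
    """Return (subdomain, registrable_domain, tld) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    tld = ".".join(labels[-n:])
    if len(labels) <= n + 1:
        return "", ".".join(labels), tld
    return ".".join(labels[:-(n + 1)]), ".".join(labels[-(n + 1):]), tld


def query_pairs(query):
    """Split the query string without turning '+' into a space (keeps Base64 intact)."""
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            yield unquote(name), unquote(value)


def decode_hidden_url(value):
    """Decode a Base64 (standard/URL-safe) or hex query value; return the URL or None."""
    decoded = []
    padded = value + "=" * (-len(value) % 4)
    for fn in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded.append(fn(padded).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", value):
        try:
            decoded.append(bytes.fromhex(value).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass
    return next((t for t in decoded if URL_RE.match(t)), None)


def looks_random(path):
    """True if the path has a 20+ character alphanumeric run mixing letters and digits."""
    return any(re.search(r"[a-z]", run, re.I) and re.search(r"\d", run)
               for run in re.findall(r"[A-Za-z0-9]{20,}", path))


def analyze_url(url):
    """Return {'rows': [(component, value, suspicious, reason)], 'score', 'verdict', ...}."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    sub, reg, tld = split_host(host)
    sld = reg[: -(len(tld) + 1)] if reg.endswith("." + tld) else reg  # second-level label
    rows, score = [], 0

    rows.append(("Scheme", p.scheme, False, "HTTPS alone does not indicate legitimacy"))

    brand_in_sub = sorted(b for b in BRANDS if b in re.findall(r"[a-z]+", sub))
    brand_in_sld = sorted(b for b in BRANDS if b in sld and sld != b)
    if brand_in_sld:
        rows.append(("Registrable domain", reg, True, f"brand {brand_in_sld} inside a non-brand domain"))
        score += 3
    elif brand_in_sub:
        rows.append(("Subdomain", sub, True, f"brand {brand_in_sub} used as a subdomain of {reg}"))
        score += 3
    else:
        rows.append(("Registrable domain", reg, False, "no brand token found"))

    risky = tld in RISKY_TLDS
    rows.append(("TLD", tld, risky, "frequently abused TLD" if risky else "common TLD"))
    score += risky

    kw = sorted(PHISHING_KEYWORDS & set(re.findall(r"[a-z]+", host + " " + p.path.lower())))
    rows.append(("Keywords", ",".join(kw) or "-", bool(kw), "credential-harvesting vocabulary" if kw else "none"))
    score += min(len(kw), 2)

    hidden = None
    for name, value in query_pairs(p.query):
        target = decode_hidden_url(value)
        if target:
            hidden = target
            rows.append((f"Parameter: {name}", value, True, f"encoded redirect to {target}"))
            score += 2
        elif URL_RE.match(value):
            rows.append((f"Parameter: {name}", value, True, "redirect parameter carrying a URL"))
            score += 2

    noisy = len(url) > 100 or looks_random(p.path)
    rows.append(("Length/entropy", str(len(url)), noisy, "long URL or random token" if noisy else "normal"))
    score += noisy

    verdict = "Malicious" if score >= 4 else "Suspicious" if score >= 2 else "Likely Benign"
    return {"rows": rows, "score": score, "verdict": verdict,
            "hidden_redirect": hidden, "iocs": {"domain": reg, "url": url}}


if __name__ == "__main__":
    report = analyze_url("https://login-microsoft-secure.com/verify?id=72838&redirect=aHR0cHM6Ly9vdXRsb29rLmNvbQ==")
    for comp, val, sus, why in report["rows"]:
        print(f"| {comp} | {val} | {'Yes' if sus else 'No'} | {why} |")
    print("VERDICT:", report["verdict"], "(score", report["score"], ")")
```

The query string is split by hand rather than with parse_qsl because the latter decodes '+' as a space, which corrupts standard Base64 before it can be decoded. The score weights are a starting point, not a calibrated model: brand-in-domain and a hidden redirect dominate because they are rarely innocent, while keywords and TLD alone only push a URL into Suspicious, which is where the dynamic analysis recommended in Step 3 belongs.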

Example Output

Here's what you can expect after completing this workflow:

STEP 1: URL STRUCTURE ANALYSIS
================================
URL: https://login-microsoft-secure.com/verify?id=72838&redirect=aHR0cHM6Ly9vdXRsb29rLmNvbQ==

| Component | Value | Suspicious? | Reason |
|-----------|-------|-------------|--------|
| Protocol | https | No | Uses HTTPS, but this alone doesn't indicate legitimacy |
| Subdomain | (none) | No | "login" is the first part of the registrable domain, not a subdomain |
| Registrable Domain | login-microsoft-secure.com | Yes | Microsoft brand impersonation combined with the keywords "login" and "secure"; not a Microsoft-owned domain |
| TLD | .com | No | Common legitimate TLD, but also popular for phishing |
| Path | /verify | Yes | Phishing keyword indicating account verification scam |
| Parameter: redirect | aHR0cHM6Ly9vdXRsb29rLmNvbQ== | Yes | Base64 encoded redirect destination (decodes to: https://outlook.com) |

STEP 4: SOC ACTION RECOMMENDATION
===================================
VERDICT: MALICIOUS
CONFIDENCE: HIGH

RISK FACTORS SUMMARY:
1. Direct Microsoft brand impersonation via domain name (login-microsoft-secure.com)
2. Classic phishing kit structure with credential harvesting indicators (login/verify keywords)
3. Obfuscated redirect to legitimate outlook.com after credential theft

RECOMMENDED ACTIONS:
Block domain "login-microsoft-secure.com" at web proxy and email gateway immediately. Search email logs for any messages containing this domain in the past 30 days.

TICKET SUMMARY:
Severity: HIGH
Classification: Phishing - Credential Harvesting
Disposition: True Positive - Malicious

Analysis of reported URL login-microsoft-secure.com indicates an active Microsoft credential phishing campaign. Domain impersonates Microsoft branding, uses credential harvesting keywords (login/verify), and contains a Base64-encoded redirect to legitimate outlook.com so the victim lands on the genuine site after submitting credentials. Domain has been blocked at email gateway and web proxy. Email log search initiated to identify potential victims. Any users who clicked this link require immediate password reset and MFA enforcement.

Generate SOC Investigation Summary

Populate a ready-to-paste investigation report for your ticket or incident log.
