3.2 URL
📖 Overview
The URL submodule under the Analyzed section keeps a full history of every URL extracted from received emails, whether it came from the message body, the headers, an attachment, or a hop in a redirect chain. Each link is scanned automatically and classified by its reputation and observed behavior.
Use this module to identify phishing pages, malicious redirectors, command-and-control (C2) infrastructure, and other web-based threats delivered by email.
🛡️ Every clickable link in a received email is a potential phishing trap. This module helps you stop threats before users ever click them.
🧠 What You’ll See
| Field | Description |
| --- | --- |
| URL Address | The full URL extracted from the email |
| Analysis Time | Date and time the URL was scanned |
| Verdict | Classification: MALICIOUS, SUSPICIOUS, or CLEAN |
| Actions | View context, open the related message, or take remediation |
🧪 Verdict Types
| Verdict | Meaning |
| --- | --- |
| MALICIOUS | Confirmed phishing, malware delivery, or C2 domain |
| SUSPICIOUS | Unusual behavior or structure; flagged for caution |
| CLEAN | No threat found by sandbox and intelligence checks (absence of findings, not proof of safety) |
Each link is analyzed using a combination of:
Static pattern matching
Heuristic content scoring
Threat intelligence feeds
Redirect chain inspection
Embedded JavaScript or form behavior detection
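The following Python script is an added illustration of how those layers combine into a verdict; it is not ShieldsGuard's engine. The rule weights, the verdict thresholds, the intel list, the brand list and the redirect map (which stands in for live HTTP 3xx responses) are all constructed assumptions, and the hostnames are sample data. It runs offline and shows why a shortener that bounces through a tracker to a homoglyph domain ends up MALICIOUS while a genuine vendor login page stays CLEAN.

```python
"""Offline URL triage: static pattern rules, heuristic weights, a local intel
list and redirect-chain inspection, combined into a MALICIOUS / SUSPICIOUS /
CLEAN verdict.  Added illustration, not ShieldsGuard's engine.  Weights,
thresholds, the intel list and the redirect map are constructed assumptions."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

KNOWN_BAD_HOSTS = {"micros0ft-login.com", "secure-bank-update.net"}  # constructed intel list
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # a hop through one hides the real destination
PROTECTED_BRANDS = {"microsoft", "paypal", "office365"}
# Fold common homoglyphs so "micr0s0ft" and "paypa1" match their brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
LURE_WORDS = re.compile(r"login|signin|verify|update|auth|secure|account", re.I)

# Constructed redirect map standing in for live HTTP 3xx responses.
REDIRECTS = {
    "https://bit.ly/3xmpl":
        "https://tracker.example.org/r?u=https%3A%2F%2Fmicr0soft-login.com%2Fauth",
    "https://tracker.example.org/r?u=https%3A%2F%2Fmicr0soft-login.com%2Fauth":
        "https://micr0soft-login.com/auth",
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); a real engine uses the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def embedded_url(url):
    """Return a URL carried in the query string (open-redirector pattern), if any."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if unquote(value).lower().startswith(("http://", "https://")):
                return unquote(value)
    return None


def score_url(url):
    """Static pattern matching plus heuristic weights for a single URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []

    def hit(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    if host in KNOWN_BAD_HOSTS:
        hit(10, "intel:known-bad-host")
    if "@" in parts.netloc:
        hit(3, "userinfo-in-authority")
    if parts.scheme != "https":
        hit(1, "plaintext-http")
    if is_ip_literal(host):
        hit(3, "ip-literal-host")
    else:
        if host.startswith("xn--") or ".xn--" in host:
            hit(2, "punycode-label")
        if host.count(".") >= 3:
            hit(1, "deep-subdomain")
        folded = host.translate(HOMOGLYPHS)
        for brand in PROTECTED_BRANDS:  # brand string in a domain the brand does not own
            if brand.translate(HOMOGLYPHS) in folded and registrable_domain(host) != f"{brand}.com":
                hit(4, f"lookalike:{brand}")
    if embedded_url(url):
        hit(2, "embedded-redirect-target")
    if LURE_WORDS.search(parts.path):
        hit(1, "credential-lure-keyword")
    return score, reasons


def follow_redirects(url, redirects=REDIRECTS, max_hops=5):
    """Walk the chain: next hop from the 3xx map, else a URL embedded in the query."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = redirects.get(chain[-1]) or embedded_url(chain[-1])
        if nxt is None or nxt in seen:  # end of chain, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def verdict(score):
    return "MALICIOUS" if score >= 6 else "SUSPICIOUS" if score >= 3 else "CLEAN"


def analyze(url):
    """Score every hop; the chain is as bad as its worst hop, plus chain-shape penalties."""
    chain = follow_redirects(url)
    hop_scores = [score_url(u) for u in chain]
    score = max(s for s, _ in hop_scores)
    reasons = sorted({r for _, rs in hop_scores for r in rs})
    hosts = {(urlparse(u).hostname or "").lower() for u in chain}
    if len(chain) > 1 and hosts & SHORTENERS:
        score += 1
        reasons.append("shortener-hop")
    if len(chain) > 3:
        score += 1
        reasons.append("long-redirect-chain")
    return {"url": url, "final_url": chain[-1], "chain": chain,
            "score": score, "reasons": reasons, "verdict": verdict(score)}


if __name__ == "__main__":
    for sample in ("https://bit.ly/3xmpl", "https://login.microsoft.com/common/oauth2/authorize",
                   "http://198.51.100.7/verify/account", "https://micros0ft-login.com/signin"):
        r = analyze(sample)
        print(f"{r['verdict']:10} {r['score']:2}  {sample} -> {r['final_url']}  {r['reasons']}")
```

Scoring each hop and taking the worst one, rather than summing across the chain, keeps a benign marketing tracker from pushing a clean destination into SUSPICIOUS; the separate shortener and chain-length penalties capture the fact that the obfuscation itself is a signal.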
🔍 Use Cases
| Use case | What the module helps you do |
| --- | --- |
| Detect phishing campaigns | Identify credential-harvesting sites targeting your users |
| Block malicious redirectors | Trace shortened or obfuscated URLs to their real destination |
| Investigate advanced threats | Analyze links that lead to malware downloads |
| Monitor new infrastructure | Spot newly registered or never-before-seen phishing domains |
🧩 Common Threat Sources Detected
- Lookalike login pages (e.g. micros0ft-login[.]com)
- Fake bank or finance domains
- One-click tracker URLs from mail marketing platforms
- URLs embedded in file attachments
- Obfuscated links behind redirectors (bit.ly, t.co, custom cloakers)
⚙️ Analyst Tools
Filter by verdict to isolate risky URLs
Use timestamps to identify campaign patterns
Click the actions icon to:
View email message where the URL appeared
Block the associated domain
View sandbox or reputation context
📤 Remediation
If a URL is confirmed as dangerous:
Add it to ShieldsGuard's internal blocklist
Trigger auto-block on similar URLs in future
Notify affected users
Add sender domain to email block policy (see 3.4 Domain)
🧠 Best Practices
Monitor “SUSPICIOUS” verdicts closely
A SUSPICIOUS link is frequently reclassified as MALICIOUS once more evidence arrives; review it rather than waiting for the verdict to change
Cross-correlate URLs with the sender domain
Several sender domains pointing at the same landing host is a sign of coordinated phishing infrastructure
Track repeat URL patterns
The same host and path with only a per-recipient token changing is one campaign hitting multiple recipients
Regularly blocklist high-risk domains
Prevents the next message from the same infrastructure from reaching users
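As an added example of the correlation steps above (not ShieldsGuard's code), the Python script below collapses per-message URL variants into one pattern, counts distinct recipients inside a time window, and lists the sender domains that pointed at the same landing host. The URL records, hostnames, the 24-hour window and the three-recipient threshold are all constructed assumptions.

```python
"""Campaign correlation over URL history records: collapse URL variants into a
shared pattern, count distinct recipients within a time window, and collect
the sender domains that used the same landing infrastructure.  Added
illustration, not ShieldsGuard's code.  Records, window and threshold are
constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Per-recipient tokens (hex ids, numeric ids) are masked so variants collapse.
TOKEN = re.compile(r"[0-9a-f]{6,}|\d+", re.I)

# Constructed sample of what the URL history holds; hostnames are made up.
RECORDS = [
    {"url": "https://micr0soft-login.com/auth/7f3a9c21e0", "sender": "hr-notices.example.net",
     "recipient": "alice@corp.example", "seen": "2024-05-02T08:05:00"},
    {"url": "https://micr0soft-login.com/auth/b2c4d6e8f0", "sender": "hr-notices.example.net",
     "recipient": "bob@corp.example", "seen": "2024-05-02T08:07:00"},
    {"url": "https://micr0soft-login.com/auth/19d8e7c6a5", "sender": "payroll-alerts.example.org",
     "recipient": "carol@corp.example", "seen": "2024-05-02T09:40:00"},
    {"url": "https://micr0soft-login.com/auth/0a1b2c3d4e", "sender": "hr-notices.example.net",
     "recipient": "alice@corp.example", "seen": "2024-05-02T10:12:00"},  # repeat recipient
    {"url": "https://docs.example.com/report-2024.pdf", "sender": "vendor.example.com",
     "recipient": "dave@corp.example", "seen": "2024-05-02T11:00:00"},
    {"url": "https://docs.example.com/report-2023.pdf", "sender": "vendor.example.com",
     "recipient": "erin@corp.example", "seen": "2024-04-20T11:00:00"},
]


def url_pattern(url):
    """host + path with per-recipient tokens masked; the query string is dropped."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = TOKEN.sub("{id}", parts.path)
    return host + path


def build_clusters(records, window=timedelta(hours=24), min_recipients=3):
    """Group records by pattern and decide whether each group looks like a campaign."""
    groups = defaultdict(list)
    for rec in records:
        groups[url_pattern(rec["url"])].append(rec)
    clusters = {}
    for pattern, rows in groups.items():
        rows.sort(key=lambda r: r["seen"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(r["seen"]) for r in rows]
        peak = 0  # most distinct recipients hit inside any one window
        for i, start in enumerate(times):
            in_window = {rows[j]["recipient"] for j in range(i, len(rows))
                         if times[j] - start <= window}
            peak = max(peak, len(in_window))
        senders = sorted({r["sender"] for r in rows})
        clusters[pattern] = {
            "hits": len(rows),
            "recipients": len({r["recipient"] for r in rows}),
            "peak_recipients_in_window": peak,
            "senders": senders,
            "first_seen": rows[0]["seen"],
            "last_seen": rows[-1]["seen"],
            "campaign": peak >= min_recipients,
            "shared_infrastructure": len(senders) > 1,  # several senders, one landing host
        }
    return clusters


def campaign_hosts(clusters):
    """Hosts behind campaign-sized clusters: the candidates for the blocklist."""
    return sorted({p.split("/", 1)[0] for p, c in clusters.items() if c["campaign"]})


if __name__ == "__main__":
    clusters = build_clusters(RECORDS)
    for pattern, info in clusters.items():
        flag = "CAMPAIGN" if info["campaign"] else "isolated"
        print(f"{flag:9} {pattern}  hits={info['hits']} recipients={info['recipients']} "
              f"senders={info['senders']}")
    print("blocklist candidates:", campaign_hosts(clusters))
```

Masking only hex and numeric runs in the path is deliberate: a campaign that personalises the link with a tracking token still collapses into one pattern, while two different report files from a vendor stay distinguishable by their surrounding text yet still group together, which is why the time window, not the pattern alone, decides what counts as a campaign.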
🎯 The URL module gives you a forensic window into phishing infrastructure — empowering your team to stop web-based threats long before a user clicks the link.