Analyze URL Details
The URLs icon in an investigation shows how many URLs were found in a message header.

An investigation with one or more URLs considered malicious will display a count of both the total number of URLs found to be malicious and the total number of URLs found, and the URLs icon will have a red background:

If you hover over a URLs icon with a red background, you will see a summary of the first two malicious issues found:

If you hover over a URLs icon with a red background in a selected investigation, it will turn a darker red, and you can click on the darker red URLs icon to view details of the URLs found in the investigation:

A URL is considered malicious when at least two scanning engines consider it malicious or when at least two scanning services consider it malicious. Each URL is evaluated automatically by Agari URI Scanner (if you have automatic scanning selected in organization settings; see Phishing Response Settings for details) and is checked for blacklist existence, known threat profile, whitelist existence, known malware, and known spam. The result is a determination of Clean or Malicious.
To analyze URL details
- Click on an investigation to select it.
- Click on the URLs icon in the selected investigation. You will see the investigation details page with the URIs tab selected. (If it is not selected, click the Details tab, and then click the URIs tab.) The URIs tab lists all URLs found in all the messages in an investigation.
- Click a URL to view more information about that URL. The details panel for a selected URL shows:
  - The full URL, which you can select and copy.
  - Information returned from any systems that scanned the URL. If VirusTotal scanned the URL, you can click More details to view additional details about the scan.
  - The date and time that the URL was initially scanned.
  - The result of the scan.
  - A screenshot of the URL destination if the URL was found to be malicious and if the scanning engine was able to make it available.
Phishing Response can use multiple systems to scan URLs:
- Agari URI Scanner, an Agari-developed tool that searches for malicious URIs
- VirusTotal, a multi-engine static scan in which the URL is analyzed and checked against a number of malicious URL databases; it can be set to automatically scan all URLs
  - NOTE: When a URL is submitted for scan or rescan with VirusTotal, APR removes the query parameters to avoid using personally identifiable information (PII). As a result, VirusTotal generates a different view for a scan initiated within APR than it does when you manually enter the full URL details directly into VirusTotal.
- Hybrid Analysis, a sandbox scanner offering in-depth static and hybrid analysis
The sandbox scanners activate the URLs in isolated sandbox environments. These in-depth analyses typically take 5-10 minutes, and the results are displayed when the scan is finished and the page is refreshed. The results include a Threat Score and a list of any threats found.
You can scan or rescan a URL using any of the systems at any time. See Scan a URL Manually for details.
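
The VirusTotal note above can be reproduced offline. The following is an added example, not Agari's code: it strips the query string from a constructed sample URL and compares the unpadded URL-safe base64 form of each URL, which is one of the URL identifier forms documented for the VirusTotal v3 API. The function names and the sample URL are assumptions, and how APR performs the stripping internally is not stated on this page.

```python
import base64
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def strip_query(url: str) -> str:
    """Remove the query string; scheme, host, path and fragment are kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", p.fragment))


def dropped_param_names(url: str) -> list[str]:
    """Names (never values) of the parameters that stripping removes."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def vt_url_id(url: str) -> str:
    """Unpadded URL-safe base64 of the URL string (a VirusTotal v3 URL identifier form)."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def prepare_submission(url: str) -> dict:
    """Describe what would be submitted and whether a manual full-URL lookup matches it."""
    submitted = strip_query(url)
    return {
        "submitted_url": submitted,
        "dropped_params": dropped_param_names(url),
        "same_vt_report": vt_url_id(submitted) == vt_url_id(url),
    }


# Constructed sample: a link whose query string carries a recipient address and a token.
FULL = "https://login.example.test/reset?email=alice%40example.test&token=abc123"

if __name__ == "__main__":
    for key, value in prepare_submission(FULL).items():
        print(f"{key}: {value}")
```

When `same_vt_report` is false, the scan result shown in the investigation describes the stripped URL only, so compare like with like before treating a manual full-URL lookup as a contradiction.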