Phishing Campaign Investigation
URL expansion is a foundational technique in phishing investigation workflows. When a suspicious URL is reported — whether from an end user complaint, a security information and event management (SIEM) alert, or a threat intelligence feed — expanding it reveals the complete redirect infrastructure used by the attacker, not just the first-hop domain.
Modern phishing campaigns rarely point directly from the lure URL to the final payload. Instead, attackers use multi-layer redirect architectures to: evade email gateway URL scanners (which typically only check the first URL), make takedown more difficult (taking down one hop in the chain doesn't destroy the campaign), enable real-time routing flexibility (redirect to different payloads by geography, device, or time), and create attribution complexity for defenders mapping the infrastructure.
Our URL expander follows up to 20 redirect hops, detects HTTP 301/302/307/308 redirects, meta-refresh redirects, and JavaScript-based redirects — providing complete infrastructure mapping from a single entry point URL. The chain visualization shows every intermediate domain with HTTP status codes and response times.
Server-Side Analysis: Zero Risk to Your Endpoint
A critical property of our URL expander for security analysis is that all expansion happens server-side on our infrastructure. When you paste a URL to expand, our server makes the HTTP requests to follow the redirect chain — your workstation, browser, and IP address never contact the potentially malicious destination. This is essential for:
- Drive-by download prevention: Some malicious URLs deliver exploits via drive-by downloads targeting browser vulnerabilities. Server-side expansion means your browser is never exposed to these payloads.
- IP anonymity: Sophisticated attackers monitor who visits their infrastructure. Server-side expansion prevents analysts' IP addresses from appearing in attacker access logs, maintaining operational security.
- Credential protection: Some phishing pages use JavaScript to fingerprint and track visitors before serving the credential-harvesting form. Server-side requests do not trigger JavaScript execution, preventing fingerprinting.
- Safe IOC extraction: The expanded destination URL and intermediate hop domains can be safely extracted as Indicators of Compromise (IOCs) for inclusion in threat intelligence feeds, SIEM rules, and firewall block lists.
JavaScript and Meta-Refresh Redirect Detection
A significant capability gap in many URL analysis tools is the inability to follow JavaScript-based redirects and meta-refresh redirects. Services like shorturl.at, some threat actors' redirect infrastructure, and certain malvertising chains use JavaScript window.location assignments or HTML meta-refresh tags instead of HTTP Location headers.
Standard cURL-based URL expansion tools and many enterprise email security gateways only follow HTTP-level redirects. This means a malicious URL that uses JavaScript redirection will appear to resolve to a benign-looking landing page in these tools, while actually redirecting real users to malicious content in a JavaScript-enabled browser context.
URLExpander.org v3 specifically addresses this gap by downloading the HTML body of each hop and scanning for meta-refresh patterns and common JavaScript redirect patterns (window.location.href, window.location.replace(), document.location). This provides a more complete picture of redirect chains that evade HTTP-only analysis tools.
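As an added illustration (not URLExpander.org's own code), the following Python function shows the kind of body scan described above: it pulls a meta-refresh target or a literal window.location / document.location target out of a fetched HTML hop and resolves it against that hop's URL. The sample bodies are constructed and the regex patterns are this example's own assumptions, not the service's.

```python
import re
from html import unescape
from typing import Optional
from urllib.parse import urljoin

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
# content="0; url=https://..." -- the url= part may be quoted or unquoted, any case
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
# window.location.href = "..."; document.location = '...'; location.href = "..."
JS_ASSIGN_RE = re.compile(
    r"(?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
# window.location.replace("..."); location.assign('...')
JS_CALL_RE = re.compile(
    r"(?:window\.|document\.|self\.|top\.)?location\.(?:replace|assign)\s*\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.IGNORECASE)

def extract_redirect_target(html: str, base_url: str) -> Optional[dict]:
    """Return the first client-side redirect found in an HTML body as
    {"kind": ..., "url": <absolute URL>}, or None if the body does not redirect.
    Only literal string targets are recognised: a target assembled at runtime
    (concatenated or obfuscated JavaScript) still needs a real browser engine."""
    for tag in META_TAG_RE.findall(html):
        attrs = {name.lower(): unescape(dq or sq or bare)
                 for name, dq, sq, bare in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_URL_RE.search(attrs.get("content", ""))
            if m:
                return {"kind": "meta-refresh", "url": urljoin(base_url, m.group(1))}
    for kind, pattern in (("js-call", JS_CALL_RE), ("js-assign", JS_ASSIGN_RE)):
        m = pattern.search(html)
        if m:
            return {"kind": kind, "url": urljoin(base_url, m.group(1))}
    return None

# Constructed sample bodies (not captured from any real campaign).
SAMPLE_META = ('<html><head><meta http-equiv="refresh" '
               'content="0; URL=\'/next/step.php?id=7&amp;s=1\'"></head><body>Loading</body></html>')
SAMPLE_JS = ('<html><body><script>setTimeout(function(){'
             'window.location.replace("https://final-hop.example/login");}, 500);</script></body></html>')
SAMPLE_CLEAN = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for body, base in ((SAMPLE_META, "https://hop1.example/a/b"),
                       (SAMPLE_JS, "https://hop2.example/"),
                       (SAMPLE_CLEAN, "https://hop3.example/")):
        print(extract_redirect_target(body, base))
```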
Bulk IOC URL Expansion
Threat intelligence workflows frequently involve large numbers of suspect URLs extracted from malicious email samples, threat feeds, SIEM alerts, or open source intelligence (OSINT) sources. Our Bulk URL Expander handles up to 100 URLs simultaneously with parallel processing, making it practical to expand entire IOC lists in a single operation.
The CSV export from the bulk expander provides structured data including original URL, final destination URL, hop count, and HTTP status codes — in a format ready for import into threat intelligence platforms, ticketing systems, or SIEM enrichment pipelines. This eliminates manual URL expansion bottlenecks in phishing triage workflows.
IOC Extraction from Redirect Chains
Every domain in a redirect chain is a potential Indicator of Compromise. For a typical phishing campaign, a single lure URL might reveal: the URL shortener used for distribution (e.g., bit.ly), intermediate redirect domains (often compromised legitimate websites or bulletproof hosting), tracking and analytics infrastructure (geo-routing services, click-tracking platforms), and the final payload domain (the credential-harvesting or malware delivery page).
Each of these intermediate domains can be investigated further — WHOIS data, passive DNS records, and hosting infrastructure can reveal relationships to other known malicious campaigns and help attribute attacks to known threat actor groups. The redirect chain visualization our tool provides gives you all these domains in a single view.
Safety Score Integration
Our safety scoring system provides a quick triage signal for expanded URLs by combining three data sources:
- Google Safe Browsing: Real-time check against Google's threat intelligence database covering malware, phishing, and unwanted software. This database covers billions of URLs and is updated continuously. When configured with an API key (set via server environment variable GSB_API_KEY), this provides the most up-to-date automated threat intelligence available.
- PhishTank: Community-curated database of confirmed phishing URLs, particularly strong for credential-harvesting page detection.
- Heuristic analysis: Pattern analysis covering high-risk TLDs, IP-as-hostname, excessive subdomains, executable file extensions, and known phishing keyword patterns in URL structure.
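An added example, not the service's own scoring code: a small Python scorer that applies the five heuristic categories listed above to constructed sample URLs. The TLD, extension and keyword lists, the subdomain threshold and the weights are illustrative assumptions, not the thresholds URLExpander.org uses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately small lists; a real checker keeps curated, much larger sets.
HIGH_RISK_TLDS = {"xyz", "top", "tk", "ml", "ga", "cf", "gq", "zip", "click", "work"}
EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".js", ".vbs", ".hta", ".bat", ".ps1", ".jar", ".iso")
PHISHING_KEYWORDS = ("login", "signin", "verify", "secure", "account", "update", "password", "invoice", "wallet")
MAX_SUBDOMAIN_LABELS = 3   # labels left of the registrable domain before flagging (assumed threshold)
WEIGHTS = {"ip-as-hostname": 30, "executable-extension": 30, "high-risk-tld": 20,
           "excessive-subdomains": 20, "phishing-keywords": 15}   # assumed weights

def analyse_url(url: str) -> dict:
    """Run the heuristic checks and return the findings plus a 0-100 score and verdict."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("ip-as-hostname")        # literal IP instead of a domain name
    except ValueError:
        labels = host.split(".")
        # Naive registrable domain = last two labels; everything left of it counts as subdomain.
        if len(labels) - 2 > MAX_SUBDOMAIN_LABELS:
            findings.append("excessive-subdomains")
        if labels[-1] in HIGH_RISK_TLDS:
            findings.append("high-risk-tld")
    if path.endswith(EXECUTABLE_EXTS):
        findings.append("executable-extension")
    haystack = host + path + parts.query.lower()
    keywords = sorted(kw for kw in PHISHING_KEYWORDS if kw in haystack)
    if keywords:
        findings.append("phishing-keywords")
    score = min(100, sum(WEIGHTS[f] for f in findings))
    verdict = "high" if score >= 50 else "medium" if score >= 25 else "low"
    return {"host": host, "findings": findings, "keywords": keywords, "score": score, "verdict": verdict}

# Constructed sample URLs: documentation IP range and made-up hostnames, not real IOCs.
SAMPLES = [
    "http://203.0.113.7/update/invoice.exe",
    "https://secure.login.example-bank.com.account-verify.xyz/signin",
    "https://docs.python.org/3/library/urllib.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse_url(sample))
```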
For additional URL analysis beyond our tool, external resources include VirusTotal (70+ engine scanning), urlscan.io (full browser rendering and screenshot), and ANY.RUN (interactive malware sandbox for URL payloads).
Recommended Tools for Cybersecurity Analysts
- URL Expander — Individual URL investigation with full chain visualization and safety scoring
- Bulk URL Expander — IOC list expansion with CSV export for threat intelligence pipelines
- URL Safety Checker — Deep heuristic analysis for destination URL characterisation
- Technical Redirect Guide — Understanding redirect types for infrastructure analysis
- Security Guide — Overview of URL-based attack techniques and patterns
- VirusTotal — Multi-engine URL and domain analysis
- Google Safe Browsing — Real-time threat intelligence API