Hunting With URLscan: Part 1


Today, we’re going to focus on using URLscan, a powerful tool for hunting phishing attacks. This guide will help you understand the process better and improve your defensive strategy.

Hunting With URLscan: Part 1: Get to know the basics
Hunting With URLscan: Part 2: Filenames and Hashes
Hunting With URLscan: Part 3: Search Operators
Hunting With URLscan: Part 4: Query Builder

What is URLscan?

URLscan report of a Paypal phishing page

URLscan is a free online service that allows you to analyze and scrutinize websites, identifying potential threats such as phishing, malware, and more. It generates detailed reports about the content and behavior of a scanned URL.

Let’s dive into what you can find in URLscan reports:

1. Summary Info

This is a brief overview of a scanned URL. It includes data like IP addresses, server type, location, and more. Here, you can quickly gauge if something looks out of the ordinary.

2. Web Requests

This section lists all web requests made when the page was loaded. It shows the requested URLs, methods (like GET or POST), and status codes. This can help spot strange requests that shouldn’t be there.

3. Redirects

Here, URLscan records all redirections that occurred while loading the webpage. Malicious sites often use redirects to hide their true location or purpose.

4. Links

This section shows all the links found on the webpage. Pay close attention to outbound links, which could lead to harmful sites.

5. Behavior

This unique feature shows what happens when the page loads. If it sets cookies, makes requests, or triggers downloads, you’ll see it here.

6. Indicators

Indicators provide information on anything suspicious about the site. This could include IP addresses linked to malicious activity or unusual script behavior.

7. DOM (Document Object Model)

Here you’ll find how the webpage is structured. Anomalies in the DOM can indicate malicious intent.

8. Content

This section shows the webpage’s visible text. Phishing sites often contain unusual or poorly written content.

Now, let’s move on to how we can use URLscan to hunt for phishing attacks.

Hunting Phishing Attacks

Searching with URLscan is straightforward. You can search using different parameters such as IP, URL, ASN, or domain.

For instance, to search for all pages containing the word ‘paypal’, you’d type ‘paypal*’ in the search bar.

To hunt for phishing attacks specifically, you can use queries that focus on known phishing indicators. For example, to search for pages mimicking Facebook, you could use ‘page.url:facebook*login’ and then look for suspicious URLs in the results.
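One way to do the "look for suspicious URLs in the results" step in bulk, as an added example that is not code from the original article: it filters hits for a brand query down to pages whose host is not one of the brand's own domains. It assumes the urlscan.io Search API endpoint and its `page.url`, `page.domain`, `page.ip`, `page.asn` and `result` fields; the helper names are hypothetical and the sample hits, hosts, IPs and report IDs are constructed.

```python
import json
from urllib.parse import urlencode, urlsplit

SEARCH_API = "https://urlscan.io/api/v1/search/"  # urlscan.io Search API endpoint

def build_search_url(query, size=100):
    """Encode a search-bar query (e.g. page.url:facebook*login) for the API."""
    return SEARCH_API + "?" + urlencode({"q": query, "size": size})

def is_official(host, official_domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official_domains)

def triage(results, brand, official_domains):
    """Keep hits whose URL names the brand but whose host is not the brand's."""
    suspicious = []
    for hit in results:
        page = hit.get("page", {})
        url = page.get("url", "")
        host = (urlsplit(url).hostname or page.get("domain", "")).lower()
        if brand in url.lower() and not is_official(host, official_domains):
            suspicious.append({"host": host, "url": url, "ip": page.get("ip"),
                               "asn": page.get("asn"), "report": hit.get("result")})
    return suspicious

# Constructed sample shaped like a Search API response (not real scan data).
SAMPLE = json.loads("""
{"results": [
 {"page": {"url": "https://www.facebook.com/login/", "domain": "www.facebook.com",
           "ip": "192.0.2.10", "asn": "AS64500"},
  "result": "https://urlscan.io/api/v1/result/00000000-0000-0000-0000-000000000001/"},
 {"page": {"url": "https://facebook-login.example.net/login.php",
           "domain": "facebook-login.example.net", "ip": "198.51.100.7", "asn": "AS64501"},
  "result": "https://urlscan.io/api/v1/result/00000000-0000-0000-0000-000000000002/"},
 {"page": {"url": "https://m.facebook.com/login.php", "domain": "m.facebook.com",
           "ip": "192.0.2.11", "asn": "AS64500"},
  "result": "https://urlscan.io/api/v1/result/00000000-0000-0000-0000-000000000003/"},
 {"page": {"url": "https://facebook.com.account-verify.example.test/login",
           "domain": "facebook.com.account-verify.example.test",
           "ip": "203.0.113.5", "asn": "AS64502"},
  "result": "https://urlscan.io/api/v1/result/00000000-0000-0000-0000-000000000004/"}
]}
""")

if __name__ == "__main__":
    print(build_search_url("page.url:facebook*login"))
    for row in triage(SAMPLE["results"], "facebook", ["facebook.com"]):
        print(row["host"], row["ip"], row["asn"], row["report"])
```

The suffix check matters for hosts such as facebook.com.account-verify.example.test, where the brand's domain appears only as a leading label of someone else's domain.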

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
