About urlquery.net
URL analysis for security research
urlquery.net helps analysts, researchers, and defenders understand what a URL does when it is opened in a real browser.
Submit a URL and urlquery runs it inside an isolated browser environment, records the network and page activity, extracts useful artifacts, and produces a report that can be searched, shared, reviewed, and used for investigation.
Analyze URLs
Open suspicious or unknown links in a controlled browser and see what actually loads, redirects, downloads, or executes.
Investigate reports
Review screenshots, HTTP traffic, domains, IPs, certificates, scripts, extracted files, detections, and indicators.
Search activity
Find related reports by tag, domain, IP, URL path, hash, artifact, response header, or text found in captured content.
How a scan works
Browser execution
The submitted URL is loaded in an instrumented browser inside an isolated sandbox. This captures behavior that only appears after rendering, redirects, JavaScript execution, or user-facing page loads.
Network capture
Reports include HTTP requests and responses, DNS and IP information, redirect chains, TLS certificate metadata, downloaded resources, and response metadata.
Page evidence
Screenshots and page metadata help show what a visitor would see, while captured documents and JavaScript make it possible to inspect the underlying content.
Artifact processing
Downloaded and embedded files are processed for hashes, file type, archive contents, PDF data, Windows shortcut metadata, strings, alerts, and other useful indicators.
What reports are useful for
Phishing triage
Inspect landing pages, redirects, brand impersonation, credential collection flows, and related infrastructure.
Malware delivery
Track downloads, archive contents, scripts, file hashes, response metadata, and follow-on network activity.
Infrastructure research
Pivot across domains, IPs, certificates, paths, response headers, tags, detections, and repeated content.
Artifact discovery
Find extracted files, script hashes, PDF characteristics, shortcut metadata, leaked tokens, and other report artifacts.
Detection validation
Compare detections with page evidence, network behavior, file metadata, YARA alerts, and reputation signals.
Historical lookup
Search previous reports to see when indicators first appeared, how long activity has been ongoing, and how campaigns, templates, infrastructure, or behavior changed over time.
Detection and enrichment
Multiple signal types
urlquery combines browser behavior, network observations, content analysis, reputation data, YARA rules, extracted indicators, and internal enrichment to highlight suspicious activity.
Analyst-first output
Reports are designed to show evidence, not just a verdict. The goal is to make it easier to understand why something looks suspicious and where to pivot next.
Privacy, access, and retention
Report visibility
Public reports are visible to all users. Restricted and private reports are only visible to users with the required access, the submitter, or the submitter's team.
Limited retention
Scan results are retained for a limited time to support investigations, service delivery, operational stability, and research.
Review requests
Public reports include a Request Review option for removal, redaction, reclassification, or privacy concerns.
Contact
General questions
Feedback, service questions, research collaboration, and technical inquiries are welcome here.
contact@urlquery.netReport phishing
Send suspected phishing URLs, active campaigns, or related indicators for review.
phishing@urlquery.netAbuse or removal
Abuse reports, privacy concerns, removal requests, and report reclassification requests go here.
abuse@urlquery.net