
Introduction:
Modern URL phishing has evolved far beyond static landing pages. Attackers now deploy dynamic credential-harvesting flows, multi-stage redirect chains, client-side JavaScript obfuscation, and iframe-based content injection—all designed to evade traditional security tools that rely on static analysis or network logs alone. ANY.RUN’s new in-browser data inspection capability addresses this gap by merging static and dynamic analysis into a single workflow, giving SOC analysts real-time visibility into script execution, DOM mutations, and redirect behavior as they happen. This approach not only eliminates the blind spots that attackers exploit but also reduces mean time to respond (MTTR) by up to 21 minutes per phishing case, fundamentally changing how security teams conduct URL triage.
Learning Objectives:
- Understand the technical limitations of traditional URL analysis and why browser-level visibility is essential for modern phishing detection
- Master the in-browser data inspection workflow within ANY.RUN’s Interactive Sandbox, including DOM change tracking, redirect chain reconstruction, and HTTP request analysis
- Learn how to operationalize browser telemetry for detection engineering, threat hunting, and incident response automation
1. The Visibility Gap: Why Static URL Analysis Fails Against Modern Phishing
Traditional URL investigation workflows force analysts to piece together evidence across multiple disjointed tools. A suspicious URL arrives, the analyst scans it for basic WHOIS and reputation data, submits it to a sandbox, traces redirects manually, inspects network traffic, and then attempts to reconstruct the full attack sequence from disparate screenshots and logs. This fragmented approach leaves critical gaps:
- Analysts may see a screenshot of the final phishing page but miss the redirect chain, intermediate page states, iframe activity, and script-driven DOM changes that led there
- Limited visibility into forms, user-facing content, and dynamically loaded elements means investigators often cannot determine what data the victim actually submitted
- Reliance on static page analysis instead of a dynamic, step-by-step view of real browser behavior fails to capture post-load JavaScript execution
- No automatically collected DOM history means analysts cannot inspect how the page evolved across different execution stages
These visibility gaps create significant operational challenges. Fragmented workflows force analysts to manually reconstruct webpage behavior across multiple tools, increasing investigation time and delaying response. When Tier 1 analysts lack sufficient evidence to classify a URL confidently, they escalate benign links to senior team members, consuming valuable senior analyst resources. Solutions focused on file or network activity often miss critical phishing context, leaving investigators without sufficient browser-level evidence to make informed decisions.
Key Takeaway: Static analysis and network logs alone cannot reveal what actually executes inside the browser. Without DOM-level visibility, you are essentially investigating phishing with one hand tied behind your back.
2. Step-by-Step: Conducting an In-Browser Phishing Investigation
ANY.RUN’s in-browser data inspection consolidates all browser telemetry, page content, behavioral evidence, and threat intelligence into a single investigation experience. Here is how to use it effectively:
Step 1: Submit the Suspicious URL
Navigate to ANY.RUN’s Interactive Sandbox and submit the suspicious URL for analysis. The page executes in a real browser environment, capturing everything that matters—redirects, scripts, DOM changes, and user-facing content—in a single view.
Step 2: Open the Browser Data Tab
Once the analysis completes, open the Browser Data tab. This provides a complete, dynamic view of the web page execution tree, from the initial URL to the final page view, featuring all redirects and activated iframes. Color highlights and tags point to the pages responsible for triggering detections, allowing you to accelerate triage by immediately identifying the most relevant stages for further analysis.
Step 3: Reconstruct the Redirect Chain
Navigate to the HTTP Requests section to gain complete visibility into redirects, requests, and responses generated during page execution. This allows you to reconstruct the full redirect chain and collect evidence for IDS detections and network-based hunting rules.
Step 4: Analyze DOM Changes
Go to the HTML DOM Changes tab to see which code fragments were added to the DOM after the page loaded. This reveals what static analysis misses—hidden forms, deobfuscated scripts, and dynamically injected content that only become visible during actual browser execution.
Step 5: Extract Indicators and Expand the Investigation
Collected indicators include URLs, domains, IP addresses, and hashes of web content associated with the analyzed page. Use these to expand your investigation beyond a single sample by developing pivoting hypotheses and uncovering attacker-controlled infrastructure. Content extracted from web page snapshots can also be used to create custom hunting and detection rules backed by ANY.RUN Threat Intelligence.
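The redirect-chain reconstruction of Step 3 and the DOM-change review of Step 4, as an added Python example that is not part of the original article or of ANY.RUN's tooling: it walks constructed HTTP telemetry (3xx Location headers plus a meta-refresh hop) and diffs a constructed before/after DOM pair to surface a credential form that only exists after scripts ran. The record layout, hostnames and snapshots are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed telemetry, shaped like what a sandbox's HTTP Requests view exposes:
# one record per request with response status, headers and (for HTML) the body.
# All hostnames are placeholders, not real infrastructure.
SAMPLE_HTTP_LOG = [
    {"url": "https://link-tracker.example/c/abc", "status": 302,
     "headers": {"Location": "https://cdn-redirect.example/go?u=1"}},
    {"url": "https://cdn-redirect.example/go?u=1", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": '<html><head><meta http-equiv="refresh" content="0; url=/landing"></head></html>'},
    {"url": "https://cdn-redirect.example/landing", "status": 301,
     "headers": {"Location": "https://secure-login.example/auth/"}},
    {"url": "https://secure-login.example/auth/", "status": 200,
     "headers": {"Content-Type": "text/html"}, "body": "<html><body>loading...</body></html>"},
]

# Constructed DOM snapshots: the HTML as served, and the DOM after scripts ran.
INITIAL_DOM = '<html><body><div id="app"></div><script src="app.js"></script></body></html>'
FINAL_DOM = ('<html><body><div id="app"><form action="https://collect.example/p.php" method="post">'
             '<input type="email" name="u"><input type="password" name="p">'
             '</form></div><script src="app.js"></script></body></html>')

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)


def reconstruct_chain(records, start_url, max_hops=10):
    """Follow HTTP 3xx Location headers and <meta http-equiv=refresh> hops from
    start_url through the captured records. Returns [(url, how_reached), ...]."""
    by_url = {r["url"]: r for r in records}
    chain, seen, url = [(start_url, "submitted")], {start_url}, start_url
    for _ in range(max_hops):
        rec = by_url.get(url)
        if rec is None:
            break
        nxt = how = None
        if 300 <= rec["status"] < 400 and "Location" in rec["headers"]:
            nxt, how = urljoin(url, rec["headers"]["Location"]), f"http-{rec['status']}"
        else:
            m = META_REFRESH.search(rec.get("body", ""))
            if m:
                nxt, how = urljoin(url, m.group(1)), "meta-refresh"
        if nxt is None or nxt in seen:  # final page reached, or a redirect loop
            break
        chain.append((nxt, how))
        seen.add(nxt)
        url = nxt
    return chain


class FormCollector(HTMLParser):
    """Collects every <form> with its action, method and <input> types/names."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(), "inputs": []}
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def forms_in(html):
    p = FormCollector()
    p.feed(html)
    p.close()
    return p.forms


def injected_credential_forms(initial_html, final_html):
    """Forms that exist only in the post-execution DOM and collect a password or e-mail."""
    before = {(f["action"], f["method"], tuple(f["inputs"])) for f in forms_in(initial_html)}
    found = []
    for f in forms_in(final_html):
        key = (f["action"], f["method"], tuple(f["inputs"]))
        if key not in before and {t for t, _ in f["inputs"]} & {"password", "email"}:
            found.append(f)
    return found


if __name__ == "__main__":
    for url, how in reconstruct_chain(SAMPLE_HTTP_LOG, "https://link-tracker.example/c/abc"):
        print(f"{how:12} {url}")
    for f in injected_credential_forms(INITIAL_DOM, FINAL_DOM):
        print("injected credential form ->", f["method"].upper(), f["action"], f["inputs"])
```

The chain walker stops at the first page that neither redirects nor carries a meta refresh, and the visited set prevents a looping redirector from spinning forever; the form diff keys on action, method and input set, so a form that was already in the served HTML is not reported as injected.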
Practical CLI Equivalent (Linux/macOS):
While ANY.RUN automates this process, here is how you might manually inspect some of these elements using command-line tools:
# Follow up to 10 redirects and print every Location header returned along the way
curl -sv -L --max-redirs 10 https://suspicious-domain.example 2>&1 | grep -i '^< location:'

# Extract all external script sources from the fetched HTML
# (page source only: scripts injected after load will not appear here)
curl -s https://suspicious-domain.example | grep -oiP '<script[^>]+src=["'\'']?\K[^"'\'' >]+'

# Check for iframe inclusions
curl -s https://suspicious-domain.example | grep -oi '<iframe[^>]*>'

# Extract all form actions and input fields
curl -s https://suspicious-domain.example | grep -i '<form' -A 20 | grep -Ei 'action=|<input'
Practical CLI Equivalent (Windows PowerShell):
# Fetch the page without following redirects and show where it tries to send the browser
$resp = Invoke-WebRequest -Uri "https://suspicious-domain.example" -MaximumRedirection 0 -ErrorAction SilentlyContinue
$resp.Headers['Location']

# Extract all script sources. Invoke-WebRequest's .Links only lists <a> elements,
# so <script> and <iframe> tags are pulled from the raw content with a regex instead
$html = (Invoke-WebRequest -Uri "https://suspicious-domain.example").Content
[regex]::Matches($html, '<script[^>]+src=["'']?([^"''\s>]+)', 'IgnoreCase') | ForEach-Object { $_.Groups[1].Value }

# Extract all iframe sources
[regex]::Matches($html, '<iframe[^>]+src=["'']?([^"''\s>]+)', 'IgnoreCase') | ForEach-Object { $_.Groups[1].Value }
3. Automating Phishing Triage with ANY.RUN APIs
For SOC teams handling high volumes of phishing alerts, manual submission is not scalable. ANY.RUN provides a REST API that allows you to automate URL submission, analysis retrieval, and indicator extraction directly into your SOAR or SIEM workflows.
API Authentication:
# Set your API key (obtain from the ANY.RUN dashboard)
API_KEY="your_api_key_here"

# Submit a URL for analysis
curl -X POST "https://api.any.run/v1/analysis" \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "obj_type": "url",
    "obj_url": "https://suspicious-domain.example/phishing-page",
    "env_version": "win10",
    "env_bitness": 64
  }'

# Retrieve analysis results once complete (replace TASK_ID with the actual task ID)
curl -X GET "https://api.any.run/v1/analysis/TASK_ID" \
  -H "Authorization: Bearer $API_KEY"

# Extract browser-level telemetry (IOC export) from the completed analysis
curl -X GET "https://api.any.run/v1/analysis/TASK_ID/export/ioc" \
  -H "Authorization: Bearer $API_KEY"
SOAR Integration Snippet (Python):
import requests
import time
import json

API_KEY = "your_api_key_here"
BASE_URL = "https://api.any.run/v1"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}


def submit_url_for_analysis(url):
    """Submit a URL for browser-level analysis and return the task ID."""
    payload = {"obj_type": "url", "obj_url": url, "env_version": "win10"}
    response = requests.post(f"{BASE_URL}/analysis", headers=HEADERS, json=payload, timeout=30)
    response.raise_for_status()
    return response.json().get("data", {}).get("taskid")


def wait_for_completion(task_id, poll_seconds=5):
    """Poll the task until it reaches a terminal state and return the final record."""
    while True:
        response = requests.get(f"{BASE_URL}/analysis/{task_id}", headers=HEADERS, timeout=30)
        response.raise_for_status()
        body = response.json()
        if body.get("data", {}).get("status") in ["done", "error"]:
            return body
        time.sleep(poll_seconds)


def extract_phishing_indicators(task_id):
    """Fetch the IOC export (URLs, domains, IPs, content hashes) for a completed task."""
    response = requests.get(f"{BASE_URL}/analysis/{task_id}/export/ioc", headers=HEADERS, timeout=30)
    response.raise_for_status()
    return response.json()


# Example workflow
task_id = submit_url_for_analysis("https://suspicious-domain.example")
results = wait_for_completion(task_id)
indicators = extract_phishing_indicators(task_id)
print(json.dumps(indicators, indent=2))
Key Takeaway: Automating URL submission and indicator extraction through APIs allows you to integrate browser-level telemetry directly into your existing security stack, reducing manual effort and enabling near-real-time phishing triage at scale.
4. Strengthening Detection Engineering with Browser Telemetry
The browser-level evidence collected through in-browser data inspection provides a new source of intelligence for building custom detections, hunting hypotheses, and phishing signatures based on real-world attack behavior.
Creating YARA Rules from Phishing Pages
ANY.RUN’s Threat Intelligence Lookup allows you to create YARA rules from a single phishing page and identify related samples across the platform. In one example, a YARA rule created from a single phishing page identified 145 related samples within Threat Intelligence Lookup.
Example YARA Rule for Phishing Detection:
rule Phishing_Credential_Harvesting_Form {
    meta:
        description = "Detects common phishing form patterns"
        author = "SOC Team"
        date = "2026-06-20"
    strings:
        // [^>]* tolerates other attributes before the one of interest and
        // \s* tolerates whitespace around '='; without them real HTML never matches
        $form_action = /<form[^>]*action\s*=\s*["']?https?:\/\/[^"']+["']?/ nocase
        $input_password = /<input[^>]*type\s*=\s*["']?password["']?/ nocase
        $input_email = /<input[^>]*type\s*=\s*["']?email["']?/ nocase
        $post_method = /<form[^>]*method\s*=\s*["']?post["']?/ nocase
        // the /s flag lets '.' span newlines so multi-line inline scripts are covered
        $obfuscated_script = /<script[^>]*>.*?(atob|fromCharCode|eval|document\.write).*?<\/script>/s nocase
    condition:
        ($form_action and $input_password) or
        ($form_action and $input_email and $post_method) or
        ($obfuscated_script and ($input_password or $input_email))
}
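Building a rule from the artifacts of a single page, as an added Python example that is neither the article's code nor ANY.RUN's Threat Intelligence Lookup: it turns constructed DOM artifacts into a YARA rule with properly escaped text strings and an N-of-them condition, and previews that condition against two constructed pages without needing the yara module. The artifact values, labels and sample pages are placeholders chosen for the example.

```python
import re

# Constructed artifacts of the kind the HTML DOM Changes view surfaces for one
# phishing page: a form action, an obfuscation fragment and a hidden field.
# Values are placeholders, not indicators from a real campaign.
SAMPLE_ARTIFACTS = {
    "form_action": "https://collect.example/p.php",
    "script_fragment": 'document.write(atob("PGZvcm0+"))',
    "hidden_field": '<input type="hidden" name="campaign" value="c0ffee">',
}


def yara_identifier(name):
    """Reduce an arbitrary label to a valid YARA identifier (letters, digits, '_')."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return ident if re.match(r"[A-Za-z_]", ident) else "_" + ident


def yara_text_string(value):
    """Quote a value as a YARA text string, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_yara_rule(rule_name, artifacts, min_matches=2, description=""):
    """Emit a YARA rule with one text string per artifact and an N-of-them condition,
    so sibling pages that reuse only some of the artifacts still match."""
    min_matches = max(1, min(min_matches, len(artifacts)))
    desc = description or "Generated from browser-level artifacts"
    lines = [f"rule {yara_identifier(rule_name)}", "{", "    meta:",
             f"        description = {yara_text_string(desc)}", "    strings:"]
    for label, value in artifacts.items():
        lines.append(f"        ${yara_identifier(label)} = {yara_text_string(value)} ascii nocase")
    lines += ["    condition:", f"        {min_matches} of them", "}"]
    return "\n".join(lines)


def preview_matches(artifacts, page_html, min_matches=2):
    """Approximate the generated rule's condition without the yara module:
    an 'ascii nocase' text string matches as a case-insensitive substring."""
    hay = page_html.lower()
    hits = [label for label, value in artifacts.items() if value.lower() in hay]
    return len(hits) >= min_matches, hits


# Constructed pages for the preview: a sibling of the analysed page and a benign login form.
SIBLING_PAGE = ('<form action="https://COLLECT.example/p.php" method="post"><input type="password" name="p">'
                '<input type="hidden" name="campaign" value="c0ffee"></form>')
BENIGN_PAGE = '<form action="/login" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(build_yara_rule("phish campaign/2026", SAMPLE_ARTIFACTS))
    print(preview_matches(SAMPLE_ARTIFACTS, SIBLING_PAGE))
    print(preview_matches(SAMPLE_ARTIFACTS, BENIGN_PAGE))
```

The `2 of them` threshold is what makes the rule useful for pivoting: a related page that changed its script but kept the collector endpoint and campaign field still fires, while a page that shares a single generic string does not. Feed the generated text to a real YARA compiler before hunting with it; the preview only models the substring semantics of `ascii nocase` strings.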
Building Suricata/Snort Rules for Redirect Chains
# Extract redirect domains from ANY.RUN analysis and create Suricata rules.
# Example rule to detect server responses that redirect the browser to a suspicious TLD.
# The Location header lives in the response, so the rule is written in the to_client
# direction with the external host as source; http.location is the Suricata 5+ sticky
# buffer holding that header's value, and the pcre then matches inside it.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"PHISHING Redirect Chain Detected"; \
    flow:established,to_client; \
    http.location; content:"http"; nocase; \
    pcre:"/^https?:\/\/[a-z0-9.-]+\.(?:top|xyz|click|link)(?:[\/:?#]|$)/i"; \
    classtype:policy-violation; sid:1000001; rev:2; \
)
Key Takeaway: Browser telemetry transforms phishing investigations from reactive incident response to proactive detection engineering. By extracting DOM patterns, redirect behaviors, and obfuscation techniques, you can build resilient detections that catch attacks before they reach end users.
5. Operationalizing Browser-Level Evidence for SOC Workflows
In-browser data inspection delivers tangible operational improvements across the entire SOC workflow:
Faster Triage and Fewer Unnecessary Escalations
With immediate access to browser-level evidence, Tier 1 analysts can validate suspicious URLs faster and escalate fewer benign cases. The complete evidence package—including redirect chains, DOM changes, form submissions, and screenshots—provides sufficient context for confident classification without senior analyst involvement.
Smoother Handoff and Incident Response
When escalation is required, Tier 2 analysts receive a complete evidence package rather than disconnected indicators. This accelerates validation and reduces MTTR by eliminating the need to reconstruct the attack sequence from scratch.
Structured Reporting for Stakeholder Communication
Built-in SOC-ready reports transform complex investigations into decision-ready intelligence, simplifying triage, escalation, response, and stakeholder communication. Reports include all browser-level evidence, verdicts, and recommended next steps in a format that non-technical stakeholders can understand.
Scaling Security Operations
For enterprises and MSSPs, these operational improvements translate into faster investigations, more efficient use of analyst resources, stronger phishing defenses, and the ability to scale security operations without proportionally increasing workload.
Key Takeaway: Browser-level visibility is not just a technical improvement—it is an operational force multiplier that allows SOC teams to do more with less, reducing burnout and improving security outcomes simultaneously.
6. Hardening Defenses: Complementary Controls and Best Practices
While in-browser data inspection provides powerful investigative capabilities, a defense-in-depth approach remains essential. Consider these complementary controls:
Email Gateway Configuration (Microsoft 365)
# Block URLs with known malicious patterns using Microsoft 365 Defender
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline

# Create a mail flow rule to block URLs containing common phishing TLDs
# (word matching is a coarse control; tune the list against legitimate mail before enabling)
New-TransportRule -Name "BlockPhishingTLDs" `
    -Priority 10 `
    -Enabled $true `
    -Comments "Blocks URLs with suspicious TLDs" `
    -SubjectOrBodyContainsWords @(".top", ".xyz", ".click", ".link", ".work", ".date", ".download") `
    -RejectMessageReasonText "This URL has been blocked due to suspicious TLD" `
    -RejectMessageEnhancedStatusCode "5.7.1"
DNS Sinkhole Configuration (Linux – Pi-hole/AdGuard)
# Add suspicious domains to the DNS sinkhole (Pi-hole example; older releases read
# /etc/pihole/blacklist.txt, Pi-hole v5 and later use 'pihole -b <domain>' instead)
echo "suspicious-phishing-domain.top" >> /etc/pihole/blacklist.txt
echo "credential-harvester.xyz" >> /etc/pihole/blacklist.txt
pihole -g   # update gravity so the new entries take effect

# Query DNS logs for lookups of suspicious TLDs (escape the dot and anchor the TLD,
# otherwise names such as "stop.example" also match), then rank the queried domains
grep -E 'query\[[A-Z]+\] [^ ]+\.(top|xyz|click|link) ' /var/log/pihole.log | awk '{print $6}' | sort | uniq -c | sort -nr
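The DNS-log triage above, generalized as an added Python example that is not from the article: it parses constructed pihole.log lines, counts lookups per domain and client, and decides on the final label of the queried name rather than on a substring, so a lookup of www.stop.example is not mistaken for a .top hit. The log lines, client addresses and hostnames are constructed placeholders.

```python
import re
from collections import Counter

# Constructed dnsmasq-style log lines in the format Pi-hole writes to /var/log/pihole.log.
# Hosts and client addresses are placeholders.
SAMPLE_PIHOLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] mail.example.com from 192.168.1.10
Mar  3 10:15:02 dnsmasq[812]: query[A] secure-login-verify.top from 192.168.1.24
Mar  3 10:15:02 dnsmasq[812]: forwarded secure-login-verify.top to 1.1.1.1
Mar  3 10:15:03 dnsmasq[812]: query[AAAA] cdn.desktop.link from 192.168.1.24
Mar  3 10:15:04 dnsmasq[812]: query[A] account-update.xyz from 192.168.1.31
Mar  3 10:15:05 dnsmasq[812]: query[A] secure-login-verify.top from 192.168.1.24
Mar  3 10:15:06 dnsmasq[812]: query[A] www.stop.example from 192.168.1.10
Mar  3 10:15:07 dnsmasq[812]: query[A] topsite.example.org from 192.168.1.31
"""

SUSPICIOUS_TLDS = {"top", "xyz", "click", "link"}

QUERY_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+: query\[(?P<qtype>\w+)\] "
    r"(?P<domain>\S+) from (?P<client>\S+)$")


def parse_queries(log_text):
    """Yield (timestamp, qtype, domain, client) for query lines; forwarded/reply lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_LINE.match(line)
        if m:
            yield m["ts"], m["qtype"], m["domain"].rstrip(".").lower(), m["client"]


def suspicious_lookups(log_text, tlds=SUSPICIOUS_TLDS):
    """Count lookups per (domain, client) where the domain's last label is a watched TLD,
    most frequent first. Matching on the final label avoids false hits on names that
    merely contain 'top' or 'link' somewhere in the string."""
    counts = Counter()
    for _, _, domain, client in parse_queries(log_text):
        if domain.rsplit(".", 1)[-1] in tlds:
            counts[(domain, client)] += 1
    return counts.most_common()


def clients_per_domain(log_text, tlds=SUSPICIOUS_TLDS):
    """Which internal clients resolved each suspicious domain (scopes who followed the link)."""
    seen = {}
    for (domain, client), _ in suspicious_lookups(log_text, tlds):
        seen.setdefault(domain, set()).add(client)
    return {d: sorted(c) for d, c in seen.items()}


if __name__ == "__main__":
    for (domain, client), n in suspicious_lookups(SAMPLE_PIHOLE_LOG):
        print(f"{n:4}  {domain:30} {client}")
    print(clients_per_domain(SAMPLE_PIHOLE_LOG))
```

Point it at the real file with `suspicious_lookups(open("/var/log/pihole.log").read())`; the domain list from a sandbox's IOC export can replace the TLD check with an exact-domain set if you want lookups of specific redirector hosts rather than a whole TLD.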
WAF Rule Tuning (ModSecurity Example)
# Detect and block credential harvesting attempts at the WAF level
# (a bare "/login" match also blocks legitimate sign-ins; narrow it to the
# paths or request characteristics observed in the sandbox before enabling)
SecRule REQUEST_URI "@contains /login" \
    "id:100002,phase:2,t:none,block,msg:'Credential harvesting attempt detected',\
    severity:CRITICAL"

# Block requests containing obfuscated JavaScript patterns
# (REQUEST_BODY is only populated when SecRequestBodyAccess is On)
SecRule REQUEST_BODY "@rx (?:fromCharCode|atob|eval\s*\()" \
    "id:100003,phase:2,t:none,block,msg:'Obfuscated JavaScript detected',\
    severity:CRITICAL"
Key Takeaway: In-browser data inspection is most effective when integrated into a broader security architecture that includes email filtering, DNS protection, WAF controls, and endpoint detection—creating multiple layers of defense that catch phishing at every stage of the attack chain.
What Undercode Say:
- Browser-level visibility is non-negotiable for modern phishing defense. Static analysis and network logs cannot capture what actually executes in the browser. ANY.RUN’s in-browser data inspection closes this gap by providing DOM-level telemetry, redirect chain reconstruction, and real-time script execution visibility—transforming phishing investigations from guesswork into evidence-based decision-making.
- Automation is the force multiplier that makes this capability scalable. By integrating ANY.RUN’s API with SOAR platforms, SOC teams can automate URL submission, analysis retrieval, and indicator extraction, reducing manual effort and enabling near-real-time triage at enterprise scale. This is particularly critical for MSSPs handling thousands of phishing alerts daily.
- Detection engineering benefits as much as incident response. The browser telemetry collected through in-browser data inspection provides a rich source of intelligence for building custom YARA rules, Suricata signatures, and hunting hypotheses based on real-world attack behavior. This shifts the security posture from reactive to proactive.
- The operational impact is measurable. With MTTR reductions of up to 21 minutes per case and fewer unnecessary escalations, SOC teams can reallocate senior analyst time to high-priority threats rather than routine triage. This improves both security outcomes and analyst retention by reducing burnout.
- Adoption requires minimal friction. The capability is available to all ANY.RUN users and integrates directly into the existing Interactive Sandbox interface—no additional tools, training, or infrastructure required. This low barrier to entry makes it accessible to SOC teams of all sizes.
- The phishing landscape is evolving faster than traditional defenses. As attackers increasingly rely on client-side scripts, multi-stage redirects, and dynamic content injection, the ability to inspect browser-level behavior in real time is no longer a luxury—it is a fundamental requirement for effective phishing defense.
Prediction:
- +1 In-browser data inspection will become a standard feature across all major sandboxing and URL analysis platforms within 18–24 months, as competitive pressure forces vendors to close the browser-level visibility gap that currently exists in most security tools.
- +1 The integration of browser telemetry with SOAR and SIEM platforms will accelerate, enabling fully automated phishing triage pipelines that require minimal human intervention for 70–80% of alerts by 2027.
- -1 Attackers will respond by developing more sophisticated evasion techniques specifically designed to defeat browser-level inspection, including time-based payload delivery, geofencing, and CAPTCHA-protected phishing pages that only render for specific user agents or IP ranges.
- -1 Organizations that fail to adopt browser-level visibility will experience increasingly severe phishing breaches, as attackers shift their focus to targets with weaker investigative capabilities—creating a widening gap between security leaders and laggards.
- +1 The democratization of browser-level telemetry will enable smaller SOC teams to achieve investigative outcomes previously only possible for well-funded enterprises, leveling the playing field in the fight against phishing.
- +1 Threat intelligence sharing will improve as browser-level artifacts (DOM patterns, redirect chains, obfuscation techniques) become standardized indicators of compromise, enabling faster threat intelligence dissemination and more effective community defense.