Lesson 4.3

Let a Robot Click for You

12 minutes

When hovering and copying aren’t enough, and the URL looks plausible but you’re still not sure, there are services that will open the URL for you in a safe, isolated browser somewhere else on the internet and report back on what happens. They take the screenshots, record the network traffic, and capture any forms the page tried to show. You get to see what the URL does without your browser ever visiting it. These services are called sandboxes.

What a Sandbox Is

A sandbox is a server somewhere that opens URLs on your behalf, in an isolated browser inside a virtual machine, and reports back on the result. Screenshots of the landing page. A list of every external resource the page loaded. Any forms the page displayed. Any files the page tried to serve to the visitor. DNS lookups, HTTP headers, redirect hops, and a record of anything that would have executed in a real user’s browser. The point is that the sandbox takes the risk and gives you the report — your own browser, your own machine, and your own identity never go near the suspicious URL. If the page is malicious, the sandbox gets hit. You get the screenshot.

Three Sandboxes (Free, Web-Based)

All three are legitimate tools used by professional analysts. None requires installation or a paid account for basic use.

urlscan.io

Paste a URL into the search box, click Public Scan, and wait about 30 seconds. You get back a rich report: a screenshot of the rendered page, full HTTP headers, a list of every external resource loaded (images, scripts, fonts, API calls), a domain history (“this domain was first seen N days ago”), and an indicators tab flagging anything known-malicious. Free public scans are the default — note the word public: your URL and the full scan result become searchable by anyone on urlscan.io.

any.run

Originally a malware-focused sandbox for suspicious files — attachments, executables, documents — but it handles URLs too. Its distinctive feature is a live video recording of the sandbox session, so you can watch the fake login page render, watch the fake “loading” spinner, watch the form post credentials off to the attacker’s server. The free tier is limited to public interactive sessions but is sufficient for basic URL investigation.

Browserling

Less of a threat-intel tool, more of a quick cross-browser testing service that happens to double as a sandbox. Paste a URL, pick a browser and OS, and watch the page render in a remote virtual browser. Fewer indicators, less forensic detail, but it’s fast and useful when you just need to see what the page actually looks like before you judge it.

Walking Through a urlscan.io Scan

Here is the end-to-end flow for investigating a suspicious URL — for example, the spoofed Chase URL from our Lesson 3.2 header sample.

  1. Go to urlscan.io in your browser.
  2. Paste the suspicious URL into the search/scan box at the top of the page.
  3. Choose Visibility: Public is fine when the URL is generic phishing. Pick Unlisted or Private (requires a free account) if the URL contains identifying information like an email in a parameter, a session token, or an internal brand link you shouldn’t expose to search.
  4. Click Public Scan (or Unlisted/Private Scan).
  5. Wait roughly 30 seconds while the sandbox loads the page.
  6. When the report loads, open the Screenshot tab first. Is this the real Chase login, or is it a lookalike page that’s almost right but hosted on the wrong domain?
  7. Open the Domain tab and check the first seen date. A brand-new domain (registered days or weeks ago) claiming to be a major bank is a massive red flag — real banks’ domains are decades old.
  8. Open the Indicators tab and scan for anything flagged as known-malicious. urlscan cross-references public threat feeds; if your URL has been reported before, it’ll show up here.

Thirty seconds of work for a forensic-quality picture of where the URL actually leads.

Privacy Consideration

urlscan’s public scans are public. Anyone can search them. If your URL contains anything identifying — your email address in a URL parameter, an internal brand URL that reveals something about your employer, a session token, a unique tracking ID — use an Unlisted or Private scan (requires a free account) or pick a paid sandbox that doesn’t publish scans. When in doubt, redact sensitive parameters before pasting, or use Browserling or any.run’s non-indexed modes. The point of the sandbox is to protect you, not to leak your URL to the world.
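One way to do that redaction before pasting, as an added example that is not part of this lesson or of any of the sandboxes named above: the list of sensitive parameter names and the “long opaque string” token heuristic are assumptions, so extend them for your own environment. It strips identifying query values, e-mail addresses or tokens embedded in the path, and the URL fragment, and tells you which fields it removed so you can note that in your report without repeating the values.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Parameter names that often carry identifying data. This list is an
# assumption for this example, not something urlscan.io publishes.
SENSITIVE_KEYS = {"email", "e", "user", "uid", "token", "session", "sid",
                  "id", "tid", "tracking", "auth", "key", "utm_source"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Long opaque strings containing at least one digit are treated as
# tokens or tracking IDs (heuristic; over-redaction is the safe failure).
TOKEN_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9+/_=-]{20,}$")


def _looks_identifying(value: str) -> bool:
    value = unquote(value)  # match against the decoded form, e.g. %40 -> @
    return bool(EMAIL_RE.match(value) or TOKEN_RE.match(value))


def redact_url(url: str) -> tuple[str, list[str]]:
    """Return the URL with identifying parts replaced by REDACTED, plus
    a list naming what was redacted (parameter names or 'path')."""
    parts = urlsplit(url)
    redacted: list[str] = []

    # Path segments: tokens or e-mail addresses embedded in the path.
    segments = []
    for seg in parts.path.split("/"):
        if _looks_identifying(seg):
            segments.append("REDACTED")
            redacted.append("path")
        else:
            segments.append(seg)

    # Query parameters: redact by name, or by the shape of the value.
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or _looks_identifying(value):
            query.append((key, "REDACTED"))
            redacted.append(key)
        else:
            query.append((key, value))

    # The fragment is dropped entirely: the sandbox's target server never
    # receives it anyway, and it is a common place for tokens to hide.
    clean = parts._replace(path="/".join(segments),
                           query=urlencode(query), fragment="")
    return urlunsplit(clean), redacted
```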

When to Stop Investigating

If the sandbox confirms the URL is serving malware, harvesting credentials, or impersonating a known brand — stop investigating and escalate. You’ve confirmed the threat. Your forensic job ends the moment you have enough evidence to report. Further digging — reverse-engineering the malware payload, tracing the attacker’s infrastructure, identifying the campaign — is a SOC analyst’s job, not yours. Your value to the response process is the report you hand in: the URL, the screenshots, the sandbox verdict. Not the deep-dive. You will slow down the people who need the evidence if you sit on it trying to learn more.

Your training told you “never click suspicious links.” Great advice. Here’s what you can do instead of nothing: let a robot click for you, in a place where it can’t hurt you.

Key Takeaways

  1. A sandbox is a web service that opens URLs in an isolated remote browser and reports back on screenshots, resources loaded, and indicators of malice — so you don’t have to visit the URL yourself.
  2. Three free options: urlscan.io (best for threat intel and indicators), any.run (best for live-recorded interaction), Browserling (best for a quick “just show me the page”).
  3. urlscan public scans are public — use Unlisted or Private scans if the URL contains anything identifying.
  4. Once the sandbox confirms the threat, escalate, don’t dig deeper. Your value is in the report, not in reverse-engineering.