Instant URL Analysis: Use Safebrowsing via ANY.RUN’s Extension

Instant URL Analysis: Use Safebrowsing via ANY.RUN’s Extension

/in

Phishing attempts, malicious redirects, and hidden malware can lurk in seemingly harmless links, putting your company’s data and systems at risk. To streamline threat detection and response, ANY.RUN has upgraded its browser extension, making the Safebrowsing feature free for all users. 

How Safebrowsing Works in ANY.RUN’s Extension 

The Welcome screen of ANY.RUN’s browser extension 

Safebrowsing from ANY.RUN provides a fully functional browser, allowing users to interact with potential threats safely. This is especially useful for investigating multi-stage phishing attacks and CAPTCHA-based fraud.  

Now, security teams can quickly analyze suspicious URLs without extra steps and launch analysis in ANY.RUN’s Safebrowsing instantly. This eliminates the hassle of copying and pasting links into the platform manually, making security investigations faster and more efficient! 

Most importantly, it’s completely free! 

How to Use Safebrowsing for Free 

ANY.RUN’s Safebrowsing feature is now available for all users at no cost—all you need is a registered account to start analyzing suspicious links instantly. 

  1. Install the ANY.RUN browser extension 
Safebrowsing extension inside the right-click menu 
  1. Right-click on any suspicious link 
  1. Select “Safebrowsing” to launch an instant analysis 

How Safebrowsing Helps Agasinst Cyber Attacks 

With the updated extension, businesses can take advantage of Safebrowsing’s capabilities to: 

Check suspicious links with a single click: No need to manually copy and paste URLs into the sandbox. Simply use the Safebrowsing option from your browser’s right-click menu, and the link will open in an isolated environment. 

Speed up threat analysis: The extension streamlines the process, allowing security teams to quickly assess a link’s behavior in a full-size virtual browser without interacting with the page on their own system. 

Ensure safe link browsing for employees: By testing unknown URLs in an isolated virtual browser before opening them on company devices, businesses can prevent malware infections, credential theft, and phishing attacks. 

Equip your security team with instant URL analysis 
Install ANY.RUN’s browser extension 



Try it now


Don’t have an ANY.RUN account yet? Sign up now.

Use Cases for Safebrowsing 

With Safebrowsing, security analysts can interact with the entire attack chain, observe network activity, and uncover hidden threats in a controlled environment. 

Multi-Stage Phishing Analysis 

In the following Safebrowsing example, we analyze a phishing attempt disguised as a TransferNow link — a free file transfer service that allows sending large documents up to 250GB. 

View Safebrowsing analysis session 

Right-clicking on the suspicious link instantly opens it in ANY.RUN’s isolated browser, eliminating the need to copy and paste URLs manually. 

The link leads to a fake TransferNow page, appearing to offer a free document download. After clicking the download file button, a PDF file opens instead. 

Transfernow page with malicious file 

The PDF mimics a SharePoint document, prompting the user to download yet another file. This staged approach is a common tactic in phishing schemes, forcing users into a series of seemingly harmless steps to lower suspicion. 

Malicious document displayed inside Safebrowsing 

Once the second file is downloaded, a Microsoft sign-in page appears. However, after closer inspection, we see that the URL has no connection to Microsoft. This is a clear indicator of a fraudulent attempt to steal login credentials. 

Fake Microsoft login page 

Additional red flags include a broken favicon, which often signals a hastily put-together phishing page lacking proper hosting configurations. 

CAPTCHA-Based Fraud Investigation 

Cybercriminals use CAPTCHA barriers to block automated scanners while still targeting real users. Safebrowsing lets you bypass these obstacles with automated interactivity and analyze what’s behind the CAPTCHA wall. 

View attack analysis inside Safebrowsing 

Suspicious link opening inside ANY.RUN’s Safebrowsing 

For this example, a suspicious link is right-clicked, and the “Safebrowsing” option is selected. The link automatically opens inside the Safebrowsing service, saving time and streamlining the investigation. 

The link initially loads a Cloudflare “Verify You’re Human” CAPTCHA page, a tactic often used to evade automated scanning tools. 

Cloudflare verification required to proceed 

After passing the CAPTCHA, the page redirects to what appears to be a Google login page. However, upon closer inspection, the URL is fake, having no connection to Google. 

Fake Google login page inside Safebrowsing 

Another major red flag is the broken Google favicon, a common sign of a poorly cloned phishing site. Legitimate websites rarely have favicon issues, making this a simple yet effective phishing indicator. 

The Network Inspector, located in Safebrowsing’s upper-right corner of the screen, provides a detailed view of network connections, HTTP requests, and potential threats triggered by Suricata rules.  

Network Inspector inside Safebrowsing 

This feature allows analysts to monitor outgoing and incoming traffic, inspect request headers and payloads, and identify malicious activity in real time.  

By using Suricata-based detection, security teams can quickly spot anomalies, detect exploit attempts, and track threat actor infrastructure, making network analysis faster and more effective.

Phishing domain triggered by Suricata rule 

These cases demonstrate how Safebrowsing allows businesses to quickly expose phishing schemes, track multiple attack stages, and analyze network behavior, all without putting corporate infrastructure at risk. 

Sandbox Analysis with the Extension 

For businesses and security teams, the full version of the extension offers even more powerful capabilities. Beyond Safebrowsing, users can launch analysis sessions inside ANY.RUN’s Interactive Sandbox to access: 

  • File and Link Analysis: Analyze files and links on fully interactive Windows (7-11 version) cloud virtual machines (VMs). 
  • Comprehensive Threat Reports: Generate detailed threat reports in JSON, MISP, and HTML formats, including IOCs and malware configurations. 
  • Malicious Behavior Monitoring: Observe samples’ malicious behavior and study tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK Matrix. 
  • Customizable Settings: Adjust settings for system reboot, locale selection, and network features like MITM proxy and FakeNET. 
  • Extended Analysis: Run VMs for up to 1200 seconds for in-depth analysis. 

To utilize the sandbox functionality via the extension, you will need an active Hunter or Enterprise subscription. Each analysis session launched through the extension counts towards your API quota. 

Access all features of ANY.RUN’s Interactive Sandbox 



Get 14-day free trial


Conclusion 

With these enhanced features, security teams can streamline their workflow, uncover hidden threats, and improve detection accuracy, all from within their browser. Install ANY.RUN’s extension now to try it right away! 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Instant URL Analysis: Use Safebrowsing via ANY.RUN’s Extension appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More