Tags: URL analysis, phishing links, sandbox, threat intelligence, safe analysis

How to Analyse a Suspicious Email Link Without Getting Hacked

Cyber121 Team
The Cyber121 team is a group of cybersecurity practitioners building community tools, training resources, and threat intelligence for security professionals.
April 2, 2026 · 7 min read

Receiving a suspicious email with an embedded link puts you in a difficult position: you need to determine whether it is malicious, but investigating it carelessly could compromise your device or network. This guide covers the safe techniques security analysts use to evaluate suspicious URLs without exposure.

The Golden Rule: Never Click Directly

The first principle of suspicious link analysis is to never click the link directly from your primary device or network. Even visiting a phishing page can trigger drive-by download exploits, browser fingerprinting, or credential pre-filling attacks.

Step 1: Extract the Raw URL

Before analysing anything, extract the actual URL. In most email clients, you can right-click a hyperlink and select "Copy link address" to get the raw URL without visiting it.

Be aware that:

  • The displayed text and the actual URL are frequently different
  • URLs may be wrapped by your email security gateway (e.g., https://safelinks.protection.outlook.com/?url=...)
  • URLs may be shortened (bit.ly, tinyurl, etc.)

Decode any URL-encoded characters (e.g., %2F = /, %40 = @) to see the actual destination.
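The unwrapping and decoding described in this step can be done offline, without contacting any host. The following Python example is added here and is not part of the original article: it strips a known gateway wrapper (the Safe Links `url=` parameter mentioned above), percent-decodes repeatedly to defeat double encoding, and then compares where the link really points with what its display text claims. The wrapper and shortener host lists and the sample links are constructed for the example; `analyse_link` and the other function names are assumptions, not any tool's API.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed lists for this example: gateway hosts that wrap links and the
# query parameter carrying the real destination, plus common link shorteners.
GATEWAY_WRAPPERS = {
    "safelinks.protection.outlook.com": "url",
}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}


def unwrap_gateway(url: str) -> str:
    """Return the wrapped destination if `url` is a known gateway link, else `url`."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    param = GATEWAY_WRAPPERS.get(host)
    if param:
        inner = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes values
        if inner:
            return inner[0]
    return url


def normalise(url: str) -> str:
    """Strip gateway wrappers (possibly nested) and fully percent-decode."""
    seen = set()
    while url not in seen:          # stop once unwrapping changes nothing
        seen.add(url)
        url = unwrap_gateway(url)
    previous = None
    while previous != url:          # repeat: double encoding is a common evasion
        previous, url = url, unquote(url)
    return url


def display_host(text: str) -> Optional[str]:
    """Hostname the link *text* claims to point at, or None if it is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host and " " not in host else None


def analyse_link(href: str, display_text: str) -> dict:
    """Resolve where a link really points and list the red flags found."""
    final = normalise(href)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    findings = []
    if "@" in parsed.netloc:
        # Everything before '@' is userinfo; the browser connects to what follows it.
        findings.append(f"userinfo before '@': browser will connect to {host}, "
                        f"not to {parsed.netloc.split('@')[0]}")
    claimed = display_host(display_text)
    if claimed and claimed.lower() != host:
        findings.append(f"display text shows {claimed} but link goes to {host}")
    if host in SHORTENER_HOSTS:
        findings.append("shortened link: expand it in a sandbox, not locally")
    if final != href:
        findings.append("link was wrapped or encoded; analysed the decoded form")
    return {"final_url": final, "host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a Safe Links wrapper around a link that uses the
    # userinfo trick, shown as text that claims to go to the bank's own site.
    wrapped = ("https://safelinks.protection.outlook.com/?url="
               "https%3A%2F%2Fexample-bank.com%40203.0.113.5%2Flogin&data=05")
    for line in analyse_link(wrapped, "https://example-bank.com/login")["findings"]:
        print("-", line)
```

Run it on the copied link address and the visible link text; every finding is a reason to continue with the checks in the following steps rather than to open the link.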

Step 2: Check the URL Against Threat Intelligence Feeds

Before visiting any URL, check it against known malicious URL databases:

| Tool | What It Checks |
| --- | --- |
| VirusTotal | 70+ antivirus and URL scanning engines |
| Google Safe Browsing | Google's malware and phishing database |
| URLhaus | Malware distribution URLs |
| PhishTank | Community-verified phishing URLs |
| Cyber121 Phishing Analyser | DNS blacklists, domain age, SPF/DKIM/DMARC, AI verdict |

If any tool flags the URL as malicious, treat it as confirmed phishing and report it immediately.

Step 3: Analyse the Domain

Even if the URL is not yet in threat intelligence databases (new phishing infrastructure is often not), you can assess the domain itself:

Check Domain Registration Age

Newly registered domains (less than 30–90 days old) sending email from major brands are inherently suspicious. Use WHOIS lookup tools or the Cyber121 Phishing Analyser to check the registration date.

Verify DNS Records

Check whether the domain has legitimate email infrastructure:

```bash
dig +short TXT example.com           # SPF record (starts with v=spf1)
dig +short TXT _dmarc.example.com    # DMARC record (starts with v=DMARC1)
dig +short MX example.com            # Mail servers
```

A domain with no SPF, no DMARC, and no MX records is unlikely to be a legitimate business.
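To turn those three lookups into a repeatable check, the Python example below (added here; not part of the original article) parses `dig +short` style output, finds the SPF and DMARC records, and scores the domain along the lines the paragraph describes, also flagging the weak-but-present cases (`+all` in SPF, `p=none` in DMARC). The record text is passed in as strings, so the sample runs offline; the sample outputs are constructed and the function names are assumptions.

```python
import re


def records_from_dig_short(output: str) -> list:
    """Turn `dig +short` output into plain record strings.

    TXT records print as one or more quoted segments per line
    (e.g. "v=spf1 ..." "-all"); the segments are concatenated as the
    SPF specification requires. MX and other records print unquoted and are kept as-is."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        segments = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append("".join(segments) if segments else line)
    return records


def find_spf(txt_records):
    """First TXT record that is an SPF record, or None."""
    return next((r for r in txt_records if r.lower().startswith("v=spf1")), None)


def find_dmarc(txt_records):
    """DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'reject'}) or None."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_mail_posture(root_txt: str, dmarc_txt: str, mx: str) -> dict:
    """Score a domain's mail infrastructure from the three dig outputs."""
    spf = find_spf(records_from_dig_short(root_txt))
    dmarc = find_dmarc(records_from_dig_short(dmarc_txt))
    mx_records = records_from_dig_short(mx)
    missing, findings = 0, []
    if spf is None:
        missing += 1
        findings.append("no SPF record")
    elif spf.lower().rstrip().endswith("+all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    if dmarc is None:
        missing += 1
        findings.append("no DMARC record")
    elif dmarc.get("p", "").lower() == "none":
        findings.append("DMARC policy is p=none: spoofed mail is not rejected")
    if not mx_records:
        missing += 1
        findings.append("no MX records")
    if missing == 3:
        verdict = "no mail infrastructure: unlikely to be a legitimate business"
    elif findings:
        verdict = "weak mail posture: treat with suspicion"
    else:
        verdict = "mail infrastructure present and enforced"
    return {"spf": spf, "dmarc": dmarc, "mx": mx_records,
            "findings": findings, "verdict": verdict}


# Constructed sample outputs (not real lookups) in the shape `dig +short` prints.
LEGIT_ROOT_TXT = '"v=spf1 include:_spf.example.net " "-all"\n"google-site-verification=abc123"\n'
LEGIT_DMARC_TXT = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"\n'
LEGIT_MX = "10 mail1.example.com.\n20 mail2.example.com.\n"

if __name__ == "__main__":
    print(assess_mail_posture(LEGIT_ROOT_TXT, LEGIT_DMARC_TXT, LEGIT_MX)["verdict"])
    print(assess_mail_posture("", "", "")["verdict"])
```

In practice you would feed it the captured output of the three `dig` commands above; a domain that scores "no mail infrastructure" while the email claims to come from an established brand is a strong signal on its own.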

Check SSL Certificate

Use crt.sh to view the SSL certificate history for a domain. Phishing domains often have certificates issued within days of the campaign launch.

Step 4: Use a URL Sandbox

If you need to see what the URL actually does without visiting it from your device, use an online sandbox:

SandboxCapability
urlscan.ioScreenshots, redirect chain, DOM analysis, network requests
Any.runInteractive malware sandbox with full browser simulation
Joe SandboxAdvanced behavioural analysis
BrowserlingLive browser in an isolated environment

urlscan.io is the most useful for phishing analysis — it takes a screenshot of the landing page, shows the full redirect chain, and lists all network requests made by the page, often revealing credential harvesting endpoints.

Step 5: Inspect the Page Source (If Necessary)

If you need to go deeper, you can retrieve the raw HTML of a suspicious page without executing any JavaScript:

```bash
# -L follows redirects, -A sets a browser-like User-Agent so the page is served,
# -o saves the HTML to disk instead of rendering it. Run this from an isolated host.
curl -L -A "Mozilla/5.0" "https://suspicious-url.com" -o page.html
```

Look for:

  • Form fields with action attributes pointing to attacker-controlled endpoints
  • JavaScript that exfiltrates data
  • Credential pre-filling code
  • Redirect scripts
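Reading a saved `page.html` by eye is slow; a static parser can pull out the four items in the list above without rendering the page or executing any script. The Python example below is added here and is not part of the original article: it uses the standard-library `html.parser` to record form targets (flagging those on a different host than the page), external script sources, `meta refresh` redirects, password fields and pre-filled text/email inputs. The sample HTML is a constructed lure page using reserved `.example` hostnames; `inspect_html` and the class name are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class StaticPageInspector(HTMLParser):
    """Collect form targets, external scripts, redirects and pre-filled inputs
    from HTML without rendering it or running any script."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.forms = []             # {"action": ..., "external": bool}
        self.external_scripts = []  # script src on another host
        self.redirects = []         # meta refresh targets
        self.password_fields = 0
        self.prefilled_inputs = []  # names of text/email inputs with a value set

    def _host(self, url: str) -> str:
        return (urlparse(url).hostname or "").lower()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            action = urljoin(self.page_url, a.get("action", ""))
            self.forms.append({"action": action,
                               "external": self._host(action) != self.page_host})
        elif tag == "input":
            kind = a.get("type", "text").lower()
            if kind == "password":
                self.password_fields += 1
            elif kind in ("text", "email") and a.get("value"):
                self.prefilled_inputs.append(a.get("name", "?"))
        elif tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if self._host(src) != self.page_host:
                self.external_scripts.append(src)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip().strip("'\"")
                self.redirects.append(urljoin(self.page_url, target))


def inspect_html(page_url: str, html: str) -> dict:
    """Parse the saved page and return structured results plus red flags."""
    p = StaticPageInspector(page_url)
    p.feed(html)
    p.close()
    findings = []
    for form in p.forms:
        if form["external"]:
            findings.append(f"form posts to another host: {form['action']}")
    if p.password_fields and any(f["external"] for f in p.forms):
        findings.append("password field submitted off-site: credential harvesting")
    if p.prefilled_inputs:
        findings.append("inputs pre-filled with victim data: " + ", ".join(p.prefilled_inputs))
    for src in p.external_scripts:
        findings.append(f"external script loaded: {src}")
    for target in p.redirects:
        findings.append(f"meta refresh redirect to: {target}")
    return {"forms": p.forms, "external_scripts": p.external_scripts,
            "redirects": p.redirects, "password_fields": p.password_fields,
            "prefilled_inputs": p.prefilled_inputs, "findings": findings}


# Constructed sample: a saved lure page, not a real site. Hosts use reserved names.
SAMPLE_URL = "https://login-portal.example/secure"
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="30; url=https://real-bank.example/">
<script src="https://cdn.tracker.example/t.js"></script>
</head><body>
<form method="post" action="https://collector.example/post.php">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="pw">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for line in inspect_html(SAMPLE_URL, SAMPLE_HTML)["findings"]:
        print("-", line)
```

Point it at the file `curl` saved (`inspect_html(url, open("page.html").read())`). Inline JavaScript that builds the form or exfiltrates data at runtime will not show up in a static pass like this; that is what the sandbox in Step 4 is for.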

Step 6: Document Your Findings

For any investigation that may require escalation or reporting, document:

  • The original URL and any redirects
  • Domain registration date and registrar
  • Hosting IP address and ASN
  • Threat intelligence verdicts
  • Screenshot of the landing page (from sandbox)
  • Any IOCs (domains, IPs, URLs) for blocking

The Cyber121 Phishing Investigation Toolkit includes a pre-built Excel IOC tracker with fields for all of the above, plus automated risk scoring.

What to Do After Analysis

If confirmed phishing:

  1. Do not click the link from any production device
  2. Block the domain and IP at your email gateway and firewall
  3. Report to your security team and submit to threat intelligence feeds (PhishTank, Google Safe Browsing)
  4. If the email impersonates a legitimate brand, report to that brand's abuse team
  5. Notify affected users if the email was distributed internally

If inconclusive: Treat it as suspicious and apply the precautionary principle — block it and monitor for related activity.


Published by the Cyber121 team. Cyber121 is a cybersecurity community platform providing free security tools, CVE intelligence, and professional training resources.
