Phishing Prevention 101: Where to Sandbox Suspicious Links

By Investigator515 | Investigator515 | 9 Jun 2023


We’ve all been told to not click suspicious links…but what do you do when one hits your inbox?

Today’s article will be short, concise and straight to the point. We’ve spoken about how we like to provide tools and resources to people to assist in keeping them safe online. And we’ll continue to keep doing this, that’s exactly why we’re building our website. But if you’re an internet dweller unfortunately, you won’t have to wait long for suspicious looking links to start hitting your inbox. And if you use a smartphone, chances are it’s going to be even worse. 

Now the Cybersecurity advice is pretty clear in regards to this. Don’t click it! But sometimes clicking the link is simply unavoidable. Maybe it came from someone you know. Maybe you need or are expecting that attachment. Maybe you did it accidentally. Rather than comprising your machine entirely however, did you know there are ways to safely and easily check suspicious links and attachments with out putting your machine at risk?

It’s called Sandboxing and today we’ll give you an explanation on what it is, how it works and give you 4 sites with web interfaces that can quickly assist you to do this. But first, its over to the electronic brain for a quick assessment on the how’s and why’s of sandboxing. Chat GPT, Go!


Input: Explain Sandboxing and be detailed on why it’s important for cybersecurity and Phishing prevention

Output: Sandboxing is a technique used in cybersecurity to isolate potentially malicious or suspicious files, applications, or processes within a controlled and secure environment called a “sandbox.” The sandbox provides a virtualized or isolated environment where these files or programs can be executed and analyzed without posing any risk to the underlying system or network.

The primary purpose of sandboxing is to prevent malware, viruses, and other types of cyber threats from infecting the host system or network. Here’s how it works:

1. Isolation: Sandboxing involves executing untrusted files or programs in an isolated environment separate from the production network or user’s machine. This isolation prevents any malicious activities from affecting the underlying system.

2. Controlled environment: The sandbox is designed to mimic the real system environment, allowing the suspicious files or applications to run as they would on a regular system. This controlled environment allows security analysts or automated systems to observe and monitor the behavior of the file or application without risking the system’s integrity.

3. Behavior analysis: Once the file or application is executed within the sandbox, its behavior is closely monitored and analyzed. This includes tracking system calls, network activity, file modifications, registry changes, and any other interactions with the operating system. By observing these actions, security analysts can determine whether the file or application is malicious or exhibits suspicious behavior.

4. Detection and prevention: Sandboxing helps in detecting and preventing various types of cyber threats, including malware, ransomware, trojans, and phishing attacks. The behavior analysis within the sandbox can reveal indicators of compromise (IOCs) or malicious patterns that are characteristic of known threats. This information can be used to develop signatures or behavioral rules to detect and block similar threats in the future.

Now, let’s focus on the importance of sandboxing for phishing prevention:

1. Phishing threats: Phishing attacks are one of the most common and dangerous forms of cyber threats. They involve tricking users into revealing sensitive information like passwords, credit card details, or social security numbers by impersonating legitimate entities. Phishing attacks often use malicious files or URLs embedded in emails, websites, or attachments. Sandboxing can be utilized to safely open and analyze such suspicious files or URLs within an isolated environment, mitigating the risk of the phishing attack being successful.

2. URL analysis: Sandboxing can be used to analyze the behavior of URLs by visiting them within the sandboxed environment. This helps in identifying malicious websites that may be part of a phishing campaign. The sandbox can monitor the network activity, interactions with the website, and potential attempts to download or execute harmful files, giving security analysts insight into the website’s intent and identifying potential phishing attempts.

3. Malicious attachments: Phishing emails often contain malicious attachments such as infected documents, executable’s, or scripts. By executing these attachments within a sandbox, security analysts can observe their behavior and determine if they exhibit malicious actions like attempting to modify system files, connect to suspicious IP addresses, or launch unauthorized processes. This analysis helps in identifying and preventing phishing attacks that rely on malicious attachments.

4. Zero-day threats: Zero-day vulnerabilities are software vulnerabilities that are unknown to the software vendor or have no available patch. Attackers often exploit these vulnerabilities to carry out sophisticated phishing attacks. By executing suspicious files or applications within a sandbox, security analysts can detect potential zero-day threats by monitoring their behavior and identifying any anomalous or malicious actions that could indicate an unknown vulnerability or attack technique.

In summary, sandboxing is crucial for cybersecurity and phishing prevention as it provides a safe and controlled environment to analyze and detect malicious files, URLs, and attachments. By closely monitoring the behavior of these entities within the sandbox, security analysts can identify and mitigate potential threats, including phishing attacks, thereby protecting the integrity and security of systems and networks.


That looks pretty clear. So sandboxing basically gives us the opportunity to inspect directions, actions and threats linked to risky activity, in an environment that’s controlled, contained and generally low risk to the user. That sounds perfect for a secure, privacy conscious user like ourselves (and our readers). Now let’s have a look and see where we can find them. 


Launched in 2006, Phishtank gives users a safe environment for sandboxing and a community focused voice on whats malicious and whats not. Users submit their own Phishes and the community interacts with these submissions. Phishtank even has an API that can be used to implement anti phishing utilities into applications with little trouble. 

Phishtank can be found here

1*UcIuINqhZuEdTGO4OjO5BA.png PhishTank: Phishing protection available in your browser. 


Virus total differs from phishtank in that it allows users to submit files as well as URL’s. It has an active community and a well deserved reputation as an essential tool for cyber professionals. It’s also a little easier for beginners to use and navigate and like Phishtank has API access available to professionals, allowing partial automation of threat hunting and assessment. Check it out here

1*HUFlL2baIbraqD14-sNlXQ.png Virus Total

SafeBrowsing by Google:

Safebrowsing is a vast resource supplied by Google. Originating to secure Android devices, Safebrowsing now services over 5 billion devices each day, providing malware alerts, domain reputation and other diagnostic tools to its users. Google also provides enhanced safebrowsing which gives live, real time assessment of Malware, and phishing links and also includes the ability to provide real time protection to entire Google accounts, or specific individual parts of the google software packagle, like Gmail, Chrome and the like. 
If you have an android phone or are a Google products user you should see if safe browsing can provide extra protection to your device and accounts. Find it here

1*xb6T9d7OgGV0gxzrI3NU8w.png Safe Browsing can be an extremely useful tool for Google Product users.  1*Uv6iCBdajq-aBY95JKceCQ.png URLQuery is a simple usable anti phishing site with a good web interface

UrlQuery is quite similar to VirusTotal however with a much simpler albeit more limited web interface. Looking at the activity that a link induces will quickly give the user an idea of who they are dealing with. Additionally, it will provide a reputation score and information on which antivirus software has flagged the link and why. Like the other providers we’ve listed in this article there’s also an API available to power users, allowing automation for those who require it and there’s even a limited ability to tie the package in with intrusion detection systems giving real time threat analysis and protections. Check it out here

In Closing:

While it’s hard to eliminate all suspicious links, users can easily increase their online safety by using these sandboxing services when required. While it’s good practice to simply ignore suspicious links and correspondence, the ability to use sandboxing or reputation assesment services can give you an edge in assessing risks accurately and protecting your machine. While the layered approach to security tends to be the most popular, it’s often too easily forgotten that each layer should provide re enforcement to the others, working in harmony to protect networks devices and users. While the use of sandboxes is by no means a silver bullet approach in terms of risk mitigation, knowing how and when to use these services can turn a well crafted phishing attempt into a complete waste of time for the offender. Which is exactly how it should be. 

If you’d like to support us on medium you can join as a member here 

If you’d like free crypto for reading our content, join publish0x here

And if you’d like to recieve our latest content across all platforms, follow our telegram here



How do you rate this article?


Investigator515 Verified Member

I'm a professional investigator and osint analyst. I write on varying topics, usually based around cybersecurity, open source intelligence and counter surveillance and more. Follow our telegram channel for the latest blog posts:


We write about cybersecurity, technology, managing your privacy and open source intelligence. We're passionate about giving people the tools they need to feel empowered by technology, not overwhelmed. Did we also mention we're straight up nerds at heart? Get the latest information on blog posts and production information via our telegram:

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.