How to Defang URLs, IP Addresses, & Email Addresses

When sharing suspicious or malicious URLs, IP addresses, and email addresses, you don’t want people to accidentally click those links. To prevent this, you defang the URLs or IP addresses, so that software doesn’t convert them into clickable links.

This is a good practice when sharing IoCs in cyber threat intelligence, and is useful in any area of InfoSec that involves sharing suspicious or malicious links.

When needed, URLs, IP addresses, and email addresses can be refanged (turned back into clickable links) by reversing the defanging process, manually or by using software.

Photo by Balaji Malliswamy on Unsplash

How to Defang URLs

• Replace http(s) with hXXp(s): hXXps://malicious[.]com
• Replace (s)ftp(s) with (s)fXp(s): fXp://malicious[.]com
• Surround the period before the TLD with brackets (and optionally all periods): hXXps://nefarious.malicious[.]com

You can use CyberChef’s Defang URL operation to defang URLs in bulk. Thanks to Jonathan Braley for pointing this out.

How to Defang IP Addresses

• Surround the final period with brackets (and optionally all periods): 103.56.53[.]120

You can use CyberChef’s Defang IP Addresses operation to defang URLs in bulk. Thanks to Jonathan Braley for pointing this out.

How to Defang Email Addresses

• Replace @ with AT: nefariousATmalicious[.]com
• Surround the period before the TLD with brackets (and optionally all periods): nefarious.malevolentATmalicious[.]com

Additional Resources

Don't Let the Nuts and Bolts of Threat Intel Trip You Up. Defang that URL! | Cyware | Blog

Blocking Email Links: Why we use HXXP in emails

IOC Fang: Indicator of Compromise (De)Fanging Project