How to Defang URLs, IP Addresses, & Email Addresses
When sharing suspicious or malicious URLs, IP addresses, and email addresses, you don’t want people to accidentally click those links. To prevent this, you defang the URLs or IP addresses, so that software doesn’t convert them into clickable links.
This is a good practice when sharing IoCs in cyber threat intelligence, and is useful in any area of InfoSec that involves sharing suspicious or malicious links.
When needed, URLs, IP addresses, and email addresses can be refanged (turned back into clickable links) by reversing the defanging process, manually or by using software.
How to Defang URLs
- Replace http(s) with hXXp(s): hXXps://malicious[.]com
- Replace (s)ftp(s) with (s)fXp(s): fXp://malicious[.]com
- Surround the period before the TLD with brackets (and optionally all periods): hXXps://nefarious.malicious[.]com
How to Defang IP Addresses
- Surround the final period with brackets (and optionally all periods): 103.56.53[.]120
How to Defang Email Addresses
- Replace @ with AT: nefariousATmalicious[.]com
- Surround the period before the TLD with brackets (and optionally all periods): nefarious.malevolentATmalicious[.]com
Don't Let the Nuts and Bolts of Threat Intel Trip You Up. Defang that URL! | Cyware | Blog
As cybersecurity and robust threat defense management comes to the forefront in the battle against cybercrime, there is…
Blocking Email Links: Why we use HXXP in emails
This practice, also known as URL defanging, is in use to discourage the clicking of links in emails. Many malicious…