July 11, 2026
Investigating a Phishing Email Like a SOC Analyst — Part 4: URL Analysis
Phishing emails often rely on malicious links rather than malicious attachments. Attackers attempt to convince users to click a hyperlink…
By Najeebparkar
3 min read
Phishing emails often rely on malicious links rather than malicious attachments. Attackers attempt to convince users to click a hyperlink that redirects them to credential harvesting pages or malware-hosting websites.
In this investigation, I analyzed the embedded URL inside a phishing email impersonating Chase Bank. Instead of clicking the link directly, I followed a safe SOC investigation methodology to determine whether the URL was legitimate or malicious.
Initial Observation
The email claimed to be from Chase Bank and informed the recipient that their bank account had been blocked because of unusual activities.
The email attempted to create urgency by asking the user to immediately reactivate their account.
A large button was displayed with the text:
Reactivate Your Account
Creating panic and urgency is one of the most common social engineering techniques used in phishing campaigns.
Step 1 — Inspecting the Email Source
Rather than clicking the button, I just move my cursor over it and it shows me actual link.
Inside the source, I located the hyperlink associated with the Reactivate Your Account button.
The URL appeared to be encoded using Quoted-Printable encoding, which is commonly used for formatting HTML emails.
The encoded hyperlink looked like this:
https://dsgo.to/CQECQECnpqY3NDSGtODt9ft2qtxzcXGU...https://dsgo.to/CQECQECnpqY3NDSGtODt9ft2qtxzcXGU...Immediately, one thing stood out.
The domain was:
dsgo.to
which has absolutely no relation to Chase Bank.
Legitimate Chase emails normally redirect users to official domains such as:
- chase.com
- secure.chase.com
This immediately raised suspicion.
Step 2 — Decoding the URL
Since the email used Quoted-Printable encoding, I needed to decode it before continuing the investigation.
To do this safely, I used CyberChef.
CyberChef is one of the most useful tools for SOC analysts because it allows encoded data to be decoded without executing any potentially malicious content.
After decoding the email, the embedded URL remained:
This confirmed that the hyperlink genuinely pointed to an unrelated domain.
Step 3 — Safe Website Analysis
At this stage, I had enough evidence to suspect the link was malicious.
However, clicking the URL directly would expose my system to unnecessary risk.
Instead, I used URLScan.io.
URLScan visits websites inside an isolated sandbox and provides valuable information such as:
- Page screenshots
- Redirect chains
- Requested resources
- Network activity
- Domain information
- Security observations
This allows analysts to inspect suspicious websites without opening them in a local browser.
Step 4 — Reviewing the Website Screenshot
After submitting the decoded URL to URLScan.io, the generated screenshot immediately revealed another major indicator.
The webpage looked nothing like an official Chase Bank portal.
There was:
- No Chase branding
- No official Chase logo
- No Chase login page
- No legitimate banking interface
Instead, the website appeared completely unrelated to the organization that the email claimed to represent.
This confirmed that the email was attempting to deceive recipients into trusting an unrelated website.
Indicators of Phishing
Several phishing indicators were identified during the investigation:
- The hyperlink pointed to an unrelated domain (dsgo.to).
- The URL was encoded to make manual inspection more difficult.
- The email attempted to create urgency using account suspension warnings.
- URLScan confirmed that the destination page had no connection with Chase Bank.
Each of these indicators significantly increased confidence that the email was malicious.
Security Best Practices Followed
Throughout the investigation, I avoided interacting with the malicious infrastructure directly.
Instead, I followed safe SOC investigation practices by:
- Inspecting the HTML source instead of clicking links.
- Decoding the URL using CyberChef.
- Analyzing the destination safely using URLScan.io.
- Comparing the destination domain with the legitimate organization's domain.
- Verifying the webpage through screenshots rather than visiting it locally.
This workflow allowed the investigation to be completed without exposing the investigation machine to risk.
Final Verdict
Based on the collected evidence, this email was confirmed to be a credential phishing attack.
Although the email impersonated Chase Bank, the embedded hyperlink redirected victims to an unrelated domain that had no affiliation with the organization.
The attacker relied on social engineering, urgency, and deceptive hyperlinks to trick recipients into interacting with a fraudulent website.
Key Takeaways
This investigation reinforced several important lessons for phishing analysis:
- Never trust the text displayed on a button or hyperlink.
- Always inspect the actual destination URL.
- Decode encoded email content before analysis.
- Use sandbox services such as URLScan.io to safely inspect suspicious websites.
- Verify that domains belong to the organization being impersonated.
- Even professionally designed phishing emails often expose themselves through their URLs.
By following a structured URL analysis methodology, I was able to safely identify the phishing attempt without interacting directly with the attacker's infrastructure.