Why Automate Defanging
In security operations, analysts frequently encounter potentially malicious URLs in emails, logs, and threat intelligence feeds. Manually defanging URLs (replacing characters to prevent accidental clicks) is tedious and error-prone. Automation increases efficiency, reduces human error, and improves consistency across the organization.
Basic Automation Approaches
Python Script for Batch Defanging:
import re
def defang_url(url):
"""Convert URL to defanged format"""
defanged = url.replace('http://', 'hxxp://')
defanged = defanged.replace('https://', 'hxxps://')
defanged = defanged.replace('.', '[.]')
return defanged
def refang_url(defanged):
"""Convert defanged back to normal"""
refanged = defanged.replace('hxxp://', 'http://')
refanged = refanged.replace('hxxps://', 'https://')
refanged = refanged.replace('[.]', '.')
return refanged
# Process bulk URLs
urls = [
"https://malicious.example.com/payload",
"http://phishing.domain.com/login",
"https://attacker.net/c2/command"
]
for url in urls:
print(defang_url(url))
# Output:
# hxxps://malicious[.]example[.]com/payload
# hxxp://phishing[.]domain[.]com/login
# hxxps://attacker[.]net/c2/command
Bash Script with sed:
#!/bin/bash
# Bulk defang URLs from a file
INPUT_FILE="$1"
OUTPUT_FILE="${INPUT_FILE%.txt}_defanged.txt"
cat "$INPUT_FILE" | \
sed 's/https:\/\//hxxps:\/\//g' | \
sed 's/http:\/\//hxxp:\/\//g' | \
sed 's/\./[.]/g' > "$OUTPUT_FILE"
echo "Defanged URLs saved to $OUTPUT_FILE"
Integration with Email Security
Email Parser with Automatic Defanging:
import email
from email import policy
import re
def extract_and_defang_urls(message_content):
"""Extract URLs from email and return defanged versions"""
# Simple regex for URLs
url_pattern = r'https?://[^\s\)<>\]"]+'
urls = re.findall(url_pattern, message_content)
defanged_urls = {}
for url in urls:
defanged = url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
defanged_urls[url] = defanged
return defanged_urls
# Usage with email
email_message = """
User reported suspicious email with links:
- https://click-here-to-verify.example.com/login
- https://verify-account.domain.com/urgent
"""
urls = extract_and_defang_urls(email_message)
for original, defanged in urls.items():
print(f"Original: {original}")
print(f"Defanged: {defanged}")
SIEM Integration
Splunk Query with Defanging:
index=main sourcetype=email
| regex body="https?://[^\s]+"
| rex field=body "(?<urls>https?://[^\s\),\]]+)"
| eval defanged_url=replace(urls, "https?://", "hxxp://"),
defanged_url=replace(defanged_url, "\.", "[.]")
| table src_user, body, urls, defanged_url
| stats count by urls, defanged_url
This Splunk query:
- Finds emails with URLs
- Extracts URLs using regex
- Creates defanged versions
- Displays both original and defanged
ELK Stack (Elasticsearch/Kibana):
{
"index_patterns": ["security-logs"],
"template": {
"settings": {
"analysis": {
"analyzer": {
"url_analyzer": {
"type": "custom",
"tokenizer": "url_tokenizer"
}
},
"tokenizer": {
"url_tokenizer": {
"type": "pattern",
"pattern": "[:/.]"
}
}
}
},
"mappings": {
"properties": {
"url": { "type": "text" },
"defanged_url": {
"type": "text",
"analyzer": "url_analyzer"
}
}
}
}
}
Then use a Logstash filter to automatically defang:
filter {
if [url] {
mutate {
add_field => {
"defanged_url" => "%{url}"
}
}
mutate {
gsub => [
"defanged_url", "https?://", "hxxp://",
"defanged_url", "\.", "[.]"
]
}
}
}
Integration with Threat Intelligence Platforms
Defanging in Threat Intelligence Feeds:
import requests
import json
def process_threat_feed(feed_url):
"""Process threat intelligence feed and defang URLs"""
response = requests.get(feed_url)
indicators = response.json()
defanged_indicators = []
for indicator in indicators:
if indicator['type'] == 'url':
original_url = indicator['value']
# Defang
defanged = original_url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
defanged_indicators.append({
'original': original_url,
'defanged': defanged,
'type': 'url',
'threat_level': indicator.get('severity'),
'source': indicator.get('source')
})
else:
defanged_indicators.append(indicator)
return defanged_indicators
# Save processed feed
feed = process_threat_feed('https://threat-feed.example.com/indicators.json')
with open('processed_indicators.json', 'w') as f:
json.dump(feed, f, indent=2)
Webhook-Based Automation
Slack Integration:
from flask import Flask, request
import requests
import re
app = Flask(__name__)
def defang_for_display(text):
"""Defang URLs for safe Slack display"""
urls = re.findall(r'https?://[^\s\)<>\]"]+', text)
for url in urls:
defanged = url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
text = text.replace(url, f"`{defanged}`") # Backticks for code formatting
return text
@app.route('/slack/report_url', methods=['POST'])
def receive_url_report():
"""Receive URL from Slack, defang, and post back"""
data = request.json
user = data['user']
text = data['text']
# Extract and defang URLs
defanged = defang_for_display(text)
# Post to Slack
slack_message = {
'channel': '#security-alerts',
'text': f"URL report from <@{user}>",
'blocks': [
{
'type': 'section',
'text': {
'type': 'mrkdwn',
'text': f"*Original message:*\n{text}"
}
},
{
'type': 'section',
'text': {
'type': 'mrkdwn',
'text': f"*Defanged for safety:*\n{defanged}"
}
}
]
}
response = requests.post(
'https://hooks.slack.com/services/YOUR/WEBHOOK/URL',
json=slack_message
)
return {'status': 'success'}, 200
API Endpoint for Defanging
Flask REST API:
from flask import Flask, jsonify, request
import re
app = Flask(__name__)
@app.route('/api/defang', methods=['POST'])
def defang_api():
"""API endpoint for defanging URLs"""
data = request.json
if 'url' not in data:
return {'error': 'Missing URL'}, 400
url = data['url']
# Defang
defanged = url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
return jsonify({
'original': url,
'defanged': defanged
})
@app.route('/api/defang/batch', methods=['POST'])
def defang_batch():
"""Batch defang multiple URLs"""
data = request.json
if 'urls' not in data:
return {'error': 'Missing URLs'}, 400
results = []
for url in data['urls']:
defanged = url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
results.append({
'original': url,
'defanged': defanged
})
return jsonify(results)
# Usage
# curl -X POST http://localhost:5000/api/defang \
# -H "Content-Type: application/json" \
# -d '{"url": "https://malicious.example.com"}'
Scheduled Defanging Tasks
Cron Job for Email Analysis:
#!/bin/bash
# Daily script to extract and defang URLs from suspicious emails
LOG_FILE="/var/log/security/suspicious_emails.log"
OUTPUT_FILE="/var/log/security/defanged_urls_$(date +%Y-%m-%d).log"
# Extract URLs from email log and defang
grep -oP 'https?://[^\s]+' "$LOG_FILE" | \
sed 's/https:\/\//hxxps:\/\//g' | \
sed 's/http:\/\//hxxp:\/\//g' | \
sed 's/\./[.]/g' | \
sort -u > "$OUTPUT_FILE"
# Email report to security team
mail -s "Daily Defanged URLs Report" [email protected] < "$OUTPUT_FILE"
Add to crontab:
0 9 * * * /usr/local/bin/daily_defang.sh
Data Loss Prevention Integration
Monitor and Defang Sensitive Content:
import re
from datetime import datetime
class SecurityMonitor:
def __init__(self):
self.suspicious_patterns = [
r'https?://[^\s]+', # URLs
r'\b\d{4}-\d{4}-\d{4}-\d{4}\b', # Credit cards
r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' # Emails
]
def scan_content(self, content):
"""Scan content and defang/mask sensitive data"""
report = {
'timestamp': datetime.now().isoformat(),
'urls_found': [],
'defanged_urls': [],
'other_sensitive': []
}
urls = re.findall(r'https?://[^\s]+', content)
for url in urls:
report['urls_found'].append(url)
defanged = url.replace('http://', 'hxxp://')\
.replace('https://', 'hxxps://')\
.replace('.', '[.]')
report['defanged_urls'].append(defanged)
return report
# Usage
monitor = SecurityMonitor()
sensitive_content = "User visited https://malicious.example.com on 2024-01-01"
report = monitor.scan_content(sensitive_content)
print(report)
Best Practices for Automation
- Preserve Original Context - Keep both original and defanged versions for reference
- Logging - Log all defanging operations for audit trails
- Consistency - Use standardized defanging rules across all systems
- Documentation - Document defanging conventions used in your organization
- Reversibility - Maintain ability to refang URLs when needed
- Performance - Use efficient algorithms for bulk processing
- Validation - Verify defanged URLs are properly formatted
Using URL Defanger Tool in Workflows
The URL Defanger tool helps:
- Verify defanging logic matches your automation
- Test edge cases before implementation
- Train team members on defanging patterns
- Manual defanging for non-automated scenarios
Use it as a reference or spot-check tool alongside automation.
Conclusion: Automation Improves Security Workflows
Automating URL defanging transforms it from a tedious manual task to an invisible process. By integrating defanging into email analysis, SIEM systems, threat intelligence platforms, and incident response workflows, you improve consistency and speed. The approaches outlined—from Python scripts to API endpoints to SIEM integration—give you options for your specific environment. Start with simple scripting, then advance to integration with your existing security infrastructure.
