Someone forwards you a phishing email. The link goes to a suspicious URL that looks like a Microsoft 365 login page. You want to investigate without exposing your real machine, fingerprint the kit, and report it for takedown. This is the workflow I run, end to end, with the free or low-cost tools I trust.
Step 1: Don’t click. Submit it instead
Never visit the URL from your real browser. Submit it to urlscan.io instead: they fetch the page from their own infrastructure, render it in a sandboxed browser, capture screenshots, network requests and JavaScript behaviour, and resolve every domain involved. Public scans are free; private scans need a paid account.
Within 30 seconds urlscan returns: a screenshot of what the page actually looks like, the full DOM, every domain the page loaded resources from, every cookie set, and the IP infrastructure hosting it. That’s enough to make most determinations without ever touching the URL yourself.
Step 2: Confirm the kit fingerprint
Phishing kits leave traces. The most common Microsoft 365 kit families in 2026 (Mamba, Greatness, Tycoon, EvilProxy) each have distinctive markers: specific JavaScript file names, image hashes and URL path patterns. urlscan’s “Indicators” tab surfaces hashes you can search.
Cross-reference with PhishTank (a free public phishing-URL database), OpenPhish, and VirusTotal’s URL search. If the URL or the JS hashes appear in any of these, you’ve confirmed it’s part of an active campaign.
Step 3: Look at the email body via Sublime
Sublime Security publishes a free, open-source detection rule platform, sublime-security/sublime-rules on GitHub, that catches most modern phishing patterns. Even if you don’t deploy Sublime, the rules are excellent reading material.
Walk through the message structure: who is the From address actually, what does the Reply-To say, what’s the SPF/DKIM/DMARC posture, are there hidden tracking pixels, does the visible link text match the actual href? Common phishing tells: a legitimate-looking sender domain that fails DMARC, links pointing to short URLs or odd subdomains, urgency language in the subject.
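The checks in this step, as an added example that is not part of the original post and not Sublime's code: it parses a raw message with Python's standard `email` and `html.parser` modules and reports the same tells the paragraph lists (Reply-To domain differing from From, DMARC result pulled from Authentication-Results, visible link text that names a different host than the href, 1x1 images, urgency words in the subject). The message and every domain in it are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing email).
# Every domain here is invented: the display name says Microsoft, the From
# domain is a look-alike, Reply-To points elsewhere, DMARC fails, the link
# text does not match its href, and a 1x1 image acts as a tracking pixel.
SAMPLE_EML = b"""From: "Microsoft 365" <security@microsoft-365-alerts.example>
Reply-To: helpdesk@mail-recovery.example
To: victim@corp.example
Subject: URGENT: your account will be suspended in 24 hours
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=microsoft-365-alerts.example; dkim=none; dmarc=fail header.from=microsoft-365-alerts.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in now to keep your account active.</p>
<a href="https://login.short.example/x9k2">https://login.microsoftonline.com</a>
<img src="https://track.example/p.gif?id=123" width="1" height="1">
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for anchors and src for 1x1 images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.pixels = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _auth_result(header, mechanism):
    """Pull pass/fail/none for spf, dkim or dmarc out of Authentication-Results."""
    m = re.search(rf"\b{mechanism}=(\w+)", header or "")
    return m.group(1).lower() if m else "none"


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message):
    """Return sender facts, authentication posture and a list of phishing tells."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    auth = str(msg["Authentication-Results"] or "")
    results = {m: _auth_result(auth, m) for m in ("spf", "dkim", "dmarc")}

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body is not None else "")

    findings = []
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(from_addr)}")
    if results["dmarc"] != "pass":
        findings.append(f"dmarc={results['dmarc']} for {_domain(from_addr)}")
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
    if parser.pixels:
        findings.append(f"{len(parser.pixels)} 1x1 tracking pixel(s)")
    if re.search(r"\b(urgent|suspend\w*|within \d+ hours?)\b", str(msg["Subject"] or ""), re.I):
        findings.append("urgency language in subject")
    return {"from": from_addr, "reply_to": reply_to, "auth": results, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_EML)
    print(report["auth"])
    for finding in report["findings"]:
        print("-", finding)
```

The Authentication-Results header is only trustworthy when your own gateway wrote it, so in a real triage check that the authserv-id (here `mx.corp.example`) is yours before believing the spf/dkim/dmarc values.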
Step 4: Map the infrastructure
The urlscan report shows you the IP and hosting provider. Phishing kits often share infrastructure across campaigns. Pivot:
urlscan search: click the IP in the urlscan result to see other malicious URLs hosted on the same IP recently. AlienVault OTX and Shodan can give additional context on the IP’s history.
WHOIS for the domain: use WhoisXML or Whoxy. Many phishing domains are registered minutes-to-hours before the campaign launches; that creation date is itself a signal.
Certificate transparency: crt.sh shows every certificate issued for the domain. Sometimes you find related subdomains or sister domains the operator registered around the same time.
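The WHOIS-age and certificate-transparency pivots from this step, as an added example that is not part of the original post. It assumes you have already saved crt.sh's JSON output (the `?output=json` view) for the suspect domain and for candidate sister domains you found, and it clusters names whose first certificate was issued within a window of the suspect's, then computes how young the domain was when the campaign was first seen. The certificate records, domains and timestamps are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like crt.sh's JSON output. Domains, ids and
# timestamps are invented for this example; name_value carries the
# newline-separated subject alternative names, as crt.sh returns them.
SAMPLE_CRT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "login-microsoft365.example",
     "name_value": "login-microsoft365.example\nwww.login-microsoft365.example",
     "not_before": "2026-03-02T09:41:12"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "secure-mail-verify.example",
     "name_value": "secure-mail-verify.example",
     "not_before": "2026-03-02T10:05:44"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "account-recovery-ms.example",
     "name_value": "account-recovery-ms.example\n*.account-recovery-ms.example",
     "not_before": "2026-03-03T01:12:09"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "corp-intranet.example",
     "name_value": "corp-intranet.example",
     "not_before": "2025-01-15T14:00:00"},
])

# Constructed WHOIS-style creation timestamp and the time the phishing email
# was first observed, both invented for the example.
SAMPLE_WHOIS_CREATED = "2026-03-02T09:12:00"
SAMPLE_FIRST_SEEN = "2026-03-02T11:30:00"


def ct_names(crt_json):
    """Map each certificate subject name to the earliest not_before seen for it."""
    issued = {}
    for cert in json.loads(crt_json):
        t = datetime.fromisoformat(cert["not_before"])
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # fold wildcard entries onto the base name
            if name and (name not in issued or t < issued[name]):
                issued[name] = t
    return issued


def related_domains(crt_json, suspect, window_hours=48):
    """Names whose first certificate was issued within window_hours of the suspect's."""
    issued = ct_names(crt_json)
    if suspect not in issued:
        return []
    anchor = issued[suspect]
    window = timedelta(hours=window_hours)
    return sorted(n for n, t in issued.items() if n != suspect and abs(t - anchor) <= window)


def domain_age_hours(created_iso, observed_iso):
    """Hours between registration and first observation; small values are a signal."""
    delta = datetime.fromisoformat(observed_iso) - datetime.fromisoformat(created_iso)
    return delta.total_seconds() / 3600


def triage(crt_json, suspect, created_iso, observed_iso, young_hours=72):
    """Combine the two pivots into one record you can paste into a ticket."""
    age = domain_age_hours(created_iso, observed_iso)
    return {
        "domain": suspect,
        "age_hours": round(age, 2),
        "registered_just_before_campaign": age < young_hours,
        "related_names": related_domains(crt_json, suspect),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CRT_JSON, "login-microsoft365.example",
                            SAMPLE_WHOIS_CREATED, SAMPLE_FIRST_SEEN), indent=2))
```

The 48-hour window and 72-hour youth threshold are tuning knobs, not fixed facts; the year-old `corp-intranet.example` record is in the sample to show that unrelated certificates fall outside the cluster.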
Step 5: Report for takedown
Submit to multiple takedown channels simultaneously; they work at different speeds.
- Google Safe Browsing, fastest. Once flagged, Chrome and Firefox warn users immediately.
- Microsoft SmartScreen, same for Edge and Outlook.
- APWG (Anti-Phishing Working Group), industry-wide coalition. Slower but feeds many tools.
- Hosting provider abuse contact (look up via WHOIS), sometimes faster than browser blocklists.
- The brand being impersonated: Microsoft has [email protected], and most major banks have an abuse address. They have lawyers; they get takedowns done.
Step 6: If you’re an admin, write the rule
Take the indicators (URLs, IPs, JS hashes, sender domains) and add them to your email gateway, your firewall block list, and your DNS sinkhole. If you use Sublime or another rule-based system, write a rule that catches the kit’s structural pattern, not just this URL: the operator will rotate URLs within hours, but the kit fingerprint stays stable for weeks.
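A structural kit match of the kind Step 2 describes and Step 6 asks you to turn into a rule, as an added example that is not part of the original post and not a Sublime rule. It scores a urlscan-style list of loaded resources against kit signatures built from three marker types (JavaScript file names, a URL path pattern, resource hashes) and only fires when at least two types hit, so a rotated domain and path token still match while a single coincidental file name does not; it also flattens a scan into the indicator lists Step 6 feeds to gateways and sinkholes. The kit family names, markers, hashes, scans and IPs are all constructed placeholders for this example, not markers of any real kit.

```python
import re
from urllib.parse import urlparse

# Constructed kit signatures for this example. The family names, file names,
# path patterns and hash strings are placeholders invented here, not markers of
# any real kit; a real signature would carry the hashes urlscan surfaced.
KIT_SIGNATURES = {
    "kit-family-A (placeholder)": {
        "js_names": {"auth_bootstrap.js", "token_relay.js"},
        "path_pattern": re.compile(r"/(?:common|oauth2)/[a-f0-9]{16}/login\b"),
        "hashes": {"PLACEHOLDER_SHA256_A1", "PLACEHOLDER_SHA256_A2"},
    },
    "kit-family-B (placeholder)": {
        "js_names": {"bgjs.js"},
        "path_pattern": re.compile(r"/owa/[A-Za-z0-9]{8}/?$"),
        "hashes": {"PLACEHOLDER_SHA256_B1"},
    },
}

# Two constructed scans of the same campaign, a day apart: the operator rotated
# the domain and the path token, but the kit's files and hashes did not change.
# IPs are from the documentation ranges, not real hosts.
SCAN_DAY1 = {
    "page_url": "https://login-microsoft365.example/common/3f9a1c2b7e0d4a5f/login",
    "ip": "203.0.113.10",
    "resources": [
        {"url": "https://login-microsoft365.example/static/auth_bootstrap.js", "sha256": "PLACEHOLDER_SHA256_A1"},
        {"url": "https://login-microsoft365.example/static/token_relay.js", "sha256": "PLACEHOLDER_SHA256_A2"},
        {"url": "https://cdn-assets.example/logo.png", "sha256": "PLACEHOLDER_SHA256_LOGO"},
    ],
}
SCAN_DAY2 = {
    "page_url": "https://secure-mail-verify.example/oauth2/9b8c7d6e5f4a3b2c/login",
    "ip": "203.0.113.10",
    "resources": [
        {"url": "https://secure-mail-verify.example/js/auth_bootstrap.js", "sha256": "PLACEHOLDER_SHA256_A1"},
        {"url": "https://secure-mail-verify.example/css/app.css", "sha256": "PLACEHOLDER_SHA256_CSS"},
    ],
}
SCAN_BENIGN = {
    "page_url": "https://intranet.corp.example/login",
    "ip": "198.51.100.7",
    "resources": [{"url": "https://intranet.corp.example/js/jquery.min.js", "sha256": "PLACEHOLDER_SHA256_JQ"}],
}


def fingerprint(scan, signatures=KIT_SIGNATURES, min_marker_types=2):
    """Match a scan against kit signatures. Requires hits on at least
    min_marker_types different marker types so one coincidental file name
    does not fire. Returns (family, hits) or (None, [])."""
    names = {urlparse(r["url"]).path.rsplit("/", 1)[-1] for r in scan["resources"]}
    hashes = {r.get("sha256") for r in scan["resources"]}
    path = urlparse(scan["page_url"]).path
    best = (None, [])
    for family, sig in signatures.items():
        hits = []
        if names & sig["js_names"]:
            hits.append("js:" + ",".join(sorted(names & sig["js_names"])))
        if sig["path_pattern"].search(path):
            hits.append("path:" + path)
        if hashes & sig["hashes"]:
            hits.append("hash:" + ",".join(sorted(hashes & sig["hashes"])))
        if len(hits) >= min_marker_types and len(hits) > len(best[1]):
            best = (family, hits)
    return best


def indicators(scan):
    """Flat indicator lists for gateway, firewall and DNS-sinkhole entries: the
    page host, every host it loaded from, the hosting IP and resource hashes."""
    hosts = {urlparse(scan["page_url"]).hostname}
    hosts |= {urlparse(r["url"]).hostname for r in scan["resources"]}
    return {
        "domains": sorted(h for h in hosts if h),
        "ips": [scan["ip"]],
        "hashes": sorted({r["sha256"] for r in scan["resources"]}),
    }


if __name__ == "__main__":
    for label, scan in (("day1", SCAN_DAY1), ("day2", SCAN_DAY2), ("benign", SCAN_BENIGN)):
        print(label, fingerprint(scan))
    print(indicators(SCAN_DAY1))
```

Shared third-party hosts (a CDN in the resource list) will end up in `indicators()` alongside the kit's own domains, so review that list before it goes into a blocklist.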
The bigger value
One investigated phishing kit yields indicators that protect every user in your environment for that campaign. Build the muscle of doing this once a week and you’ll catch most of the kit families before they’re widely distributed. The skills generalise to malware investigation, fraud campaigns, and any other adversary infrastructure work.
