
Defang URL and IP Guide: IOC Conventions, hxxp, and Refanging


Open any threat intelligence report from CrowdStrike, Mandiant, or Cisco Talos and you will see URLs like hxxps://malicious-site[.]com/payload instead of clickable links. That deliberate mangling is called defanging. Use the Defang URL tool to convert indicators instantly — and read on to understand why the convention exists, how it works, and when to reverse it.

What Defanging Is

Defanging means transforming a URL or IP address so it is no longer recognized as a clickable hyperlink or a routable address by email clients, chat platforms, browsers, and log parsers — while remaining human-readable enough to reconstruct the original indicator. The result is a neutralized indicator of compromise (IOC) that can be safely pasted into a Slack message, email, or PDF without triggering automated behavior.

The term comes from removing the "fangs" of a URL: the protocol scheme and the dots that make it actionable.

Defanging Conventions

There is no single enforced standard, but the following substitutions are widely understood across the security community:

Original      Defanged form        Applies to
http          hxxp                 HTTP URLs
https         hxxps                HTTPS URLs
ftp           fxxp                 FTP URLs
.             [.] or (.)           Domain labels, IPv4 octets
@             [@]                  Email addresses, userinfo in URLs
://           [://] or [:]//       Scheme separator
127.0.0.1     127[.]0[.]0[.]1      Localhost and loopback references

The most common combination in practice is replacing http with hxxp and every . with [.]. A typical defanged IOC looks like:

hxxps://evil-domain[.]com/stage2/payload[.]exe
192[.]168[.]1[.]1
attacker[@]protonmail[.]com

Why It Matters

Three distinct failure modes motivate defanging, each with real consequences for analysts and organizations:

Accidental clicks. A raw URL in a Slack message, Teams chat, or email becomes a blue hyperlink. One misclick by a tired analyst opens a live malware distribution site or a phishing page, potentially in a browser running under corporate credentials. Even experienced practitioners click links reflexively.

Automatic link previews. Slack, Teams, Discord, and many email clients fetch a preview of every URL they detect. That request travels from your corporate network to the attacker's server, revealing your IP address and signaling that the indicator is under investigation. Sophisticated threat actors monitor access logs for exactly this pattern to detect when they have been discovered.

Telemetry and log poisoning. Security tools that ingest raw logs, SIEM rules, or threat feeds may automatically query or resolve URLs and IPs they encounter. A live malicious URL embedded in a log line can trigger outbound connections from your infrastructure. Defanged indicators pass through log pipelines safely.

Who Uses Defanging

Defanging is standard practice across every part of the security industry that deals with live indicators:

  • Threat intelligence reports — CrowdStrike, Mandiant, Cisco Talos, and nearly every vendor publish IOC appendices using defanged notation so reports can be shared and read safely in any context.
  • SOC Slack and Teams channels — analysts share IOCs during incident response without risking accidental navigation or preview fetches by team members.
  • Bug bounty submissions — researchers paste proof-of-concept URLs into reports on HackerOne, Bugcrowd, and similar platforms without triggering automated scanners or accidental visits by triage staff.
  • Malware analysis writeups — reverse engineers document C2 server addresses, download URLs, and dropper domains without embedding live links in public blog posts or conference papers.
  • OSINT and red team reports — defanged notation is used wherever hostile infrastructure must be documented without enabling easy access.

Refanging: Restoring Indicators for Analysis

When you need to actually investigate an indicator — submit it to VirusTotal, run it through urlscan.io, pivot in Shodan, or load it into a sandbox — you need the original, unmodified URL or IP. The reverse operation is called refanging.

The Defang URL tool handles both directions. Paste a defanged indicator and it reconstructs the original. CyberChef offers the equivalent Defang URL / Fang URL and Defang IP Addresses / Fang IP Addresses operations for pipeline use. Automated refanging matters when processing large IOC feeds where manual editing is impractical.

Always refang in an isolated environment — a dedicated analysis VM, a browser profile with no saved credentials, and ideally through a VPN or Tor exit node — so your real IP address and identity are not exposed to the attacker's infrastructure.

Formats That Break When Naively Defanged

Not every context handles defanged indicators gracefully. A few pitfalls to watch for:

  • Markdown. A Markdown link [text](https://example.com) becomes [text](hxxps://example[.]com) after defanging: the link syntax now wraps a target that is not a URL, and the [.] brackets inside the parentheses trip up some renderers. Put defanged indicators in a code span (`hxxps://example[.]com`) instead; a code span also stops the renderer from auto-linking whatever is inside it.
  • JSON strings. Defang URLs stored as JSON string values as string content, not by editing the serialized text. A blind replacement of . with [.] over the raw document also rewrites key names such as "c2.url" and turns numeric literals like 9.5 into 9[.]5, which is no longer valid JSON. Parse the document, transform only the string values, and serialize it again.
  • Regex patterns. If an IOC feed or detection rule matches domains with a regex, an unescaped dot is a wildcard, so evil.com also matches evilXcom. Writing the dot as [.] makes it a literal match, so a defanged domain pasted into a pattern is actually more precise, and this is sometimes done on purpose in detection rules. The (.) variant has the opposite effect: it is a capture group around the wildcard and still matches any character.
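The JSON and regex points above in working form, as an added example that is not code from this page or from the DevToys tool. It parses the document, defangs only string values, leaves keys, numbers and structure alone, and contrasts that with a blind text replace; the last function shows why [.] in a regex is a literal dot while (.) matches anything. The defang helper is a deliberately minimal assumption (http, https, dots and @ only), and the sample event is constructed for the example.

```python
import json
import re


def defang(value: str) -> str:
    """Minimal defang used by this example: http(s) -> hxxp(s), @ -> [@], . -> [.]."""
    value = re.sub(r"\bhttp(s?)://", r"hxxp\1://", value)
    return value.replace("@", "[@]").replace(".", "[.]")


def defang_json_values(node):
    """Recursively defang string values only; dict keys and non-strings are untouched."""
    if isinstance(node, dict):
        return {key: defang_json_values(val) for key, val in node.items()}
    if isinstance(node, list):
        return [defang_json_values(val) for val in node]
    if isinstance(node, str):
        return defang(node)
    return node  # int, float, bool and None are never indicators


def defang_json_document(text: str) -> str:
    """Parse -> transform -> serialize, so the output is still valid JSON."""
    return json.dumps(defang_json_values(json.loads(text)), indent=2)


def naive_defang_document(text: str) -> str:
    """What not to do: a blind replace rewrites keys and breaks numeric literals."""
    return text.replace(".", "[.]")


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def regex_matches(pattern: str, candidate: str) -> bool:
    """fullmatch, so the whole candidate has to fit the pattern."""
    return re.fullmatch(pattern, candidate) is not None


# Constructed sample event (not from any real feed). Note the dotted key and the float.
SAMPLE_EVENT = json.dumps({
    "c2.url": "https://evil-domain.com/stage2/payload.exe",
    "reporter": "analyst@example.org",
    "score": 9.5,
    "hits": [{"ip": "192.168.1.1", "count": 3}],
})


if __name__ == "__main__":
    print(defang_json_document(SAMPLE_EVENT))
    print("naive replace still valid JSON?", is_valid_json(naive_defang_document(SAMPLE_EVENT)))
    for pat, cand in [("evil[.]com", "evil.com"), ("evil[.]com", "evilXcom"),
                      ("evil.com", "evilXcom"), ("evil(.)com", "evilXcom")]:
        print(f"{pat!r} vs {cand!r}: {regex_matches(pat, cand)}")
```

Run it and the naive version reports False: the "score": 9[.]5 it produced is not a JSON number. The tree walk keeps "c2.url" as a key and 9.5 as a float while the string values come out as hxxps://evil-domain[.]com/stage2/payload[.]exe and 192[.]168[.]1[.]1.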

Machine-Readable IOC Formats

Structured threat intelligence formats such as STIX (Structured Threat Information eXpression), MISP (Malware Information Sharing Platform) and OpenIOC store indicators in typed fields rather than free text. In a STIX 2.1 bundle a URL is a url observable whose value property holds the raw string, or it sits inside an indicator's pattern, for example [url:value = 'https://...'], never embedded in prose.

Because these formats use structured fields and are consumed by machines rather than read by humans, indicators are typically not defanged inside the structured data. The consuming tool knows the field type and does not auto-link it. Defanging is applied in the human-readable sections of reports — executive summaries, IOC appendices, blog posts — where the indicator will be rendered as text that tools may auto-link.
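The split described above, as an added example that is not from this page, the STIX specification or any vendor tool: a constructed STIX 2.1 bundle with made-up identifiers keeps raw values in its url, ipv4-addr and email-addr objects and in the indicator pattern, and only the human-readable appendix generated from it is defanged. The pattern parser is a deliberately narrow regex for simple type:value = '...' comparisons, an assumption that does not cover the full STIX patterning grammar, and the defang helper is minimal.

```python
import json
import re

# Constructed STIX 2.1 bundle for illustration only; the UUIDs are made up.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--0b4d3c1e-6f2a-4a7e-9c31-5d8e2f1a7b90",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3f1c9a2b-7d4e-4b8c-a1d2-9e6f5c4b3a21",
            "created": "2024-01-01T00:00:00.000Z",
            "modified": "2024-01-01T00:00:00.000Z",
            "name": "Stage 2 download",
            "pattern_type": "stix",
            "pattern": "[url:value = 'https://evil-domain.com/stage2/payload.exe']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {"type": "url", "spec_version": "2.1",
         "id": "url--5a7e2d9c-1b3f-4c6d-8e2a-7f9b1c3d5e40",
         "value": "https://evil-domain.com/stage2/payload.exe"},
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--9c2b4d6e-8f1a-4e3c-b5d7-2a4c6e8f1b30",
         "value": "192.168.1.1"},
        {"type": "email-addr", "spec_version": "2.1",
         "id": "email-addr--7d1e3f5a-2c4b-4a6d-9e8f-1b3d5f7a9c20",
         "value": "attacker@protonmail.com"},
    ],
}

# Observable types whose 'value' belongs in a report's IOC appendix.
VALUE_TYPES = ("url", "ipv4-addr", "ipv6-addr", "domain-name", "email-addr")

# Assumption: only simple comparisons such as  url:value = '...'  are recognised.
PATTERN_VALUE_RE = re.compile(
    r"(?:url|ipv4-addr|ipv6-addr|domain-name|email-addr):value\s*=\s*'([^']*)'"
)


def defang(value: str) -> str:
    """Minimal defang for the appendix: http(s)/ftp scheme, every dot, and @."""
    value = re.sub(r"\bhttp(s?)://", r"hxxp\1://", value)
    value = re.sub(r"\bftp://", "fxxp://", value)
    return value.replace("@", "[@]").replace(".", "[.]")


def extract_indicators(bundle: dict) -> list:
    """Raw indicator values in bundle order, without duplicates."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") in VALUE_TYPES and "value" in obj:
            found.append(obj["value"])
        elif obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            found.extend(PATTERN_VALUE_RE.findall(obj.get("pattern", "")))
    unique = []
    for value in found:
        if value not in unique:
            unique.append(value)
    return unique


def machine_readable(bundle: dict) -> str:
    """What a TIP or SIEM ingests: the bundle serialized with raw values."""
    return json.dumps(bundle)


def render_appendix(bundle: dict) -> list:
    """The human-readable IOC appendix: the only place defanging is applied."""
    return [defang(value) for value in extract_indicators(bundle)]


if __name__ == "__main__":
    print("IOC appendix:")
    for line in render_appendix(BUNDLE):
        print("  ", line)
    print("raw values still in the feed:", "hxxp" not in machine_readable(BUNDLE))
```

The bundle is never modified; the appendix is derived from it. The duplicate between the indicator pattern and the url object collapses to one line, which is what you want in a report but not in the bundle, where both objects carry meaning.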

Code: Simple Defang and Refang Functions

For scripting pipelines, these minimal implementations cover the most common substitutions:

// JavaScript — defang and refang
// Plain substring replacement: "http" and "ftp" are rewritten wherever they
// occur, so run these on isolated indicators, not on whole paragraphs.
function defang(indicator) {
  return indicator
    .replace(/https?/g, (m) => m.replace('tt', 'xx')) // http -> hxxp, https -> hxxps
    .replace(/ftp/g, 'fxxp')
    .replace(/\./g, '[.]')   // the dot must be escaped: an unescaped /./ matches every character
    .replace(/@/g, '[@]');
}

function refang(indicator) {
  return indicator
    .replace(/hxxps/g, 'https')
    .replace(/hxxp/g, 'http')
    .replace(/fxxp/g, 'ftp')
    .replace(/\[\.\]/g, '.')  // literal "[.]"; an unescaped /[.]/ is a character class that only matches "."
    .replace(/\(\.\)/g, '.')  // literal "(.)"; an unescaped /(.)/ would replace every character with a dot
    .replace(/\[@\]/g, '@')
    .replace(/\[:\]/g, ':');
}

// Examples
defang('https://evil.com/payload');
// => 'hxxps://evil[.]com/payload'

refang('hxxps://evil[.]com/payload');
// => 'https://evil.com/payload'

# Python — defang and refang
# Same substring-based approach and the same caveat as the JavaScript version.
import re

def defang(indicator: str) -> str:
    result = re.sub(r'https?', lambda m: m.group().replace('tt', 'xx'), indicator)  # http -> hxxp, https -> hxxps
    result = result.replace('ftp', 'fxxp')
    result = result.replace('.', '[.]')   # str.replace is literal, so no escaping is needed here
    result = result.replace('@', '[@]')
    return result

def refang(indicator: str) -> str:
    result = indicator.replace('hxxps', 'https').replace('hxxp', 'http')
    result = result.replace('fxxp', 'ftp')
    result = result.replace('[.]', '.').replace('(.)', '.')  # accept both bracket styles
    result = result.replace('[@]', '@')
    result = result.replace('[:]', ':')
    return result

# Examples
print(defang('https://evil.com/payload'))
# hxxps://evil[.]com/payload

print(refang('192[.]168[.]1[.]1'))
# 192.168.1.1

Pitfalls and Edge Cases

  • Over-defanging. Replacing every dot in a report — including dots in file names, version numbers, and prose — obscures meaning without adding security value. Defang only indicators that could be auto-linked: URLs, IP addresses, and email addresses.
  • Inconsistent conventions. Some analysts use [.], others use (.), and some omit the brackets entirely and use a space or underscore. Refanging tools that expect only one format will miss variants. The Defang URL tool normalizes to [.] on defang and handles multiple variants on refang.
  • Email addresses with defanged domains. If you share user[@]company[.]com and someone pastes it into a mail client without refanging, the address will not parse and the message will not send; directory lookups and address validation in automated systems fail the same way. Make clear in your reports whether a defanged email address is an IOC or a contact address.
  • IPv6 addresses. IPv6 uses colons, not dots, as separators, so the [.] convention does nothing for it. [:] is the natural substitute, but it is already used for the scheme separator (hxxp[:]//) and looks identical to a defanged port (host[:]8080). IPv6 literals in URLs are also written inside square brackets (http://[2001:db8::1]/), which collide with the bracket notation itself. Pick one convention for IPv6 IOCs, such as 2001[:]db8[:][:]1, and document it explicitly so readers refang correctly.
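To tie the conventions table together with the over-defanging and inconsistent-conventions pitfalls above, here is an added example in Python that is not from this page or from the DevToys tool. defang_text touches only tokens that auto-link (URLs with a scheme, IPv4 addresses, email addresses), so version numbers and file names survive; refang accepts [.], (.), {.}, [dot], [@], (at), hXXp in any letter case, [:]// and [://], and turns [:] back into a colon, which also covers IPv6 IOCs written with [:]. Bare hostnames are deliberately not detected, because a plain regex cannot tell payload.exe from a domain, and the analyst note is constructed for the example.

```python
import re

# Token classes that chat clients, mail clients and wikis auto-link. Bare
# hostnames are not matched (see the lead-in); version strings like 2.1.0
# match none of these either.
URL_RE = r"\b(?:https?|ftp)://[^\s<>\"')\]]+"
EMAIL_RE = r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"
IPV4_RE = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
TOKEN_RE = re.compile("|".join((URL_RE, EMAIL_RE, IPV4_RE)), re.IGNORECASE)

SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxxp"}
TRAILING_PUNCT = ".,;:!?"


def defang_token(token: str) -> str:
    """Defang one indicator: the scheme, every dot, and any @ (userinfo or email)."""
    core = token.rstrip(TRAILING_PUNCT)  # keep sentence punctuation out of the IOC
    tail = token[len(core):]
    m = re.match(r"([a-z]+)://", core, re.IGNORECASE)
    if m:
        scheme = m.group(1).lower()
        core = SCHEMES.get(scheme, scheme) + "://" + core[m.end():]
    return core.replace(".", "[.]").replace("@", "[@]") + tail


def defang_text(text: str) -> str:
    """Defang only auto-linkable tokens in free text; prose, file names and
    version numbers are left alone."""
    return TOKEN_RE.sub(lambda m: defang_token(m.group(0)), text)


# Refang accepts the variants analysts actually produce, not just hxxp and [.].
# The scheme rules require a following ':' or '[:' so random 'hxxp' text is untouched.
REFANG_RULES = [
    (re.compile(r"hxxp(s?)(?=\[?:)", re.IGNORECASE), lambda m: "https" if m.group(1) else "http"),
    (re.compile(r"fxxp(?=\[?:)", re.IGNORECASE), "ftp"),
    (re.compile(r"[\[(\{]\s*(?:\.|dot)\s*[\])\}]", re.IGNORECASE), "."),   # [.] (.) {.} [dot] (dot)
    (re.compile(r"[\[(]\s*(?:@|at)\s*[\])]", re.IGNORECASE), "@"),        # [@] (@) [at] (at)
    (re.compile(r"\[://\]"), "://"),                                         # hxxp[://]
    (re.compile(r"\[:\]"), ":"),                                             # hxxp[:]// , host[:]port, IPv6
]


def refang(text: str) -> str:
    """Restore raw indicators from any of the recognised defanged variants."""
    for pattern, repl in REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


# Constructed analyst note (not from a real incident).
NOTE = ("Build 2.1.0 of the loader fetched payload.exe from "
        "https://evil-domain.com/stage2/payload.exe, beaconed to 192.168.1.1:8443 "
        "and mailed attacker@protonmail.com")


if __name__ == "__main__":
    safe = defang_text(NOTE)
    print(safe)
    print("round trip ok:", refang(safe) == NOTE)
    for variant in ("hXXp[:]//192[.]168[.]1[.]1[:]8080/",
                    "fxxp://files[dot]example(.)com",
                    "attacker(at)protonmail[.]com",
                    "2001[:]db8[:][:]1"):
        print(f"{variant:40} -> {refang(variant)}")
```

Because defang_text normalizes every input to hxxp and [.], a team that standardizes on it gets consistent output regardless of who wrote the note, while refang still copes with reports from elsewhere that used (.), [dot] or (at). The trailing-punctuation strip in defang_token is what keeps a sentence-ending comma or period out of the URL, a detail most one-line regex defangers get wrong.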

Convert URLs and IPs in both directions with the Defang URL tool — paste a list of raw indicators to defang for safe sharing, or paste defanged IOCs to refang before pivoting in VirusTotal or urlscan. See also Text Extractor Guide for pulling indicators from unstructured text, and Text Tools Guide for the broader text processing toolkit.