Threat overview
Every external link across your estate, checked before it reaches a user. Last 24 hours.
Live Verdict stream
real time · all channelsVerdict breakdown
24hMost impersonated brands
View threat logMost targeted users
24hThreat log
Isolated and blocked links, newest first. Click any row to open the full session record.
| Verdict | URL | User | Channel | Reason | Severity | Time |
|---|
Isolation sessions
Suspicious pages rendered in disposable containers. Nothing from these sites reached the endpoint.
Live sessions
gVisor · isolated segment| Session | Rendering | Target | User | Mode | Duration | Container |
|---|
Policies
Rules apply per user group, synced from your directory. Changes push to agents within 60 seconds.
Isolation aggressiveness
Session controls
Allow list
trusted, opens directOffline agent behaviour
Endpoints
Machines running the Phishing Protector agent as the default link handler.
| Host | User | OS | Agent | Default handler | Last seen | Status |
|---|
User experience
What your people see. Safe links open instantly in their normal browser, risky ones in protected mode.
This page was blocked
Averox Phishing Protector stopped this link because it impersonates Askari Bank to steal your sign-in details.
Sign in
Reports
Board-ready exposure summaries and per-department risk scoring.
Scheduled reports appear here
Monthly phishing exposure report generates on the 1st. Next run: 1 August.
Help & Training
White paper, operational guide, and step-by-step training for your security team.
1 — Platform Overview
What it protects
Phishing is the leading initial access vector in cyberattacks worldwide and the dominant threat facing Pakistani enterprises and government organisations. The system protects against: credential harvesting pages (fake banking, M365, government portals), malware delivery via weaponised documents, adversary-in-the-middle (AiTM) kits that bypass MFA, and brand impersonation attacks targeting employees across all communication channels.
What it protects against — by channel
| Channel | Threat type | How protection works |
|---|---|---|
| Phishing links in messages, HTML redirects, QR code links | Agent intercepts clicks before Outlook or Thunderbird open the browser | |
| WhatsApp Desktop | Social engineering links, parcel lures, fake bank alerts | Default link handler intercepts WhatsApp link-open events |
| Microsoft Teams | Collaboration platform phishing, fake SharePoint links | Teams protocol handler redirected through agent verdict check |
| SMS / system browser | Smishing links opened on the same machine | System default browser replaced by agent-wrapped browser |
| Documents (PDF, Office) | Embedded hyperlinks in attachments | Office and Acrobat link handler overridden by agent |
Who operates it
The system is designed for two audiences. SOC analysts use the console to monitor the live threat stream, investigate blocked and isolated sessions, manage policies per user group, and review endpoint coverage. IT administrators deploy and manage the lightweight endpoint agent across the fleet using group policy, MDM, or manual installation scripts.
2 — Architecture
Three components
| Component | Role | Deployment |
|---|---|---|
| Endpoint Agent | Intercepts link clicks OS-wide, sends URL to verdict engine, enforces the verdict (allow / open isolated / block) | Installed per machine; Windows, macOS, Linux |
| Verdict Engine | Scores URLs in under 200 ms using a multi-stage pipeline; stores all verdicts and session records | On-premises Flask/Python server with SQLite or PostgreSQL |
| SOC Console | Real-time dashboard, threat log, isolation management, policy editor, fleet management | Web UI served by the same backend; no external dependencies |
Data flow
① User clicks a link in any application → ② Agent intercepts the OS open-URL event before the browser receives it → ③ Agent sends the URL to the verdict engine API (POST /api/v1/verdict) → ④ Engine scores the URL and returns a verdict within 200 ms → ⑤ Agent enforces the verdict: safe links open in the normal browser, suspect links open in an isolated container, confirmed phishing is blocked with a block-page. All events are logged and visible in the console within seconds.
3 — The Verdict Engine
The engine evaluates every URL through a deterministic three-phase pipeline. No machine learning model is involved — every scoring decision is auditable and reproducible.
Phase 1 — Instant verdicts (no scoring needed)
URLs matching the tenant allow list are immediately allowed. URLs matching the global or tenant block list, or confirmed in active threat feeds (PhishTank, OpenPhish, PKCERT national advisories), are immediately blocked. These checks complete in under 5 ms.
Phase 2 — Heuristic scoring (0–100 risk score)
URLs not resolved in Phase 1 are scored across multiple independent signal groups. Signals are additive — each one that fires increases the risk score.
| Signal | What it detects | Risk weight |
|---|---|---|
| domain_age | Domain registered less than 7 days ago — strongest single indicator of phishing infrastructure | High (35 pts) |
| lookalike | Typosquatting and homoglyph attacks (e.g. askarlbank.com, аskaribank.com with Cyrillic а) | High (30 pts) |
| suspicious_tld | Free or abused top-level domains: .tk .ml .ga .cf .xyz .top .click .pw | Medium (20 pts) |
| credential_keywords | Words like login, verify, secure, confirm, update in the URL path — common phishing lure vocabulary | Medium (15 pts) |
| entropy | High Shannon entropy in hostname — characteristic of domain-generation algorithm (DGA) malware C2 | Medium (18 pts) |
| punycode | Internationalised domain encoding used to make look-alike characters appear identical in browsers | High (25 pts) |
| ip_as_host | URL uses a raw IP address instead of a domain — no legitimate business links to raw IPs | High (30 pts) |
| excess_subdomains | More than 3 subdomain levels — used to impersonate legitimate domains (login.secure.bank.tk) | Low (10 pts) |
| at_symbol | @ in URL — exploits browser parsing to hide the real destination (user@attacker.com/fake) | High (28 pts) |
Phase 3 — Content analysis (optional, configurable)
When CONTENT_ANALYSIS=1, the engine fetches the target page (SSRF-guarded, 1.5 MB cap, 6-second timeout) and scores its content for additional signals: headline sensationalism, emotional and urgency language density, author attribution quality, citation quality, and presence of credential-capture forms. Content analysis adds 0–45 points to the score and degrades gracefully if the page is unreachable.
Verdict thresholds
| Score range | Verdict | Action |
|---|---|---|
| 0 – 24 | ALLOW | Link opens normally in the user's default browser |
| 25 – 59 | ISOLATE | Link opens in a disposable browser container; read-only if credential page detected |
| 60 – 100 | BLOCK | Link is blocked; user sees the Averox block page with reason and reporting option |
Thresholds shift per policy group aggressiveness: Permissive (isolate ≥40, block ≥70), Balanced (isolate ≥25, block ≥60), Strict (isolate ≥10, block ≥50).
4 — Browser Isolation Technology
Isolation is the capability that separates Averox from URL-filtering-only products. Rather than simply blocking suspect links — which creates friction and false positives — the system allows users to safely view the content of suspect pages without any risk reaching their endpoint.
Two rendering modes
| Mode | How it works | Use case |
|---|---|---|
| DOM mode | Page is fetched and rendered in a headless browser inside the isolation container. The rendered DOM is sanitised — scripts and form actions are removed — and served to the user as a read-only view. | Low–medium risk URLs; fast, low resource cost |
| Pixel mode | Page is fully rendered in the container and only pixel screenshots are streamed to the user's browser — nothing from the remote page's code reaches the endpoint at all. | High-risk URLs; air-gap level isolation |
Read-only enforcement
When the verdict engine detects a credential-capture form on the isolated page (password fields, login forms), it automatically enables read-only mode. Keyboard entry on the isolated page is disabled, preventing the user from typing their password even if they try. The system logs every such save as a "credential saved" event visible on the dashboard.
5 — Public Link Checker
In addition to the enterprise agent-based protection, the platform exposes a public link checker at /check — accessible to anyone without login or installation. Citizens, journalists, and government analysts can paste any URL and receive a full parameter-level verdict within seconds. All public submissions are logged with channel=public and visible in the SOC threat log. Per-IP rate limiting (20 requests per minute) prevents abuse.
Signing in
Navigate to the console URL provided by your administrator. Enter your work email and password, then click Sign in. The system uses short-lived JWT tokens — sessions expire after 8 hours and you will be returned to the login screen automatically.
Understanding the Dashboard
The dashboard shows the last 24 hours of link activity across your entire organisation. The four KPI cards at the top show:
- Links checked — total URLs evaluated by the verdict engine across all channels and endpoints
- Isolated — links opened in sandboxed containers because they were suspicious but not confirmed phishing
- Blocked — confirmed phishing links stopped before any browser opened them
- Credentials saved — times read-only mode prevented a user from entering their password on a phishing page inside isolation
The Live verdict stream updates every 2.5 seconds showing real-time link decisions. The Verdict breakdown donut shows the allow/isolate/block ratio. Most impersonated brands shows which organisations attackers are pretending to be.
Reading and Using the Threat Log
Navigate to Threat Log in the sidebar. This shows every isolated and blocked link — each row contains the verdict, the URL, the user who clicked it, the channel it arrived through (email, WhatsApp, Teams), the reason it was flagged, a severity score, and the timestamp.
- Use the All / Blocked / Isolated filter buttons to focus on confirmed threats
- Use the Export button to download the current view as a CSV for reporting or SIEM ingestion
- The reason column explains exactly which signal triggered the verdict — e.g. "lookalike domain, 2 days old" or "impersonates HBL"
Isolation Sessions
Navigate to Isolation Sessions. This view shows all currently active isolation containers — live sandbox environments where users are safely viewing suspicious pages right now. Each row shows the session ID, rendering mode (DOM or Pixel), the target hostname, the user, and whether read-only mode is active.
- DOM mode sessions are lower risk — the page is sanitised and rendered safely
- Pixel mode sessions are higher risk — only screenshots are shown, nothing from the page code reaches the endpoint
- Read-only ON means the system detected a credential-capture form and has disabled keyboard entry
Managing Policies
Navigate to Policies. Policies control how aggressively the verdict engine treats uncertain URLs for each user group. Use the group tabs at the top to switch between groups (All staff, Finance, Executives, Branch network, Contractors).
- Permissive — only clearly malicious links are isolated or blocked. Suitable for IT staff who need broad internet access.
- Balanced — the recommended setting for most users. Newly registered, lookalike, and unknown domains are isolated.
- Strict — everything not on the allow list is isolated. Recommended for Finance and Executives who are high-value phishing targets.
The Allow list panel lets you add trusted domains that will never be isolated (e.g. your banking portal, intranet, partner sites). Type the domain and press Enter to add. Click × to remove.
Always click Save changes after editing. Changes push to all agents in the group within 60 seconds.
Managing Endpoints
Navigate to Endpoints. This view shows every machine running the Phishing Protector agent. The fleet summary at the top shows how many machines are protected, how many need an agent update, and how many are offline.
- Status: OK — agent is running, up to date, and checking in normally
- Status: Update — agent is running but an update is available. Schedule an update at the next maintenance window.
- Status: Offline — agent has not checked in for more than 30 minutes. Investigate whether the machine is powered off or the agent has been stopped.
- Default handler: unknown — the agent is installed but not set as the system default link handler. URLs will NOT be intercepted on this machine. Re-run the installer with administrator rights to fix.
Click Deploy agent to get installation commands for new machines.
User Experience — What Users See
Navigate to User Experience. This preview shows exactly what your employees see when a link is blocked or isolated. It is important that your users understand these screens so they do not panic or try to bypass them.
- Block page — a clear, branded screen explaining why the link was stopped. It shows the site name, the reason (e.g. "impersonates Askari Bank"), and the channel it arrived from. Users can report a mistake if they believe it is a false positive.
- Isolation banner — a thin orange banner at the top of the isolated page reminding the user they are in a protected sandbox. The "read only" badge appears when typing is disabled.
Public Link Checker (/check)
The public checker at /check allows anyone — no login, no agent — to paste a URL and get an instant verdict with a full parameter breakdown. Share this link with employees, management, or the public as a self-service awareness tool.
- Paste any suspicious URL and click Check link
- The result card shows the risk score (0–100), the verdict (Allow / Caution / Block), and a breakdown of every signal that contributed to the score
- Each signal shows what was found and why it matters — designed to be understandable by non-technical users
Requirements
| Platform | Minimum version | Requirements |
|---|---|---|
| Windows | Windows 10 1903+ | .NET 6 Runtime, administrator rights for install |
| macOS | macOS 12 Monterey+ | Administrator password for install, System Preferences approval for background service |
| Linux | Ubuntu 20.04 / Debian 11+ | sudo access, systemd, libgtk-3 for isolation renderer |
Installation
Windows — PowerShell (run as Administrator)
macOS — Terminal
Linux (Debian / Ubuntu)
Silent deployment via Group Policy / Intune
Verification
After installation, open a terminal and run:
Expected output:
The machine will appear in the Endpoints view of the console within 60 seconds of a successful first check-in. If it does not appear, verify network connectivity to the server URL and confirm the tenant key is correct.
Uninstallation
If tamper protection is enabled in the policy, a password is required to uninstall. Contact your SOC administrator for the tamper protection password before proceeding.