Sign in to the console

Security operations, protected access
Demo mode, backend not connected
Averox Secure / Dashboard
--

Threat overview

Every external link across your estate, checked before it reaches a user. Last 24 hours.

--:--:-- PKT
Links checked
48,217
▲ 6.2% vs yesterday
Isolated
1,043
2.16% of all clicks
Blocked
312
▲ 11% confirmed phishing
Credentials saved
27
form entry blocked in isolation

Live Verdict stream

real time · all channels

Verdict breakdown

24h
--allowed
Allowed--
Isolated--
Blocked--
By channel

Most impersonated brands

View threat log

Most targeted users

24h

Threat log

Isolated and blocked links, newest first. Click any row to open the full session record.

All channels Last 24h
VerdictURLUserChannelReasonSeverityTime

Isolation sessions

Suspicious pages rendered in disposable containers. Nothing from these sites reached the endpoint.

4 active now
Active containers
4
capacity: 60 concurrent
Sessions today
1,043
avg 42s each
Form entry blocked
27
read-only mode saves

Live sessions

gVisor · isolated segment
SessionRenderingTargetUserModeDurationContainer

Policies

Rules apply per user group, synced from your directory. Changes push to agents within 60 seconds.

Isolation aggressiveness

PermissiveIsolate only low-reputation and known-bad domains
Balanced (recommended)Isolate unknown, newly registered and lookalike domains
StrictIsolate everything outside the corporate allow list

Session controls

Read-only renderingDisable keyboard entry on suspected credential pages. Defeats credential theft even if a user proceeds.
Block downloads in isolationFiles are detonated in the sandbox and released only as sanitised PDFs.
Disable clipboardPrevent copy out of isolated sessions.
Record sessions for SOCKeep a screenshot timeline of every isolated session for investigation.

Allow list

trusted, opens direct

Offline agent behaviour

Fail closed on unknown domainsWhen the agent cannot reach the verdict engine, isolate anything not in the local allow list cache.
Tamper protectionRequire a password to stop or uninstall the endpoint agent.
Consume PKCERT and nCERT feedsIngest national advisories into the verdict engine every 6 hours.

Endpoints

Machines running the Phishing Protector agent as the default link handler.

1,284 protected
11 need update
6 offline
Coverage 99.1%
HostUserOSAgentDefault handlerLast seenStatus

User experience

What your people see. Safe links open instantly in their normal browser, risky ones in protected mode.

Block page — confirmed phishing
secure-askari-verify.top/login

This page was blocked

Averox Phishing Protector stopped this link because it impersonates Askari Bank to steal your sign-in details.

Requestedsecure-askari-verify.top
ReasonLookalike domain, 2 days old
Arrived viaWhatsApp Desktop
Isolation — read-only mode
account-review-portal.info
You are viewing this page safely in isolation read only

Reports

Board-ready exposure summaries and per-department risk scoring.

Scheduled reports appear here

Monthly phishing exposure report generates on the 1st. Next run: 1 August.

Help & Training

White paper, operational guide, and step-by-step training for your security team.

Averox Phishing Protector is an enterprise-grade, on-premises phishing prevention platform that intercepts every external link clicked across an organisation before it reaches a browser — evaluating it in under 200 ms and either allowing it, rendering it safely in an isolated container, or blocking it entirely. It operates transparently on the endpoint: users click links normally and the system protects silently in the background.

1 — Platform Overview

What it protects

Phishing is the leading initial access vector in cyberattacks worldwide and the dominant threat facing Pakistani enterprises and government organisations. The system protects against: credential harvesting pages (fake banking, M365, government portals), malware delivery via weaponised documents, adversary-in-the-middle (AiTM) kits that bypass MFA, and brand impersonation attacks targeting employees across all communication channels.

What it protects against — by channel

ChannelThreat typeHow protection works
EmailPhishing links in messages, HTML redirects, QR code linksAgent intercepts clicks before Outlook or Thunderbird open the browser
WhatsApp DesktopSocial engineering links, parcel lures, fake bank alertsDefault link handler intercepts WhatsApp link-open events
Microsoft TeamsCollaboration platform phishing, fake SharePoint linksTeams protocol handler redirected through agent verdict check
SMS / system browserSmishing links opened on the same machineSystem default browser replaced by agent-wrapped browser
Documents (PDF, Office)Embedded hyperlinks in attachmentsOffice and Acrobat link handler overridden by agent

Who operates it

The system is designed for two audiences. SOC analysts use the console to monitor the live threat stream, investigate blocked and isolated sessions, manage policies per user group, and review endpoint coverage. IT administrators deploy and manage the lightweight endpoint agent across the fleet using group policy, MDM, or manual installation scripts.

2 — Architecture

Three components

ComponentRoleDeployment
Endpoint AgentIntercepts link clicks OS-wide, sends URL to verdict engine, enforces the verdict (allow / open isolated / block)Installed per machine; Windows, macOS, Linux
Verdict EngineScores URLs in under 200 ms using a multi-stage pipeline; stores all verdicts and session recordsOn-premises Flask/Python server with SQLite or PostgreSQL
SOC ConsoleReal-time dashboard, threat log, isolation management, policy editor, fleet managementWeb UI served by the same backend; no external dependencies

Data flow

① User clicks a link in any application → ② Agent intercepts the OS open-URL event before the browser receives it → ③ Agent sends the URL to the verdict engine API (POST /api/v1/verdict) → ④ Engine scores the URL and returns a verdict within 200 ms → ⑤ Agent enforces the verdict: safe links open in the normal browser, suspect links open in an isolated container, confirmed phishing is blocked with a block-page. All events are logged and visible in the console within seconds.

3 — The Verdict Engine

The engine evaluates every URL through a deterministic three-phase pipeline. No machine learning model is involved — every scoring decision is auditable and reproducible.

Phase 1 — Instant verdicts (no scoring needed)

URLs matching the tenant allow list are immediately allowed. URLs matching the global or tenant block list, or confirmed in active threat feeds (PhishTank, OpenPhish, PKCERT national advisories), are immediately blocked. These checks complete in under 5 ms.

Phase 2 — Heuristic scoring (0–100 risk score)

URLs not resolved in Phase 1 are scored across multiple independent signal groups. Signals are additive — each one that fires increases the risk score.

SignalWhat it detectsRisk weight
domain_ageDomain registered less than 7 days ago — strongest single indicator of phishing infrastructureHigh (35 pts)
lookalikeTyposquatting and homoglyph attacks (e.g. askarlbank.com, аskaribank.com with Cyrillic а)High (30 pts)
suspicious_tldFree or abused top-level domains: .tk .ml .ga .cf .xyz .top .click .pwMedium (20 pts)
credential_keywordsWords like login, verify, secure, confirm, update in the URL path — common phishing lure vocabularyMedium (15 pts)
entropyHigh Shannon entropy in hostname — characteristic of domain-generation algorithm (DGA) malware C2Medium (18 pts)
punycodeInternationalised domain encoding used to make look-alike characters appear identical in browsersHigh (25 pts)
ip_as_hostURL uses a raw IP address instead of a domain — no legitimate business links to raw IPsHigh (30 pts)
excess_subdomainsMore than 3 subdomain levels — used to impersonate legitimate domains (login.secure.bank.tk)Low (10 pts)
at_symbol@ in URL — exploits browser parsing to hide the real destination (user@attacker.com/fake)High (28 pts)

Phase 3 — Content analysis (optional, configurable)

When CONTENT_ANALYSIS=1, the engine fetches the target page (SSRF-guarded, 1.5 MB cap, 6-second timeout) and scores its content for additional signals: headline sensationalism, emotional and urgency language density, author attribution quality, citation quality, and presence of credential-capture forms. Content analysis adds 0–45 points to the score and degrades gracefully if the page is unreachable.

Verdict thresholds

Score rangeVerdictAction
0 – 24ALLOWLink opens normally in the user's default browser
25 – 59ISOLATELink opens in a disposable browser container; read-only if credential page detected
60 – 100BLOCKLink is blocked; user sees the Averox block page with reason and reporting option

Thresholds shift per policy group aggressiveness: Permissive (isolate ≥40, block ≥70), Balanced (isolate ≥25, block ≥60), Strict (isolate ≥10, block ≥50).

4 — Browser Isolation Technology

Isolation is the capability that separates Averox from URL-filtering-only products. Rather than simply blocking suspect links — which creates friction and false positives — the system allows users to safely view the content of suspect pages without any risk reaching their endpoint.

Two rendering modes

ModeHow it worksUse case
DOM modePage is fetched and rendered in a headless browser inside the isolation container. The rendered DOM is sanitised — scripts and form actions are removed — and served to the user as a read-only view.Low–medium risk URLs; fast, low resource cost
Pixel modePage is fully rendered in the container and only pixel screenshots are streamed to the user's browser — nothing from the remote page's code reaches the endpoint at all.High-risk URLs; air-gap level isolation

Read-only enforcement

When the verdict engine detects a credential-capture form on the isolated page (password fields, login forms), it automatically enables read-only mode. Keyboard entry on the isolated page is disabled, preventing the user from typing their password even if they try. The system logs every such save as a "credential saved" event visible on the dashboard.

5 — Public Link Checker

In addition to the enterprise agent-based protection, the platform exposes a public link checker at /check — accessible to anyone without login or installation. Citizens, journalists, and government analysts can paste any URL and receive a full parameter-level verdict within seconds. All public submissions are logged with channel=public and visible in the SOC threat log. Per-IP rate limiting (20 requests per minute) prevents abuse.

This guide walks your SOC team through every part of the console, step by step. No prior experience required. Each section covers what you will see, what the data means, and what action to take.
1

Signing in

Navigate to the console URL provided by your administrator. Enter your work email and password, then click Sign in. The system uses short-lived JWT tokens — sessions expire after 8 hours and you will be returned to the login screen automatically.

Demo credentials: soc@averox.com / Averox@123 — for training and evaluation environments only.
2

Understanding the Dashboard

The dashboard shows the last 24 hours of link activity across your entire organisation. The four KPI cards at the top show:

  • Links checked — total URLs evaluated by the verdict engine across all channels and endpoints
  • Isolated — links opened in sandboxed containers because they were suspicious but not confirmed phishing
  • Blocked — confirmed phishing links stopped before any browser opened them
  • Credentials saved — times read-only mode prevented a user from entering their password on a phishing page inside isolation

The Live verdict stream updates every 2.5 seconds showing real-time link decisions. The Verdict breakdown donut shows the allow/isolate/block ratio. Most impersonated brands shows which organisations attackers are pretending to be.

What to watch: A sudden spike in blocked verdicts or an unusually high number of credentials-saved events indicates an active phishing campaign targeting your organisation. Investigate immediately using the Threat Log.
3

Reading and Using the Threat Log

Navigate to Threat Log in the sidebar. This shows every isolated and blocked link — each row contains the verdict, the URL, the user who clicked it, the channel it arrived through (email, WhatsApp, Teams), the reason it was flagged, a severity score, and the timestamp.

  • Use the All / Blocked / Isolated filter buttons to focus on confirmed threats
  • Use the Export button to download the current view as a CSV for reporting or SIEM ingestion
  • The reason column explains exactly which signal triggered the verdict — e.g. "lookalike domain, 2 days old" or "impersonates HBL"
Investigation tip: If the same user appears repeatedly in the blocked or isolated log, they may be a targeted victim or may have clicked a malicious link that is auto-loading from their email client. Notify their manager and check the isolation session for what they saw.
4

Isolation Sessions

Navigate to Isolation Sessions. This view shows all currently active isolation containers — live sandbox environments where users are safely viewing suspicious pages right now. Each row shows the session ID, rendering mode (DOM or Pixel), the target hostname, the user, and whether read-only mode is active.

  • DOM mode sessions are lower risk — the page is sanitised and rendered safely
  • Pixel mode sessions are higher risk — only screenshots are shown, nothing from the page code reaches the endpoint
  • Read-only ON means the system detected a credential-capture form and has disabled keyboard entry
Action: If you see a Pixel-mode read-only session, a user is actively looking at a high-risk phishing page right now. Consider contacting them directly to explain why the link was suspicious.
5

Managing Policies

Navigate to Policies. Policies control how aggressively the verdict engine treats uncertain URLs for each user group. Use the group tabs at the top to switch between groups (All staff, Finance, Executives, Branch network, Contractors).

  • Permissive — only clearly malicious links are isolated or blocked. Suitable for IT staff who need broad internet access.
  • Balanced — the recommended setting for most users. Newly registered, lookalike, and unknown domains are isolated.
  • Strict — everything not on the allow list is isolated. Recommended for Finance and Executives who are high-value phishing targets.

The Allow list panel lets you add trusted domains that will never be isolated (e.g. your banking portal, intranet, partner sites). Type the domain and press Enter to add. Click × to remove.

Always click Save changes after editing. Changes push to all agents in the group within 60 seconds.

6

Managing Endpoints

Navigate to Endpoints. This view shows every machine running the Phishing Protector agent. The fleet summary at the top shows how many machines are protected, how many need an agent update, and how many are offline.

  • Status: OK — agent is running, up to date, and checking in normally
  • Status: Update — agent is running but an update is available. Schedule an update at the next maintenance window.
  • Status: Offline — agent has not checked in for more than 30 minutes. Investigate whether the machine is powered off or the agent has been stopped.
  • Default handler: unknown — the agent is installed but not set as the system default link handler. URLs will NOT be intercepted on this machine. Re-run the installer with administrator rights to fix.

Click Deploy agent to get installation commands for new machines.

7

User Experience — What Users See

Navigate to User Experience. This preview shows exactly what your employees see when a link is blocked or isolated. It is important that your users understand these screens so they do not panic or try to bypass them.

  • Block page — a clear, branded screen explaining why the link was stopped. It shows the site name, the reason (e.g. "impersonates Askari Bank"), and the channel it arrived from. Users can report a mistake if they believe it is a false positive.
  • Isolation banner — a thin orange banner at the top of the isolated page reminding the user they are in a protected sandbox. The "read only" badge appears when typing is disabled.
Recommended: Send your employees a short communication explaining these screens before rollout. Users who understand the system co-operate with it. Users who do not may try to use personal devices or mobile browsers to bypass protection.
8

Public Link Checker (/check)

The public checker at /check allows anyone — no login, no agent — to paste a URL and get an instant verdict with a full parameter breakdown. Share this link with employees, management, or the public as a self-service awareness tool.

  • Paste any suspicious URL and click Check link
  • The result card shows the risk score (0–100), the verdict (Allow / Caution / Block), and a breakdown of every signal that contributed to the score
  • Each signal shows what was found and why it matters — designed to be understandable by non-technical users
Use case: An employee receives a suspicious WhatsApp message but is on their personal phone. They can visit /check on any browser, paste the link, and get an immediate independent verdict without installing anything.
The endpoint agent is a lightweight background service (under 12 MB, <0.1% CPU at idle) that registers itself as the system default URL handler. All link clicks — from any application — pass through it before reaching a browser. Installation takes under 2 minutes per machine and can be scripted via Group Policy, Intune, or Ansible.

Requirements

PlatformMinimum versionRequirements
WindowsWindows 10 1903+.NET 6 Runtime, administrator rights for install
macOSmacOS 12 Monterey+Administrator password for install, System Preferences approval for background service
LinuxUbuntu 20.04 / Debian 11+sudo access, systemd, libgtk-3 for isolation renderer

Installation

Windows — PowerShell (run as Administrator)

Invoke-WebRequest -Uri "https://pp.averox.com/pp/latest/win/install.ps1" ` -OutFile install.ps1 .\install.ps1 -TenantKey YOUR_TENANT_KEY -ServerUrl https://YOUR_SERVER:8000

macOS — Terminal

curl -sSL https://pp.averox.com/pp/latest/macos/install.sh \ | sudo bash -s -- \ --tenant-key YOUR_TENANT_KEY \ --server-url https://YOUR_SERVER:8000

Linux (Debian / Ubuntu)

wget -qO- https://pp.averox.com/pp/latest/linux/install.sh \ | sudo bash -s -- \ --tenant-key YOUR_TENANT_KEY \ --server-url https://YOUR_SERVER:8000

Silent deployment via Group Policy / Intune

msiexec /i AveroxPP.msi /quiet \ TENANT_KEY="YOUR_TENANT_KEY" \ SERVER_URL="https://YOUR_SERVER:8000" \ SET_DEFAULT_HANDLER=1

Verification

After installation, open a terminal and run:

averox-agent status

Expected output:

Averox Phishing Protector Agent v4.2.1 Status: running Default handler: registered Server: https://YOUR_SERVER:8000 (reachable) Tenant: tnt_averox_demo Last verdict: 2.1s ago

The machine will appear in the Endpoints view of the console within 60 seconds of a successful first check-in. If it does not appear, verify network connectivity to the server URL and confirm the tenant key is correct.

Uninstallation

If tamper protection is enabled in the policy, a password is required to uninstall. Contact your SOC administrator for the tamper protection password before proceeding.

# Windows (PowerShell as Administrator) .\uninstall.ps1 # macOS / Linux sudo averox-agent uninstall