Microsoft Defender Threat Intelligence now with hash and URL search

Sicherheit (Pexels, allgemeine Nutzung)[German]Small addendum: Microsoft expanded its Microsoft Defender Threat Intelligence (Defender TI) this week. Defender TI now includes functions that allow logged-in users to check file hash values. It also adds support for a URL search. This should allow security managers or security researchers to check whether URLs or files are malicious. Microsoft tries to counter Google's Virustotal, but requires a user login to use Defender TI.


The topic  would have passed me by if I hadn't seen this post from The Register. Microsoft outlined what's new as of April 17, 2023 in the Techcommunity post What's New: Hash and URL Search Intelligence.

Microsoft Defender Threat Intelligence

I once logged into Defender TI with my Microsoft account and got to see the above page. The search box menu allows you to select various categories such as searching for certificates or in the Whois database. In addition, some security articles are displayed in the search page.

Microsoft writes in the Techcommunity article that the Defender TI uses Microsoft's threat data through static and dynamic analysis of files and URLs inside and outside the ecosystem, providing comprehensive coverage of potential threats.

  • Static analysis examines the file's code without executing it,
  • while dynamic analysis runs the file in a controlled environment to observe its behavior.

This dual approach of Defender TI is intended to allow potential threats to be identified and categorized using static analysis techniques and actual behavior to be detected and analyzed using dynamic analysis techniques. Users can search any hash or URL with the displayed search bar.


The "Summary" tab displays the reputation value and basic information for the file hash or URL entities. A "Data" tab is where Defender TI provides detailed insights, Microsoft writes in its post. Integrating hash and URL values in Defender TI to use static and dynamic analysis has been one of the most requested features from customers, Microsoft writes. The new feature is intended to allow security professionals to obtain detailed information about specific hashes or URLs found on a network or the Internet.

I once tried to check some URLs, but was then more than disillusioned. For two URLs I got no hits (well, they were still fresh). Then I tried to check the URL parcel-delivered[.]com mentioned in my German pishing article LKA-Warnung vor SMS-Phishing wegen gescheiterter DHL-Paketzustellung (März 2023). My jaw dropped when I saw the following result.

Testing Defender TI

Can be summarized to "move along, nothing to see here" – and if you want to see something more detailed about the analysis under "Reputation", you have to be a licensed subscriber. Just for comparison, the results page at the same URL, which is displayed without subscription.

Virustotal result

Maybe the Defender TI contains some hidden goodies – but I stick to if I want to quickly check a URL or a file. Or did I miss something important ad-hoc now?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *