SOC105 - Suspicious URL Request (Bitly Redirect → Benign Activity)
by
Summary
This investigation was triggered by a SOC105 - Requested T.I. URL Address alert involving a shortened URL (bit.ly/TAPSCAN).
Initial threat intelligence flagged the URL as suspicious; however, deeper analysis revealed that it redirected to a legitimate Google Play Store application (TapScanner).
Further validation using VirusTotal, AnyRun, and Hybrid Analysis showed no malicious behavior.
The activity was determined to be benign user activity, and the alert was classified as a False Positive.
Alert Overview
- Event ID: 75
- Rule: SOC105 - Requested T.I. URL Address
- Severity: High
- Source Host: MarksPhone
- Source IP: 10.15.15.12
- Destination IP: 67.199.248.10
- Destination Domain: bit.ly
- User: Mark
- Action: Allowed
Investigation Steps
1. URL Analysis
https://bit.ly/TAPSCAN
- VirusTotal:
  - 1/95 detections
  - Tagged as: Phishing (single vendor)

Observation: Very low detection rate. A single-vendor verdict on a shortener link says nothing about where the link actually lands, so the redirect target has to be resolved and validated directly before any judgment.
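To make the "expand before judging" step reproducible, here is an added example (not code from the original investigation) that walks a shortener's redirect chain one hop at a time instead of letting the client auto-follow, so the analyst sees every intermediate URL and the walk stops on loops, excessive hops, or a non-HTTP scheme such as a market:// deep link. The fetcher is injectable: the default uses urllib with a HEAD request and redirect-following disabled, while `offline_fetch` and `SAMPLE_RESPONSES` are constructed stand-ins for the live hops of this case (the Play Store package id is made up).

```python
"""Expand a shortened URL one redirect hop at a time.

Added example for this write-up, not code from the original investigation.
The fetcher is injected so the chain walk can run offline against constructed
responses; the default fetcher uses urllib with redirect-following disabled.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hosts treated as link shorteners (constructed list for this example).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url):
    """HEAD the URL and return (status, Location-or-None) without following."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "soc-url-expander/1.0"}
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirect-following disabled, a 3xx surfaces here as an HTTPError.
        return err.code, err.headers.get("Location")


def expand(url, fetch=urllib_fetch, max_hops=MAX_HOPS):
    """Walk the redirect chain and return (hops, verdict).

    hops is every URL visited, in order. verdict is 'resolved' (a non-redirect
    answer was received), 'loop', 'too_many_hops' or 'non_http' (a scheme a
    browser would hand off to another app, e.g. market://)."""
    if urlsplit(url).scheme not in ("http", "https"):
        return [url], "non_http"
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops, "resolved"
        nxt = urljoin(hops[-1], location)  # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop"
        if urlsplit(nxt).scheme not in ("http", "https"):
            return hops, "non_http"
        seen.add(nxt)
    return hops, "too_many_hops"


def classify(hops, verdict, trusted_hosts=("play.google.com",)):
    """Summarise the chain for the analyst's notes."""
    final_host = (urlsplit(hops[-1]).hostname or "").lower()
    return {
        "final_url": hops[-1],
        "final_host": final_host,
        "hop_count": len(hops) - 1,
        "verdict": verdict,
        "ends_on_shortener": final_host in SHORTENER_HOSTS,
        "final_host_trusted": verdict == "resolved" and final_host in trusted_hosts,
    }


# Constructed responses standing in for the live hops of this case; the
# Play Store package id is made up.
SAMPLE_RESPONSES = {
    "https://bit.ly/TAPSCAN": (
        301, "https://play.google.com/store/apps/details?id=com.example.tapscanner"),
    "https://play.google.com/store/apps/details?id=com.example.tapscanner": (200, None),
}


def offline_fetch(url):
    """Offline stand-in for urllib_fetch, answering only from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def demo():
    """Resolve the case URL against the constructed responses."""
    hops, verdict = expand("https://bit.ly/TAPSCAN", fetch=offline_fetch)
    return classify(hops, verdict)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the expander never follows a redirect on its own, a chain that bounces through several shorteners or ends on a non-HTTP scheme shows up as such rather than silently resolving; pass `expand(url)` with the default fetcher to run it against a live link from an isolated analysis host.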
2. Sandbox Analysis (AnyRun)
- URL opened in sandbox environment
- Observed behavior:
  - Redirected to Google Play Store
  - No malicious scripts or payload execution
  - No suspicious processes

Conclusion: No malicious behavior detected.
3. Hybrid Analysis
- Latest sandbox analysis (2024):
  - No malicious indicators
  - Clean behavior on Windows environment

Conclusion: No evidence of malicious activity. Note that a Windows sandbox only shows what a desktop browser is served; the link targets an Android app, so the Play Store landing page is the strongest evidence here.
4. IP Reputation Analysis
- Destination IP: 67.199.248.10
- VirusTotal:
  - 2/94 detections
- Ownership: Bitly Inc (URL shortening service)

Conclusion: Trusted infrastructure (Bitly service). A shortener's IP is shared by every link it serves, so its reputation says nothing about the landing page; the verdict rests on the redirect analysis above, not on this lookup.
5. Traffic Behavior Analysis
- Process involved: msedge.exe (browser)
- HTTP logs show:
  - Normal web traffic
  - Successful request (200 OK)
  - No suspicious downloads or execution

Conclusion: Standard user browsing activity.
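Added example, not part of the original write-up: a small triage pass over constructed web-proxy log lines in the shape of this case (source, host, user, process, URL, status, content type, bytes). It flags the two things that would have flipped the verdict, a runnable or package download and a non-browser process making the request. The log format and every line in it are constructed; `CONTRAST_LOG` is a hypothetical line showing what a bad outcome of the same redirect would look like.

```python
"""Triage a handful of web-proxy log lines for a single host.

Added example for this write-up, not part of the original investigation.
The key=value log format and every line below are constructed.
"""
import re
from urllib.parse import urlsplit

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Content types and extensions that mean "something runnable was fetched".
EXEC_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.android.package-archive",
}
EXEC_EXT = (".exe", ".dll", ".msi", ".scr", ".apk", ".hta", ".js", ".vbs", ".ps1", ".jar")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}


def parse_line(line):
    """Turn one key=value log line into a dict with numeric status and bytes."""
    rec = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
    rec["status"] = int(rec.get("status", 0))
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def triage(records):
    """Return one finding per request that would change a benign verdict."""
    findings = []
    for rec in records:
        path = urlsplit(rec.get("url", "")).path.lower()
        flags = []
        if rec.get("ctype") in EXEC_TYPES or path.endswith(EXEC_EXT):
            flags.append("executable_download")
        if rec.get("proc") not in BROWSERS:
            flags.append("non_browser_process")
        if flags:
            findings.append({"url": rec.get("url"), "proc": rec.get("proc"), "flags": flags})
    return findings


def summarize(log_text):
    """Parse a block of log lines and return the session-level picture."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = triage(records)
    return {
        "requests": len(records),
        "status_chain": [r["status"] for r in records],
        "processes": sorted({r.get("proc", "?") for r in records}),
        "findings": findings,
        "benign": not findings,
    }


# Constructed lines in the shape of this case: the browser hits the shortener,
# is redirected, and lands on the Play Store page (package id is made up).
CASE_LOG = """\
src=10.15.15.12 host=MarksPhone user=Mark proc=msedge.exe method=GET url=https://bit.ly/TAPSCAN status=301 ctype=text/html bytes=0
src=10.15.15.12 host=MarksPhone user=Mark proc=msedge.exe method=GET url=https://play.google.com/store/apps/details?id=com.example.tapscanner status=200 ctype=text/html bytes=48211
"""

# Hypothetical contrast: the same session ending in a binary download.
CONTRAST_LOG = CASE_LOG + (
    "src=10.15.15.12 host=MarksPhone user=Mark proc=msedge.exe method=GET "
    "url=https://cdn.example/TapScanner_setup.exe status=200 "
    "ctype=application/octet-stream bytes=1843200\n"
)

if __name__ == "__main__":
    for name, log in (("case", CASE_LOG), ("contrast", CONTRAST_LOG)):
        print(name, summarize(log))
```

The check is deliberately narrow: it does not try to judge the URL, only whether the session did anything beyond rendering pages, which is the question step 5 answers.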
Final Verdict
| Category | Result |
|---|---|
| URL Reputation | Low Risk |
| Sandbox Result | Clean |
| IP Reputation | Trusted (Bitly) |
| Behavior | Redirect to Legitimate App |
| Impact | None |
| Severity | Low |
| Verdict | False Positive |
Actions Taken
- Investigated URL and redirection behavior
- Performed sandbox analysis (AnyRun, Hybrid Analysis)
- Verified IP reputation
- Classified alert as False Positive
Conclusion
This alert represents a false positive triggered by a shortened URL.
The investigation confirmed:
Bitly URL → Redirect → Legitimate Google Play Page → No Threat
Despite initial suspicion, the activity was purely benign user interaction with a trusted service.
This case highlights the importance of:
- Expanding shortened URLs before judgment
- Validating behavior through sandbox analysis
- Avoiding reliance on single-engine detections
- Understanding common services like Bitly