Netskope Help

Malicious Sites

Netskope can detect malicious sites both inline and via Risk Insights. Detected sites are shown in the Netskope UI (Incidents > Malicious Sites).

The main features of the Malicious site detection engine are:

  • Backed by Netskope Threat Research Labs, with a dedicated team focused on new cloud threats.

  • Includes threat intel curated from 40+ external feeds.

  • Detects communications with malicious URLs, IPs, and command and control servers.

  • Provides global and collective protection against new cloud threats, and is continually updated with newly detected cloud threats.

Malicious Site Categories & Security Risks

Following are the Netskope Threat Intelligence categories for malicious sites:



Security Risk

Sites that are pervasive and can pose a direct threat to business availability. A risk management site is essential for managing vulnerabilities and other risks. This category includes all the Security Risk types in the table below.

Newly Registered Domain

The newly registered domain category contains domains that were registered in the last 30 days. Domains under this category are frequently used in malicious activities.

Following are the different security risk types:

Security Risk Type


Ad Fraud

Sites that are being used to commit fraudulent online display advertising transactions using different ad impression boosting techniques, including but not limited to ads stacking, iframe stuffing, and hidden ads. Sites that have high non-human web traffic and with rapid, large, and unexplained changes in traffic. Web analysts should not use this category.


Sites that attempt to gain unauthorized access to information resources or services or cause harm or damage to information systems.


Sites or compromised web servers running software that is used by hackers to send spam, phishing attacks, and denial of service attacks.

Command and Control Server

Internet servers and compromised command and control (C2 or C&C) servers and centers used to send commands to infected machines called bots. And sites that are a security risk because call-home malware is detected.

Compromised/Malicious Sites

Sites that appear to be legitimate, but house malicious code or link to malicious websites hosting malware. These sites have been compromised by someone other than the site owner. If Firefox blocks a site as malicious, use this category. Examples are defaced, hacked by, etc.

Cryptocurrency Mining

Sites that use cryptocurrency mining technology without user permission. This is considered a malicious category.


Domains that are generated algorithmically using a domain generation algorithm (DGA). These domains are used by DGA-based malware as their C2 channel, and they aim to hide the location of the active C2 server.


Sites with information or tools specifically intended to assist in online crime, such as the unauthorized access to computers, but also pages with tools and information that enables fraud and other online crime.

Malware Distribution Point

Sites that host viruses, exploits, and other malware are considered Malware Distribution Points. Web analysts might use this category if their antivirus program triggers on a particular website. Other categories should also be added if applicable.


All security risk indicators that aren't mapped to any of the other listed security risk types (e.g., high risk, medium risk, and possible risk).


Sites that impersonate other web pages, usually with the intent of stealing passwords, credit card numbers, or other information. Also includes websites that are part of scams such as a 419 scam where a person is convinced to hand over money with the expectation of a big payback that never comes (e.g., con, hoax, scam, etc.).

Spam Sites

URLs that frequently occur in spam messages. Web analysts shouldn't use this.

Spyware and Questionable Software

Software that reports information back to a central server such as spyware or keystroke loggers. It also includes software that may have legitimate purposes, but some people may object to having on their system. Web analysts shouldn't use this category.

Viewing Malicious Sites

To view the malicious sites that were contacted by your internal hosts, go to Incidents > Malicious Sites.


Primary metrics appear in the panels on top, and a table provides more specific information. The search field on top allows you to filter the malicious sites shown on the page by entering key words. The information shown on this page includes:

  • Sites Allowed: Sites that your users visited and were not blocked.

  • Total Malicious Sites: The total number of malicious sites that users have visited.

  • Users Allowed: The total number of users not blocked from visiting a malicious site.

  • Site: The IP address or URL associated with the malicious site.

  • Severity: The severity rating for the malicious site: Critical, High, Medium, or Low.

  • Category: The type of malicious site detected.

  • Site Destination: The location where the malware was downloaded.

Click an item on the page to see more comprehensive details. This page provides more information about the site you selected. The information shown on this page includes:

  • Site: The IP address or URL associated with the malicious site and associated categories.

  • Severity: The severity rating for the malicious site: Critical, High, Medium, or Low.

  • Site Allowed: Static display showing this site is an allowed site.

  • Users Allowed: The total number of users not blocked from visiting this malicious site.

  • Users Blocked: The total number of users blocked from visiting this malicious site.

  • Attribute/Value: Specific information about the site, like reputation, first seen, etc. Hover your mouse over the Attribute to view descriptions.

  • Users Affected: The name of the offending user in your system associated with the particular malicious site.

  • Action: The action taken based on the quarantine profile you selected, like allow or block.

  • Date: The last date the user visited the malicious site.

  • IP Host: the IP address of the malicious site.

  • Site Destination: The country of the malicious site.

  • Region: The region of the malicious site.

To export this information to a file, click Export CSV.