Ignite & Activate: Outsmart the Next Phishing Attack with Advanced URL Filtering


By: @ssingh29 

Co-Author: @tbolatiwa 

 

Attackers today use AI-assisted tactics to evade traditional defenses and deceive even vigilant users. Phishing in particular has become faster, more convincing, and more targeted than ever. As a result, organizations are recognizing that they need protection that goes beyond static URL databases and delivers real-time visibility and prevention across every web session.

 

A single successful phishing click is all it takes to unravel your business operations and the trust that underpins your business.

 

Consider the 2025 "Shai-Hulud" worm, which compromised hundreds of widely used software packages. This was not a breach of the npm registry infrastructure itself; it was a surgical act of social engineering. Attackers sent a highly convincing phishing email impersonating official npm support and directed package maintainers to a newly registered look-alike website, where they were asked to "update" their multi-factor authentication settings and, in doing so, handed over their account credentials.

 


Figure 1: "Shai-Hulud" Worm

 

That one successful credential harvest let the attackers publish malicious, self-replicating versions of packages under the compromised accounts. The worm payload stole secrets, used them to move laterally to new maintainers and packages, and spread rapidly across the software ecosystem.

How do you stop a zero-day phishing domain designed to stay live for only a few hours?

Traditional list-based tools cannot keep up. URL filtering that relies on reputation databases and scheduled updates leaves a gap for zero-day and rapidly rotating domains. A newly registered phishing domain such as the one used in this campaign is, by definition, a zero-day URL: no feed has seen it yet. That creates an exposure window in which the site can harvest credentials and set the downstream attack in motion long before it appears on any global blocklist.

 

To close this gap, Palo Alto Networks' Advanced URL Filtering (AURL), powered by Precision AI and real-time, inline deep learning detectors, identifies and blocks never-before-seen phishing domains as they emerge, stopping the credential-harvesting step that led to the "Shai-Hulud" account takeovers before a user can submit a password or MFA code.

Inside Advanced URL Filtering: Stopping Zero-Day Phishing in Real Time

Advanced URL Filtering is a cloud-delivered security service that operates inline with the Palo Alto Networks Next-Generation Firewall (NGFW) or Prisma Access. It lets administrators control user access to web content through rules based on predefined and custom URL categories and on external dynamic lists (EDLs).

 

At the core of this capability is Advanced URL Inline Categorization, which uses local (on-firewall) and cloud-based machine learning models to categorize a URL in milliseconds, as the request is made. When a page is classified as malicious, the firewall applies the action configured for the real-time-detection category (block, in a hardened profile) on that first request, so the phishing page is never rendered, credentials are never entered, and the attack is stopped at its earliest stage.

 


Figure 2: Enable Cloud Inline Categorization Option

 

To illustrate the breadth of these fast-moving phishing techniques, here are just a few examples of the differentiated threats Advanced URL Filtering detects in real time:

  • QR-code–based phishing pages that bypass email security
  • Newly created fake MFA portals that are designed minutes before an attack
  • Fingerprinting-based phishing pages that change content per user or device
  • JavaScript-driven redirect chains and cloaking behaviors
  • AI-generated phishing domains that have never been seen before

Step-by-Step Guide: Enabling Advanced URL Filtering

The essential steps for configuring an Advanced URL Filtering profile are outlined below to help you enable protection quickly, establish category-based controls, and activate real-time detection across your network. Existing customers should verify three things: that Advanced URL Filtering is licensed and enabled, that the real-time-detection category is set to at least alert (and to block once you have reviewed the logs), and that Enable Cloud Inline Categorization is turned on. Without all three, the inline ML verdicts described above are either not generated or not acted on, and protection falls back to list-based filtering.

 

Activate on PAN-OS (firewall or Panorama):

  1. Verify License: Ensure that the Advanced URL Filtering service is licensed and active on the firewall (Device -> Licenses).
  2. Create a URL Filtering Profile: Select Objects -> Security Profiles -> URL Filtering and add or modify a URL Filtering profile.
  3. Define Site Access for Each URL Category: Select Categories, and then set Site Access:
    • allow permits traffic to the category; this traffic is not logged.
    • alert permits the traffic and writes a URL Filtering log entry, giving visibility into the sites users reach.
    • block denies the traffic, logs it, and serves a block response page.
    • continue serves a response page that requires the user to click Continue before proceeding to a site in the category.
    • override permits access only after the user enters a configured password.
  4. Enable Real-Time Analysis: In the profile's Inline Categorization settings, enable both local and cloud Advanced URL Inline Categorization for real-time analysis of URL traffic, including new phishing variants and JavaScript exploits.
  5. Apply and Activate: Attach the URL Filtering profile (directly or through a Security Profile Group) to every Security policy rule that allows web access, then commit to activate the changes.

Activate in Strata Cloud Manager (SCM):

  1. Verify License: Ensure that the Prisma Access (or cloud-managed NGFW) subscription covers Advanced URL Filtering.
  2. Navigate to the URL Access Management Dashboard:
    • Go to Configuration -> NGFW and Prisma Access -> Security Services -> URL Access Management.
    • The Access Control, Settings, and Best Practices tabs expose the available URL filtering features.
  3. Create a URL Access Management Profile: On the URL Access Management dashboard, add a profile and specify the web access setting for each URL category.
  4. Enable Real-Time Analysis: Use the Advanced URL Inline Categorization settings to enable and configure real-time web page analysis and to manage URL exceptions.
  5. Apply and Activate: Attach the URL Access Management profile to every Security policy rule that allows web access, then push the configuration to activate the changes.
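The steps above configure the profile through the GUI. As a complementary check for the verification the guide asks existing customers to perform, here is an added example (not part of the original post and not a Palo Alto Networks tool) that audits a PAN-OS configuration export: it flags any URL Filtering profile in which real-time-detection is not set to alert or block, in which the phishing-related categories are not blocked, or in which local or cloud inline categorization is off, and any allow rule that carries no compliant profile. The element names (block/alert/allow member lists, local-inline-cat, cloud-inline-cat, profile-setting) follow PAN-OS 10.2+ exports as I recall them and should be confirmed against your own running-config.xml; the sample configuration, profile names and rule names are constructed for the example.

```python
"""Audit a PAN-OS configuration export for Advanced URL Filtering gaps."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed PAN-OS running-config.xml. Element names follow
# PAN-OS 10.2+ exports as recalled by the author of this example; confirm them
# against your own export. Profile and rule names are made up.
SAMPLE_CONFIG = """\
<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles>
   <url-filtering>
    <entry name="URL-Strict">
     <block>
      <member>real-time-detection</member>
      <member>phishing</member>
      <member>malware</member>
      <member>command-and-control</member>
     </block>
     <alert>
      <member>newly-registered-domain</member>
      <member>unknown</member>
     </alert>
     <local-inline-cat>yes</local-inline-cat>
     <cloud-inline-cat>yes</cloud-inline-cat>
    </entry>
    <entry name="URL-Legacy">
     <block>
      <member>malware</member>
      <member>phishing</member>
     </block>
     <allow>
      <member>real-time-detection</member>
     </allow>
     <local-inline-cat>yes</local-inline-cat>
     <cloud-inline-cat>no</cloud-inline-cat>
    </entry>
   </url-filtering>
  </profiles>
  <rulebase><security><rules>
   <entry name="users-to-internet">
    <action>allow</action>
    <profile-setting><profiles><url-filtering>
     <member>URL-Strict</member>
    </url-filtering></profiles></profile-setting>
   </entry>
   <entry name="contractors-to-internet">
    <action>allow</action>
    <profile-setting><profiles><url-filtering>
     <member>URL-Legacy</member>
    </url-filtering></profiles></profile-setting>
   </entry>
   <entry name="servers-to-internet">
    <action>allow</action>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>
"""

# Site Access actions a URL Filtering profile can assign to a category.
ACTIONS = ("block", "alert", "continue", "override", "allow")
# Categories that must be blocked for the phishing scenario discussed above.
MUST_BLOCK = {"phishing", "malware", "command-and-control"}
# real-time-detection must at least alert so inline ML verdicts are logged.
RTD_OK = {"block", "alert"}


def category_actions(profile):
    """Map each category named in a profile to its configured Site Access action."""
    actions = {}
    for action in ACTIONS:
        for m in profile.findall(f"./{action}/member"):
            actions[m.text.strip()] = action
    return actions


def audit_profile(profile):
    """Return human-readable findings for one URL Filtering profile (empty if compliant)."""
    name = profile.get("name")
    findings = []
    acts = category_actions(profile)
    rtd = acts.get("real-time-detection", "unset")
    if rtd not in RTD_OK:
        findings.append(f"{name}: real-time-detection is '{rtd}', needs alert or block")
    for cat in sorted(MUST_BLOCK):
        if acts.get(cat) != "block":
            findings.append(f"{name}: {cat} is '{acts.get(cat, 'unset')}', should be block")
    for knob in ("local-inline-cat", "cloud-inline-cat"):
        val = profile.findtext(knob, default="no").strip()
        if val != "yes":
            findings.append(f"{name}: {knob} is '{val}', enable Advanced URL Inline Categorization")
    return findings


def audit_config(xml_text):
    """Audit every URL Filtering profile and every allow rule in a config export.

    Returns (bad_profiles, findings): the set of non-compliant profile names
    and the list of findings for profiles and for allow rules.
    """
    root = ET.fromstring(xml_text)
    findings, bad = [], set()
    for p in root.findall(".//profiles/url-filtering/entry"):
        f = audit_profile(p)
        if f:
            bad.add(p.get("name"))
            findings.extend(f)
    # Every rule that allows traffic must carry a URL Filtering profile that passed.
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.findtext("action", default="").strip() != "allow":
            continue
        rname = rule.get("name")
        group = rule.findtext("profile-setting/group/member")
        if group is not None:  # profile groups are not expanded here
            findings.append(f"rule {rname}: uses profile group '{group.strip()}', check its URL Filtering member manually")
            continue
        attached = rule.findtext("profile-setting/profiles/url-filtering/member")
        if attached is None:
            findings.append(f"rule {rname}: allows traffic with no URL Filtering profile")
        elif attached.strip() in bad:
            findings.append(f"rule {rname}: uses non-compliant profile '{attached.strip()}'")
    return bad, findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG)[1]:
        print(line)
```

To run this against a real device, export the running configuration (Device -> Setup -> Operations -> Export named configuration snapshot) and pass the file contents to audit_config in place of SAMPLE_CONFIG. Rules that reference a Security Profile Group are flagged for manual review because the script does not expand groups. SCM-managed deployments expose the same settings through the SCM API rather than an XML export, so this check covers the PAN-OS/Panorama path only.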

Closing the Gaps in Traditional URL Filtering: Why It Matters

Advanced URL Filtering detects and stops sophisticated social engineering attacks in real time.

  • Preemptive Defense: By blocking the zero-day phishing site at the first request, Advanced URL Filtering prevents the credential theft that is usually the trigger for large-scale attacks such as "Shai-Hulud".
  • Stops Evasion: Attackers increasingly use cloaking, CAPTCHA gates, and polymorphic, single-use domains to slip past list-based URL filtering. Advanced URL Filtering's inline deep learning detectors are designed specifically to identify unknown and highly evasive threats.
  • Real-Time Analysis: Palo Alto Networks' machine learning and cloud-delivered intelligence inspect traffic in real time to detect and block new and unknown threats as they emerge, before they reach users or the network.

Take the next step in protecting your organization from today’s most advanced phishing and web-based attacks. Activate Advanced URL Filtering on your Palo Alto Networks Next Generation Firewall or Prisma Access to strengthen your defenses with real-time, AI-powered protection. 

 

Want to see how Advanced URL Filtering fits into your broader security strategy? Request a personalized security assessment and discover how Advanced URL Filtering works with other Cloud-Delivered Security Services to strengthen your defense against supply chain attacks.
