URI/URL

The Uniform Resource Identifier (URI) and Uniform Resource Locator (URL) can be used to uniquely identify and locate a specific file in a publicly addressable space. There are a number of ways in which these can be used to identify a threat.

Top-level domains can be a useful indicator. The most common sites for most organizations will be hosted at .com or at national domains. Frequent visits to sites outside the organization's locale may indicate a problem, especially if they are under country codes that have less stringent regulations.

Another indicator is the use of randomly generated domain names. These are very common for command-and-control servers, or when malware checks whether it is running in a sandbox environment. A caveat, though, is domain names made up of extended sequences of numbers. These are often used in the Far East to remove transcription and/or transliteration issues.

A URL or URI may be associated with specific files on the internet that have previously been identified as malicious. When a file is detected as malware, the endpoint or network protection systems may add the URL or URI to a banned list. To use a non-computing example, it would be like a shop placing a ban on orders from a certain address if it has a history of non-payment.
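
As an added example (not from the original text), the three indicators above and the numeric-domain caveat can be combined into a simple triage function over proxy-log URLs. The expected TLD set, banned list, entropy threshold and sample URLs are all constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# All values below are constructed for illustration (assumptions, not from the text).
EXPECTED_TLDS = {"com", "uk"}                          # normal for a hypothetical UK organization
BANNED_URLS = {"http://files.example.com/update.exe"}  # URLs previously tied to detected malware
ENTROPY_THRESHOLD = 3.0                                # bits per character; tune on your own traffic
MIN_LABEL_LEN = 10                                     # short labels carry too little signal


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_random(label):
    """Heuristic for generated names; all-digit labels are exempt (the caveat above)."""
    if label.isdigit() or len(label) < MIN_LABEL_LEN:
        return False
    return shannon_entropy(label) >= ENTROPY_THRESHOLD


def score_url(url):
    """Return the list of indicators that a URL trips (empty list means none)."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["no-host"]
    labels = host.split(".")
    reasons = []
    if url in BANNED_URLS:
        reasons.append("banned-url")
    if labels[-1] not in EXPECTED_TLDS:
        reasons.append("unusual-tld")
    if any(looks_random(label) for label in labels[:-1]):
        reasons.append("random-looking-domain")
    return reasons


# Constructed sample of proxy-log URLs.
SAMPLE_URLS = [
    "https://www.example.com/index.html",
    "http://files.example.com/update.exe",
    "https://portal.example.net/login",
    "http://xk7qz9vb2mfw4tj8.example.com/gate",
    "https://4008123456789.example.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, score_url(u) or ["no indicators"])
```

The all-digit label would exceed the entropy threshold on its own, so the explicit exemption is what keeps it from being flagged.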
