Method: projects.uris.submit

Submits a URI suspected of containing malicious content for review. Returns a google.longrunning.Operation, which is updated with a result after the review is complete. You can use the Pub/Sub API to receive notifications for the returned Operation. If the review confirms malicious content, Google adds the site to Google's Social Engineering lists to help protect users from this threat. To obtain access, contact Sales or your customer engineer.

HTTP request

POST https://webrisk.googleapis.com/v1/{parent=projects/*}/uris:submit

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
parent

string

Required. The name of the project that is making the submission. This string is in the format "projects/{project_number}".

Request body

The request body contains data with the following structure:

JSON representation 
{
  "submission": {
    object (Submission)
  },
  "threatInfo": {
    object (ThreatInfo)
  },
  "threatDiscovery": {
    object (ThreatDiscovery)
  }
}
Fields
submission

object (Submission)

Required. The submission that contains the URI to be scanned.
threatInfo

object (ThreatInfo)

Provides additional information about the submission.
threatDiscovery

object (ThreatDiscovery)

Provides additional information about how the submission was discovered.

Response body

If successful, the response body contains an instance of Operation.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Submission

Wraps a URI that might be displaying malicious content.

JSON representation 
{
  "uri": string,
  "threatTypes": [
    enum (ThreatType)
  ]
}
Fields
uri

string

Required. The URI that is being reported for malicious content to be analyzed.
threatTypes[]

enum (ThreatType)

Output only. ThreatTypes found to be associated with the submitted URI after reviewing it. This might be empty if the URI was not added to any list.

ThreatInfo

Context about the submission including the type of abuse found on the URI and supporting details.

JSON representation 
{
  "abuseType": enum (AbuseType),
  "abuseSubtype": enum (AbuseSubtype),
  "targetedBrand": {
    object (TargetedBrand)
  },
  "threatConfidence": {
    object (Confidence)
  },
  "threatJustification": {
    object (ThreatJustification)
  }
}
Fields
abuseType

enum (AbuseType)

The type of abuse.
abuseSubtype

enum (AbuseSubtype)

Optional. The sub-type of abuse. This is a more granular view of the abuse type. Only set this field when abuseType is SOCIAL_ENGINEERING (including phishing and scams). If abuseSubtype is set for any other abuse type, the request is rejected with INVALID_ARGUMENT.

Setting this field provides the following benefits:

  • Improved Detection accuracy: Specific categories (e.g., BANK_PHISHING) provide a stronger signal to our models than generic labels. If we observe low detection rates for a specific category you submit, we can target that area for model improvement.
  • Clearer intent: The taxonomy helps clarify the intent of your submission and ensure that it aligns with supported threat policies.

Important:

  • If your submission doesn't align with any of these categories, use OTHER_PHISHING or OTHER_SCAM. We will survey the submissions and the comments field to describe your subcategory, and we will conduct a review to add more subcategories in the future.
  • Providing AbuseSubtype doesn't guarantee that your submission will be accepted. We must validate that the submitted URLs render content that violates Safe Browsing policies.
targetedBrand

object (TargetedBrand)

Optional. The brand, organization or institution targeted or impersonated by the attack.
threatConfidence

object (Confidence)

Confidence that the URI is unsafe.
threatJustification

object (ThreatJustification)

Context about why the URI is unsafe.

AbuseType

The abuse type found on the URI.

Enums
ABUSE_TYPE_UNSPECIFIED Default.
MALWARE The URI contains malware.
SOCIAL_ENGINEERING The URI contains social engineering (including phishing and scams).
UNWANTED_SOFTWARE The URI contains unwanted software.

AbuseSubtype

The sub-type of abuse.

Enums
ABUSE_SUBTYPE_UNSPECIFIED Default.
BANK_PHISHING Phishing by impersonating a bank or other trusted financial entity to obtain the end user’s credentials.
CRYPTO_EXCHANGE_PHISHING Phishing by impersonating a recognized cryptocurrency trading platform to obtain the end user’s credentials.
SOCIAL_MEDIA_PLATFORM_PHISHING Phishing by impersonating a social media platform to obtain the end user’s credentials.
RETAIL_PHISHING Phishing by impersonating an established retail site to obtain the end user’s credentials or payment details.
EMAIL_PROVIDER_PHISHING Phishing by impersonating an email service to obtain the end user’s credentials.
ENTERTAINMENT_PHISHING Phishing by impersonating an entertainment service to obtain the end user’s credentials.
GOVERNMENT_AGENCY_PHISHING Phishing by impersonating a governmental agency to gain access to personally identifiable information (PII) such as a Social Security number (SSN) or Taxpayer Identification Number (TIN).
OTHER_PHISHING Captures any other types of phishing attacks not listed in the specific categories above. Phishing attacks aim to trick users into revealing sensitive information—such as login credentials or payment details—by impersonating trusted entities.
PACKAGE_TRACKING_SCAM Deceptive content posing as a shipping service to obtain users' personal info and payment details.
FAKE_SUPPORT_SCAM Deceptive content posing as known entities, claiming false device problems to trick users into sharing personal info or calling scammers.
GOVERNMENT_FINE_SCAM Deceptive content claiming the user must pay an outstanding civic fine to avoid immediate legal escalation.
FAKE_PRIZE_SCAM Deceptive content that lures users with offers of rewards or prizes.
OTHER_SCAM Captures any other types of scam attacks not listed in the specific categories above. Scams aim to trick users into surrendering money or personal information through deceptive schemes.

TargetedBrand

Details about the brand, organization or institution targeted or impersonated by the attack.

JSON representation 
{
  "brandName": string,
  "domain": string
}
Fields
brandName

string

Optional. The brand, organization or institution targeted or impersonated by the attack. Example: "Google".
domain

string

Optional. The domain of the brand, organization or institution targeted or impersonated by the attack. Example: "google.com".

Confidence

Confidence that a URI is unsafe.

JSON representation 
{

  // Union field value can be only one of the following:
  "score": number,
  "level": enum (ConfidenceLevel)
  // End of list of possible types for union field value.
}
Fields

Union field value.

value can be only one of the following:
score

number

A decimal representation of confidence in the range of 0 to 1 where 0 indicates no confidence and 1 indicates complete confidence.
level

enum (ConfidenceLevel)

Enum representation of confidence.

ConfidenceLevel

Enum representation of confidence.

Enums
CONFIDENCE_LEVEL_UNSPECIFIED Default.
LOW Less than 60% confidence that the URI is unsafe.
MEDIUM Between 60% and 80% confidence that the URI is unsafe.
HIGH Greater than 80% confidence that the URI is unsafe.

ThreatJustification

Context about why the URI is unsafe.

JSON representation 
{
  "labels": [
    enum (JustificationLabel)
  ],
  "comments": [
    string
  ]
}
Fields
labels[]

enum (JustificationLabel)

Labels associated with this URI that explain how it was classified.
comments[]

string

Free-form context on why this URI is unsafe.

JustificationLabel

Labels that explain how the URI was classified.

Enums
JUSTIFICATION_LABEL_UNSPECIFIED Default.
MANUAL_VERIFICATION The submitter manually verified that the submission is unsafe.
USER_REPORT The submitter received the submission from an end user.
AUTOMATED_REPORT The submitter received the submission from an automated system.

ThreatDiscovery

Details about how the threat was discovered.

JSON representation 
{
  "platform": enum (Platform),
  "regionCodes": [
    string
  ]
}
Fields
platform

enum (Platform)

Platform on which the threat was discovered.
regionCodes[]

string

CLDR region code of the countries/regions the URI poses a threat ordered from most impact to least impact. Example: "US" for United States.

Platform

Platform types.

Enums
PLATFORM_UNSPECIFIED Default.
ANDROID General Android platform.
IOS General iOS platform.
MACOS General macOS platform.
WINDOWS General Windows platform.