How can redirection attacks mask lookalike domains?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you get an email that links to what looks like a Bit.ly shortened URL or a Google Drive link. Looks fine, right? That's the whole point.

Redirection attacks work by hiding the real destination behind a chain of intermediate URLs. The link you see in the email is legitimate, or at least it looks that way. The damage happens after you click, when you've already been silently bounced through one or more hops to wherever the attacker actually wants you to go.

Here's why this is especially dangerous when lookalike domains are involved. Spam filters and URL reputation systems check the link in the email at the moment it arrives. If that first link points to a real URL shortener, a legitimate cloud service, or even a compromised but still-clean website, the filter has nothing to flag. The lookalike domain sits one or two hops away, completely invisible to the initial scan.

A typical chain looks something like this. The phishing email links to a real Bit.ly short URL. That redirects to a compromised blog or file-hosting page. That page then redirects to something like paypa1-secure.com, a lookalike domain designed to harvest credentials. By the time you land there, you're three steps away from what was in the email.

Attackers also use cloud services on purpose. A link to a Google Docs page, a Microsoft OneDrive file, or a publicly accessible storage bucket is almost never blocked by email filters. Those services have pristine reputations. So attackers host a redirect page there, use it once, then abandon it.

But this is also why time-of-click protection matters so much. Some secure email gateways only check URLs when the email is received. A smarter system re-evaluates the full redirect chain at the moment you click, which is when the malicious destination actually becomes relevant. That gap between "scan at delivery" and "click later" is exactly what attackers exploit.

If you're educating your team on this, teach them a few practical habits. Watch for shortened URLs in unexpected places. Hover over links before clicking to see where they actually go. Be suspicious of any URL that redirects through an unrelated domain before reaching the destination. And if a link takes you somewhere that asks for your login, always check the address bar carefully before typing anything.

Want to understand what the underlying domain trick looks like before the redirect even comes into play? Take a look at how typosquatting works. It's often the final destination in these chains.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get tailored advice for your setup

I'm trying to understand how URL redirection attacks hide lookalike domains in phishing emails. Based on my situation, can you help me with the following: 1. Which redirect techniques are most likely being used against my domain or industry? 2. What should I look for when reviewing suspicious emails or links reported by my team? 3. What technical defenses (time-of-click, redirect-following scanners) should I prioritize? 4. What's the most practical advice I can give non-technical staff to spot these attacks?

Edit the yellow boxes, then send to the AI of your choice.