What is a phishing link that drops malware?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email that looks like a shared invoice, a courier notification, or a software update from a tool you actually use. You click the link. A page loads that looks completely normal. It tells you to download a plugin, install an update, or open a document. You do it. That's the moment malware lands on your machine.
That's how a phishing link that drops malware works. The link itself isn't the payload. It's the door. The real attack happens after the click, either through a silent drive-by download that runs without any further action, or through a fake prompt designed to get you to install something yourself.
The prompts are convincing because attackers spend time making them look right. You might see a page that mimics a real Microsoft or Adobe interface, telling you your PDF viewer is outdated. Or a fake Google Drive page that says the file can't load until you install a browser extension. The design is polished. The URL looks almost right. The urgency feels real.
What makes this combination particularly nasty is that it layers two attacks at once. The malware itself can be a Trojan, ransomware, a worm, or a keylogger. But before any of that runs, the phishing side has already done its job of making you trust the source enough to click. By the time you realise something's wrong, the file is already on your system.
For email senders and security teams, the defence sits at a few layers. Link scanning tools check whether a destination URL has a known malicious reputation before anyone clicks it. Sandboxing systems follow the link and watch what happens on the page. And for end users, the single most reliable signal is this: if a page you reached from an email is asking you to download or install something you didn't go looking for, stop.
If you're managing email infrastructure and want to understand how filters catch these links before they reach inboxes, the next question covers URL reputation scoring in detail.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.