How do anti-phishing filters inspect links?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before a phishing email can do damage, it needs to get to the inbox. Anti-phishing filters stand between delivery and the user, scanning every URL in an incoming message to decide whether it looks safe. Here's what they're actually checking.
The first stop is blocklist comparison. URLs and domains get checked against known malicious URL databases. Google Safe Browsing, Microsoft SmartScreen, and PhishTank maintain massive lists of confirmed phishing domains. If your link, or your tracking domain, matches any of these, the email gets blocked or flagged before it reaches anyone.
For URLs not already in a blocklist, filters analyze the domain itself. Newly registered domains, domains with mismatched registration patterns, and domains that visually mimic legitimate brands (like paypa1.com instead of paypal.com) all score higher risk. This is why spammers constantly register fresh domains. And it's why your custom tracking domain needs a clean history, not just your sending domain.
More advanced systems do real-time link detonation: they actually visit the URL to see where it goes, what page loads, and whether it tries to steal credentials. Enterprise email gateways like Microsoft Defender rewrite every link in incoming email to route through a safety proxy, scanning the destination at click time rather than at delivery. This is why some corporate recipients see your carefully crafted links mangled into long Microsoft-owned URLs.
For legitimate senders, the takeaway is simple: use your own branded tracking domain, keep your sending domain clean, and don't use redirect chains that bounce through multiple intermediary domains. Legitimate-looking link patterns are as important as legitimate content.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.