URL Sandboxing: Catching Evasive Phishing Links That Blocklists Miss

Domain blocklists catch known-bad URLs. They miss fresh malicious domains registered hours before the attack, URL shorteners, redirect chains, and links that show benign content to scanners but malicious content to users. Phishaver detonates every URL in an isolated environment to evaluate the full redirect chain.

How evasive URL attacks work

The redirect chain evasion technique

An attacker embeds a URL in an email that leads to a legitimate-looking domain — often a compromised legitimate website, a trusted file-sharing service, or a URL shortener. That first hop redirects to a second URL, which may redirect to a third. The final destination is a credential harvesting page or drive-by download. Email scanners that check only the first URL see a trusted domain. The actual malicious content is three hops away.

Time-of-click evasion

Some phishing URLs serve clean content when accessed from scanner IP ranges or without a victim-specific token in the URL. The malicious payload activates only when clicked from a real user browser, or only within a specific time window. Static URL analysis misses this entirely. Behavioral sandbox detonation replicates a real user browser session to observe actual landing page content.

How Phishaver's URL sandbox works

Pipeline overview: Email URL → Isolated browser session (real UA, JS enabled) → Redirect chain traced (Hop 1 → Hop 2 → Hop 3, every hop evaluated) → Landing page analyzed → Risk score + evidence

Full redirect chain detonation

Every redirect hop is followed in an isolated browser session that replicates a real user agent. The full chain is traced — not just the first domain lookup. Final landing page content is analyzed for credential harvesting forms, drive-by download scripts, and lookalike brand pages.
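The hop-by-hop tracing described above, as an added example written for this page rather than Phishaver's own code. It follows HTTP 3xx Location headers and meta-refresh redirects manually (no automatic following), resolves relative Location values against the current hop, caps the hop count and detects loops. The `fetch` callable, the `SAMPLE_SITE` map and every URL in it are constructed so the example runs offline; a real tracer would make one non-following request per hop from the isolated browser session.

```python
"""Hop-by-hop redirect chain tracer (added example, not Phishaver code).

Assumptions: fetch(url) performs ONE request without following redirects and
returns (status, headers, body). A constructed in-memory site map stands in
for the network so the example runs offline.
"""
import re
from urllib.parse import urljoin

MAX_HOPS = 10
# Matches <meta http-equiv="refresh" content="0; url=..."> and captures the target.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)

# Constructed sample "web": URL -> (status, headers, body).
# Hop 1 is a shortener using a relative Location, hop 2 a compromised site that
# redirects via meta refresh, hop 3 the final landing page.
SAMPLE_SITE = {
    "https://short.example/abc": (302, {"Location": "/go/xyz"}, ""),
    "https://short.example/go/xyz": (301, {"Location": "https://blog.example.org/wp-content/r.html"}, ""),
    "https://blog.example.org/wp-content/r.html": (
        200, {},
        '<html><meta http-equiv="refresh" content="0; url=https://login-m365-verify.example/auth">',
    ),
    "https://login-m365-verify.example/auth": (
        200, {}, '<form action="https://collector.example/post">...</form>',
    ),
}


def fake_fetch(url):
    """Stand-in for a single non-following HTTP request against SAMPLE_SITE."""
    return SAMPLE_SITE.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL this response redirects to, or None if it is a landing page."""
    if 300 <= status < 400 and "Location" in headers:
        # Relative Location values are resolved against the current hop.
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def trace_chain(start_url, fetch=fake_fetch):
    """Follow every hop manually, recording each one.

    Returns (hops, terminated_by) where terminated_by is one of
    "landed", "loop" or "hop-limit".
    """
    hops, seen, url = [], set(), start_url
    while url not in seen:
        if len(hops) >= MAX_HOPS:
            return hops, "hop-limit"
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append({"url": url, "status": status})
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            hops[-1]["body"] = body  # keep the landing page for later analysis
            return hops, "landed"
        url = nxt
    return hops, "loop"


if __name__ == "__main__":
    chain, why = trace_chain("https://short.example/abc")
    for i, h in enumerate(chain, 1):
        print(f"hop {i}: {h['status']} {h['url']}")
    print("terminated:", why)
```

Each recorded hop is what the later stages score: a blocklist lookup on hop 1 alone would only ever see the shortener domain, while the traced chain ends on the constructed `login-m365-verify.example` page.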

Fresh domain detection

Domain registration age is checked for each hop. A URL chain that passes through a fresh domain registered within 14 days — even if the first hop is a trusted service — receives elevated risk scoring.

Visual similarity analysis

Landing pages that visually replicate Microsoft 365 login, Google Workspace login, banking portals, or other common credential harvesting targets are detected via layout and content fingerprinting.

JavaScript behavior analysis

JavaScript execution in the isolated session is monitored for credential form submission to external hosts, drive-by download initiation, or obfuscated redirect logic that activates only after page load.

Observable URL threat indicators

  • URL chain contains a domain registered within the last 14 days
  • Redirect chain leads to a credential form or login page not matching the original sender's domain
  • Final landing page visually matches a known brand login page (M365, Google, financial institution)
  • URL uses a shortening service as the first hop that redirects to an unrecognized domain
  • JavaScript on landing page attempts to submit form data to an external host
  • URL includes a victim-specific token that activates different content for different recipients
  • Landing page uses HTTPS with a domain-validation certificate on a freshly registered domain
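Turning the indicator list above, together with the fresh domain and JavaScript form-submission checks described earlier, into a risk score with evidence. This is an added example, not Phishaver's scoring logic: the chain records, registration dates, certificate validation levels, page bodies, the shortener set and the brand keyword fingerprints are constructed inputs (a real pipeline would fill them from the sandbox session, WHOIS/RDAP and the TLS handshake), and the keyword fingerprint is a stand-in for layout fingerprinting. The weights are illustrative.

```python
"""Risk scoring of a detonated URL chain (added example, not Phishaver code).

Each hop is a dict: url, registered (date or None), cert ("DV"/"OV"/"EV"/None)
and body (landing page HTML, usually empty for intermediate hops). All sample
values below are constructed.
"""
import re
from datetime import date
from urllib.parse import urlparse, parse_qs

FRESH_DOMAIN_DAYS = 14
SHORTENERS = {"short.example", "bit.ly", "t.co", "tinyurl.com"}  # constructed list of shortener hosts
BRAND_FINGERPRINTS = {  # constructed keyword fingerprints; two hits count as a match
    "Microsoft 365": {"microsoft", "office 365", "sign in to your account"},
    "Google Workspace": {"google", "use your google account"},
}
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{20,}$")  # heuristic for recipient-specific tokens


def host(url):
    return (urlparse(url).hostname or "").lower()


def same_org(h1, h2):
    """Crude registrable-domain match: compare the last two labels."""
    return h1.split(".")[-2:] == h2.split(".")[-2:]


def score_chain(hops, sender_domain, today):
    """Return (score 0-100, evidence list) for a traced chain."""
    evidence = []
    first, last = hops[0], hops[-1]
    landing_host = host(last["url"])
    body = last.get("body", "").lower()

    # Fresh domain anywhere in the chain, plus DV certificate on that domain.
    for h in hops:
        reg = h.get("registered")
        if reg and (today - reg).days <= FRESH_DOMAIN_DAYS:
            evidence.append((40, f"{host(h['url'])} registered {(today - reg).days} days ago"))
            if h["url"].startswith("https://") and h.get("cert") == "DV":
                evidence.append((10, f"{host(h['url'])} uses a DV certificate on a fresh domain"))

    # Credential form on a host that does not match the sender's domain.
    has_cred_form = "<form" in body and 'type="password"' in body
    if has_cred_form and not same_org(landing_host, sender_domain):
        evidence.append((30, f"credential form on {landing_host}, sender is {sender_domain}"))

    # Landing page content resembles a known brand login.
    for brand, words in BRAND_FINGERPRINTS.items():
        if sum(w in body for w in words) >= 2:
            evidence.append((25, f"landing page content matches {brand} login fingerprint"))

    # Shortener as first hop ending on an unrelated domain.
    if host(first["url"]) in SHORTENERS and not same_org(landing_host, sender_domain):
        evidence.append((15, f"shortener {host(first['url'])} redirects to {landing_host}"))

    # Form data posted to a host other than the landing page's own.
    for action in re.findall(r'<form[^>]+action=["\']([^"\']+)', body):
        if host(action) and not same_org(host(action), landing_host):
            evidence.append((30, f"form posts to external host {host(action)}"))

    # Opaque token in the first-hop path or query.
    u = urlparse(first["url"])
    parts = [p for p in u.path.split("/") if p]
    parts += [v for vs in parse_qs(u.query).values() for v in vs]
    if any(OPAQUE_TOKEN.match(p) for p in parts):
        evidence.append((10, "first-hop URL carries an opaque recipient-specific token"))

    return min(100, sum(w for w, _ in evidence)), [msg for _, msg in evidence]


# Constructed chain: shortener -> compromised blog -> fresh lookalike login page.
SAMPLE_CHAIN = [
    {"url": "https://short.example/r?id=Zk9pQ2xhaW1fdXNlcjQyX2FiY2Q",
     "registered": date(2015, 3, 2), "cert": "OV", "body": ""},
    {"url": "https://blog.example.org/wp-content/r.html",
     "registered": date(2012, 7, 19), "cert": "DV", "body": ""},
    {"url": "https://login-m365-verify.example/auth",
     "registered": date(2024, 6, 1), "cert": "DV",
     "body": '<title>Microsoft Sign in to your account</title>'
             '<form action="https://collector.example/post">'
             '<input name="email"><input type="password" name="pw"></form>'},
]
TODAY = date(2024, 6, 9)  # constructed "now" for the registration-age check

if __name__ == "__main__":
    score, why = score_chain(SAMPLE_CHAIN, "partner.example.com", TODAY)
    print("risk score:", score)
    for line in why:
        print(" -", line)
```

The benign case matters as much as the malicious one: a single-hop link to an old domain with no form yields a score of 0 and an empty evidence list, so the scorer can be checked against both before it is trusted on real mail.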

Detonate every link

See where every email URL actually leads.

Redirect chain detonation catches evasive phishing links that domain blocklists miss by hours. Connect in under 5 minutes.