How do anti-phishing filters inspect links?

Anti-phishing filters examine links through multiple techniques to identify malicious URLs.

Blocklist checking: URLs and domains are checked against known malicious URL databases (Google Safe Browsing, Microsoft SmartScreen, PhishTank). Matches result in warnings or blocking.

Domain reputation analysis: New domains, domains with suspicious registration patterns, or domains with poor history get flagged. Legitimate brands with established domains fare better.

URL structure analysis: Filters examine URL patterns associated with phishing: misleading subdomains (login.bank.malicious.com), excessive path depth, unusual character encoding, or suspicious parameters.

Display text comparison: When link text shows "paypal.com" but the URL goes elsewhere, filters flag the mismatch as a phishing indicator.

Redirect following: Filters may follow redirect chains to discover the final destination. Multiple redirects or landing on a different domain than expected raises flags.

Destination page analysis: Some filters fetch the linked page and analyze content for phishing characteristics: login forms, brand impersonation, credential harvesting.

Impact on legitimate email:

Tracking redirects can trigger redirect inspection

Display text/URL mismatches from link wrapping need careful handling

Third-party shorteners face extra scrutiny

Custom tracking domains with clean reputation avoid most issues