Fraudulent emails frequently use links designed to look trustworthy while pointing somewhere dangerous. Forensic-Email inspects every link in an email for a range of concealment and misdirection techniques.
IP Address Links
One or more links point directly to a raw IP address (such as http://192.168.1.1/login) instead of a named domain. Legitimate services almost never do this.
URL Shorteners
One or more links use a URL shortening service such as bit.ly or tinyurl.com. These services hide the real destination — you cannot tell where the link leads before clicking it.
Anchor Text Mismatch
A link's visible text shows one domain name, but the link actually points to a different domain. For example, a link that displays "secure-paypal.com" but leads to "attacker.net" is a classic phishing technique.
Homograph / Punycode Domains
One or more links use international domain names (IDN) that contain special characters. In the browser address bar, these can look identical to a familiar domain while pointing to a completely different site — a technique known as an IDN homograph attack.
Invisible Unicode in URL
One or more link URLs contain invisible Unicode characters — such as zero-width spaces — inside the domain name. This can make "paypal.com" (with a hidden zero-width space) appear identical to "paypal.com" while pointing to a different address.
Percent-Encoded Hostname
One or more links use percent-encoding (the % character) inside the hostname. Legitimate domain names are never encoded this way; this is a deliberate obfuscation technique used to disguise the true destination.
Embedded Public Suffix
A link's domain contains a trusted extension — such as .com, .edu, or .gov — in the middle rather than at the end. For example, "paypal.com.attacker.net" is designed to look like it belongs to paypal.com, but the real registered domain is attacker.net.
Excessive Subdomains
One or more links have an unusually long chain of subdomains before the actual domain. This technique buries the real destination at the end of a confusingly long address, such as "login.verify.secure.paypal.attacker.net".
Redirect Tracking URLs
One or more links pass through a third-party tracking or redirect service before reaching their final destination. The URL you see in the email is not the URL you will land on.
Unencrypted HTTP Links
One or more links use plain HTTP instead of HTTPS. Any data you enter on an unencrypted site — including passwords or payment details — can be intercepted in transit.
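The checks listed above, implemented as one self-contained link inspector. This is an added example and not Forensic-Email's own code; the shortener list, the public-suffix list, the subdomain threshold and the sample URLs are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lists; a production tool would use the Public Suffix List
# and a maintained shortener list rather than these few entries.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "gov"}
MAX_SUBDOMAINS = 3  # assumed threshold for "excessive"
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

def registered_domain(host):
    """Last two labels of a host: 'paypal.com.attacker.net' -> 'attacker.net'."""
    return ".".join(host.split(".")[-2:])

def inspect_link(href, anchor_text=""):
    """Return the set of warning names that apply to one href/anchor-text pair."""
    parts = urlsplit(href)
    # Extract the raw host ourselves so invisible and %-encoded characters survive.
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
    clean = "".join(ch for ch in host if ch not in ZERO_WIDTH)
    labels = clean.split(".")
    findings = set()
    if parts.scheme == "http":
        findings.add("unencrypted_http")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.add("ip_address")
    if host in SHORTENERS:
        findings.add("url_shortener")
    if host != clean:
        findings.add("invisible_unicode")
    if "%" in host:
        findings.add("percent_encoded_hostname")
    if any(label.startswith("xn--") or not label.isascii() for label in labels):
        findings.add("homograph_idn")
    # A public suffix anywhere before the final label, e.g. paypal.com.attacker.net
    if any(label in PUBLIC_SUFFIXES for label in labels[:-1]):
        findings.add("embedded_public_suffix")
    if len(labels) - 2 > MAX_SUBDOMAINS:
        findings.add("excessive_subdomains")
    # A query parameter carrying a full URL is the usual shape of a redirector.
    if any(v.lower().startswith(("http://", "https://")) for _, v in parse_qsl(parts.query)):
        findings.add("redirect_tracking")
    shown = DOMAIN_RE.search(anchor_text)
    if shown and registered_domain(shown.group(0).lower()) != registered_domain(clean):
        findings.add("anchor_text_mismatch")
    return findings
```

Each warning name corresponds to one of the sections above; a link can trigger several at once, such as an HTTP link to a raw IP address.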