In 2025, phishing is still one of the most ubiquitous and effective attack vectors cybercriminals use to steal credentials, distribute malware, and compromise organizations. Oftentimes, these phishing campaigns stem from deceptive URLs which are crafted to appear legitimate. As security awareness efforts improve, attackers are continuously refining their techniques to evade detection and increase the likelihood of victims clicking malicious links.
In this blog, we’ll break down some of the most common URL phishing tactics, identify detection and analysis methods, and discuss strategies to defend against them.
While fighting phishing attacks, organizations face another challenge: managing the growing volume of sensitive data they’re required to protect. Many companies store documents containing personal information, financial details, and confidential data they legally must redact but struggle to do that effectively at scale.
Traditional redaction methods like markers and PDF editors are time-consuming and often leave the underlying data still accessible to attackers. This creates a significant vulnerability when a phishing compromise occurs.
Redactable addresses this with AI-powered technology that automates the redaction process, permanently removing sensitive information from documents rather than simply hiding it. This allows organizations to maintain necessary records while significantly reducing exposure risk, giving security teams one less thing to worry about when defending against increasingly sophisticated phishing attempts.
A Quick Visual Reference
We will go into greater depth in the article, but here is a visual guide for how to identify common phishing URL techniques with URL examples.

The Anatomy of a URL
Before being able to detect and analyze potential URL-phishing techniques, it’s important to understand the structure and components of a URL. Attackers often manipulate these elements in various creative ways to craft deceptive links.

In a standard URL (Uniform Resource Locator), we often see some or all of the following components, each serving a distinct purpose:
Protocol (Scheme)
The protocol specifies the communication method used to access a resource and tells the browser how to retrieve the requested information. For example, HTTP (HyperText Transfer Protocol) and HTTPS (HTTP Secure) are used for accessing webpages (with HTTPS providing encryption for secure communication), while FTP (File Transfer Protocol) is often used for transferring files.
For a detailed list of common URI schemes, check out https://en.wikipedia.org/wiki/List_of_URI_schemes.
Subdomain
A subdomain is a prefix added to the main domain to organize or distinguish different sections of a website. Subdomains function as separate areas or zones of a resource, for example, mail.google.com, or drive.google.com.
Domain Name
The domain name typically consists of two main parts. The second-level domain refers to the main name of the website. For example, google, or tcm-sec. This is paired with the Top-Level Domain (TLD), which is the suffix that categorizes the domain (such as .com, .net, .edu, .gov, or country-specific ones like .ca, or .ru).
An important note is that the combination of the top-level and second-level domain is the only part that is unique in the URL. Attackers may be able to spoof subdomains or register identical domain names under different TLDs, but the combination between second and top-level domains cannot be copied.
Putting it all together, the hostname consists of the subdomain (if any) and the domain name.
Subdirectory
Subdirectories can be thought of as folders within the website’s file structure (or a defined route on the server side), used to organize content hierarchically. In the above example, the subdirectory called “courses” contains files for various courses hosted on the site.
File
A file refers to a specific resource being accessed on the server, which could be an actual file with an extension (such as .php or .html). In more modern web applications, files could simply be defined as routes or templates and may not contain a file extension.
We refer to the file being accessed, along with all of its subdirectories, as the path of the resource.
Parameter
Parameters are additional pieces of information appended to the end of the URL after a question mark “?” symbol. These parameters are used to provide specific instructions or data to the server when requesting a resource, typically in the context of dynamic web applications.
URL parameters are typically structured as key-value pairs, where:
- The key defines what kind of data is being sent.
- The value contains the corresponding information.
Sometimes, an attacker might include a victim’s email address within a URL parameter’s value to make a phishing page appear more legitimate. For example, when the user navigates to a malicious credential capture page, their email appears to be already filled in, making the login page seem more legitimate and convincing.

Subdomain Spoofing
Subdomain spoofing is a technique where attackers configure misleading subdomains under a non-legitimate domain they have registered in order to impersonate legitimate websites. By prefixing their own domain with a subdomain that mimics a well-known brand (such as Google, Microsoft, or Facebook), they create URLs that visually resemble the real thing, attempting to convince victims that they are visiting a trusted site.
For example, instead of paypal[.]com, an attacker might register evilsite[.]com and serve the phishing page from paypal[.]com[.]evilsite[.]com, where evilsite[.]com is the attacker’s base domain and the subdomain paypal[.]com tricks users into thinking it is the legitimate PayPal website.
Detecting Subdomain Spoofing
It’s important to understand that subdomain spoofing isn’t an exploitation of any email or URL security vulnerabilities, but rather it’s taking advantage of the legitimate use of subdomains and misleading users through visual appearance.
As such, it’s important for both security teams and end-users to pay attention to the entire URL, particularly the subdomain portion. Remember that the combination of the top-level and second-level domain is the only part that is unique in the URL. This combination is key when it comes to spotting potential subdomain spoofing. Attackers can spoof subdomains or register identical domain names under different TLDs, but the combination between second and top-level domains cannot be copied.
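To make the URL components and the subdomain-spoofing check concrete, here is an added Python example (not code from the original post). It splits a URL into the parts described in the anatomy section and then flags a URL when a protected brand name appears as a subdomain label under some other registrable domain. The PROTECTED_DOMAINS set and the naive "last two labels" rule are assumptions; production tooling should consult the Public Suffix List so that names like example.co.uk are handled correctly.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list of brands the organisation wants to protect (assumption).
PROTECTED_DOMAINS = {"paypal.com", "google.com", "microsoft.com"}


def split_host(hostname):
    """Split a hostname into (subdomain, second_level, tld).

    Uses the post's 'second-level + top-level' rule, i.e. the last two labels.
    Real tooling should consult the Public Suffix List instead.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def anatomy(url):
    """Break a URL into the components described in the post."""
    parts = urlsplit(url)
    subdomain, sld, tld = split_host(parts.hostname or "")
    return {
        "scheme": parts.scheme,
        "subdomain": subdomain,
        "registrable_domain": f"{sld}.{tld}" if tld else sld,
        "path": parts.path,
        # key/value parameters, e.g. a pre-filled victim e-mail address
        "params": dict(parse_qsl(parts.query)),
    }


def spoofed_brand(url):
    """Return the protected brand whose name is used as a subdomain label of a
    hostname that is NOT registered under that brand, else None."""
    parts = anatomy(url)
    if parts["registrable_domain"] in PROTECTED_DOMAINS:
        return None                      # genuinely registered under the brand
    sub_labels = parts["subdomain"].split(".")
    for brand in sorted(PROTECTED_DOMAINS):
        brand_name = brand.split(".")[0]   # "paypal" from "paypal.com"
        if brand_name in sub_labels:
            return brand
    return None
```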
Lookalike Domains and Typosquatting
Lookalike domains are a broad category of attacks where attackers explicitly register domain names that closely resemble their target (or other legitimate websites) to spoof senders or stage their phishing landing pages.
Typosquatting, also known as URL hijacking or domain squatting, occurs when an attacker registers a domain that is a typographical error, modification, or omission of a known, legitimate domain. By registering deceptive domain names that closely resemble popular or well-known websites, attackers can trick victims into thinking an email was delivered from a trusted source, or that a URL contained in an email is legitimate, when in fact it leads to a malicious web page controlled by the attacker.
For example, instead of the legitimate linkedin[.]com, an attacker could purchase and register linkedn[.]com to stage their phishing campaign. With the second “i” character simply omitted, a user who is not paying close attention may not notice that this is not the legitimate domain.
There are many different subcategories of typosquatting techniques such as:
Dictionary Typosquatting
Dictionary typosquatting is done when attackers register domain names by adding popular dictionary words onto a legitimate domain.
For example:
- Legitimate domain: www.google[.]com
- Malicious domain: www.googlerecovery[.]com
Omission Typosquatting
Omission typosquatting happens when attackers register a domain name that omits a character from the legitimate domain, tricking users who forget to type a letter.
For example:
- Legitimate domain: www.amazon[.]com
- Malicious domain: www.amzon[.]com
Addition Typosquatting
Addition typosquatting involves adding extra characters onto the legitimate domain name, such as:
- Legitimate domain: www.paypal[.]com
- Malicious domain: www.paypall[.]com
Bitsquatting
With bitsquatting, attackers replace a character in the domain name with another that either looks similar or is located in close proximity on the keyboard to abuse common typos. Other examples include using the character “l” for “I”, or “o” for “0” (zero).
For example:
- Legitimate domain: www.google[.]com
- Malicious domain: www.googIe[.]com
TLD-Swap
TLD-swap typosquatting is when attackers use a different top-level domain (TLD) to mimic the legitimate site, often with a slight variation.
For example:
- Legitimate domain: www.bestbuy[.]com
- Malicious domain: www.bestbuy[.]cam
Homoglyph Attacks
Homoglyph attacks exploit characters from different alphabets or symbol sets that look very similar to Latin characters. This is commonly referred to as an IDN (Internationalized Domain Name) or a Punycode attack. This more advanced technique takes advantage of visually similar characters and, in the right context, can be visually impossible to distinguish.
For example:
- Legitimate domain: www.apple[.]com
- Malicious domain: www.аррlе[.]com
In this case, the “a” in “аррlе” is from the Cyrillic alphabet, not the Latin alphabet. Despite this, it looks visually identical.
Fortunately, modern browsers are becoming more effective at warning users when they visit sites that contain non-Latin characters and oftentimes will convert that domain to punycode for DNS resolution. Punycode is an encoding system that converts Unicode characters (like those from non-Latin alphabets) into a subset of ASCII characters that can be used in domain names.

We can also use a tool like DNSTwist to automatically generate and scan for many potential typosquatting variants of a specific domain. There are also hosted versions of this tool, such as DNSTwist.it or DNSTwister.report.

As a proactive defense measure, many organizations will purchase common typosquat domains to prevent malicious use. For example, “facebok.com” with only one “o” redirects to the legitimate “facebook.com”. Additionally, “gogle.com” redirects to “google.com”.
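As an added example (not from the post or from DNSTwist), here is a small Python classifier that applies the lookalike categories above in the detection direction: instead of generating candidates, it takes an observed registrable domain and reports whether it is a homoglyph, TLD-swap, single-edit typosquat, or dictionary variant of a protected brand. The PROTECTED list and the CONFUSABLES table are constructed assumptions; a real tool would use the full Unicode confusables data.

```python
# Constructed list of brands to protect (assumption, not from the post).
PROTECTED = ["google.com", "amazon.com", "paypal.com", "bestbuy.com",
             "apple.com", "linkedin.com"]

# Small confusables table mapping look-alike characters to the Latin letter
# they imitate. The lower-case Cyrillic entries cover the post's example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",  # Cyrillic
    "0": "o", "1": "l", "|": "l",                                 # digits/symbols
}


def normalize(label):
    """Lower-case a label and fold confusable characters to Latin letters."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_domain(domain):
    """Classify a registrable domain (second-level + TLD) against PROTECTED.

    Returns (verdict, brand); verdict is one of legitimate, homoglyph,
    tld-swap, typosquat (omission/addition/one-key substitution),
    dictionary, or unrelated.
    """
    domain = domain.lower().rstrip(".")
    if domain in PROTECTED:
        return "legitimate", domain
    name, _, tld = domain.rpartition(".")
    if name.startswith("xn--"):          # punycode label: decode to Unicode first
        try:
            name = name.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    folded = normalize(name)
    for brand in PROTECTED:
        bname, _, _ = brand.rpartition(".")
        if folded == bname:
            # same letters once folded: a different script, or only the TLD differs
            return ("homoglyph" if name != bname else "tld-swap"), brand
        if edit_distance(folded, bname) <= 1:
            return "typosquat", brand
        if bname in folded:
            return "dictionary", brand     # brand name padded with extra words
    return "unrelated", None
```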
URL Shortening
URL shortening services are popular solutions that make long and verbose links more manageable and user-friendly. Services like Bit.ly or TinyURL help convert lengthy URLs into short, shareable links. While these services provide a great user experience, they also offer a convenient tool for attackers seeking to obfuscate malicious URLs in phishing campaigns.
How URL Shortening Works
URL shortening services take a long, complex URL and create a shorter version that redirects users to the original, often using a randomized, alphanumeric string. This is done by sending the client to the URL shortening server, which subsequently redirects them (often through an HTTP 301 response) to the intended destination.
For example:
- Original URL: tcm-sec.com
- Shortened URL: bit.ly/totallyamazingwebsite (no seriously, try it!)
Although the above example doesn’t use a very long original URL, the same concept applies.
However, by shortening a URL, attackers are able to hide their link’s actual destination, such as a phishing page designed to look like a legitimate login portal. Because users may be familiar with and trust popular URL shorteners, they are less likely to be suspicious of the shortened link and may click on it without hesitation.
Additionally, URL shortening can sometimes allow attackers to evade email security solutions that rely solely on inspecting the original URL and don’t follow any redirections. Some URL shortening services also offer dynamic redirection, meaning the destination of the shortened URL can be changed even after it’s created. This can add another level of obfuscation, as attackers can alter the redirection at any time. This also makes it more difficult for security analysts to track and block constantly changing malicious URLs.
Fortunately, there are many link-expanding services out there that can analyze and reveal the full destination of a shortened URL without clicking on it. For example, Unshorten.it can expand links and provide reputational information about a given shortened URL, while WannaBrowser can go as far as simulating web browsers and identifying any redirection locations.

Many security solutions, such as email security gateways and endpoint protection tools, offer URL filtering capabilities commonly configured to scan the true destination of shortened URLs. As a proactive measure, some organizations might choose to block access to URL-shortening services entirely or at least limit access to trusted services and exceptions.
Open Redirects
Open redirects are a web vulnerability attackers can exploit in phishing campaigns to redirect unsuspecting users to malicious websites. This vulnerability occurs when a web application allows user input (such as query parameters or URLs) to control the destination of a redirect without proper validation or sanitization. In phishing attacks, attackers can manipulate open redirects to deceive users into thinking they are visiting a legitimate site when, in reality, they are being sent to an attacker-controlled landing page or credential capture page.
How Open Redirects Work
Open redirects typically occur in scenarios where a website allows URL redirection based on user input. For example, a legitimate website might include a URL parameter like redirect_url to guide users to a different page after logging in or performing a specific action. However, if the site doesn’t properly check or validate the content of the redirect_url parameter, an attacker can exploit this by providing a malicious URL as the redirect target and using that crafted URL in a phishing email.
For instance, an attacker could craft a URL like the following:
https://www.legitwebsite.com/redirect?url=https://www.maliciouswebsite.com
When users click the link, they are redirected to the malicious website while still believing they are interacting with a trusted domain. This can also be used to get around weak email spam or phishing filters, since the base domain within the URL is a legitimate website.
As a real-world example, https://www.google.com/url?q=https://tcm-sec.com can be used as a semi-open redirect to navigate from google.com over to tcm-sec.com.
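The redirect handler described above, as an added Python example that is not part of the original post: vulnerable_redirect is the unvalidated "before", and safe_redirect is a hardened version that resolves the parameter against the site's own origin and only ever returns a same-site path. SITE_ORIGIN, ALLOWED_HOSTS, and legitwebsite.com being the application's own domain are constructed assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Constructed values (assumptions): the application's own origin and the hosts
# it is allowed to redirect to.
SITE_ORIGIN = "https://www.legitwebsite.com/"
ALLOWED_HOSTS = {"www.legitwebsite.com", "legitwebsite.com"}


def vulnerable_redirect(url_param):
    """The 'before': the ?url= value goes straight into the Location header,
    so any destination an attacker places in the link is honoured."""
    return url_param


def safe_redirect(url_param, fallback="/"):
    """Return a redirect target that stays on our own site, or the fallback.

    Rejects other hosts, protocol-relative '//evil.com', backslash variants
    '/\\evil.com' (browsers treat '\\' as '/'), header-injection characters,
    non-http(s) schemes such as javascript:, and 'https://legit@evil.com'
    userinfo tricks. Whatever survives is reduced to path + query, so the
    browser can never be sent off-origin.
    """
    if not url_param or any(c in url_param for c in "\\\r\n"):
        return fallback
    # Resolve relative values against our own origin, then re-parse the result
    # so the same checks apply to absolute and relative inputs alike.
    resolved = urlsplit(urljoin(SITE_ORIGIN, url_param))
    if resolved.scheme not in ("http", "https"):
        return fallback
    if resolved.username is not None or resolved.hostname not in ALLOWED_HOSTS:
        return fallback
    target = resolved.path or "/"
    if resolved.query:
        target += "?" + resolved.query
    return target
```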
Abuse of Legitimate Services
Lastly, an attacker doesn’t always have to rely on their own infrastructure to host the weaponized content shared in their emails. Attackers frequently abuse legitimate file-sharing and collaboration services, such as Google Drive, Dropbox, and others, to facilitate phishing campaigns and distribute malicious content to victims.
Because these services are trusted by users, emails containing links to such platforms often evade spam filters and are less likely to be flagged as suspicious until endpoint security solutions (hopefully) kick in. For example, an attacker might upload a zip archive of malware on Google Drive, or even more commonly, create a Google Docs page containing a link to a malicious webpage.

As these platforms are not inherently malicious, it is difficult for traditional email filtering systems to differentiate between legitimate links and those that lead to malicious content. When it comes to defending against attacks that abuse legitimate services, security awareness becomes the most effective line of defense.
End users should know common suspicious identifiers to spot, such as unexpected or unsolicited links, unfamiliar or suspicious file-sharing requests, or emails that create a sense of urgency or pressure to act quickly. They should also be trained to carefully inspect links, even those from trusted platforms, and recognize the signs of social engineering tactics. Most importantly, having clear and communicated channels for reporting suspicious emails or links to the security team for review is essential to ensure a prompt response to potential threats.
Security analysts may need to analyze these suspicious links in more detail or use various investigation and reputation tools to verify the authenticity of the destination URL and determine if the domain is associated with any known malicious activity. In some cases, analysts may need to detonate URLs or files in a controlled sandbox to analyze their behavior. If you’re looking to get practical experience with phishing analysis from the defender’s perspective, check out the Security Operations (SOC) 101 course on the TCM Academy!
Whether you are an IT professional, sysadmin, or security analyst, or aspire to be one, you can prove your competency in detecting potentially malicious URLs and mitigating their impact (as well as other skills) by completing the Practical SOC Analyst Associate certification.
Conclusion
Malicious URLs remain a common attack vector for attackers to deliver weaponized phishing campaigns and malware. Techniques such as subdomain spoofing, lookalike domains, URL shortening, open redirects, and abuse of legitimate services are just some of the many ways that adversaries manipulate trust and attempt to bypass traditional security measures. These tactics work because they exploit user habits, visual misdirection, and the inherent challenges of URL verification, making phishing a persistent threat. Phishing attempts may never be fully eradicated, but through continuous education and proactive security measures, organizations can make it much harder for attackers to succeed.

About the Author: Andrew Prince
Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security. With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation. Andrew created the Security Operations (SOC) 101 course in TCM Security Academy and the Practical SOC Analyst Associate certification.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.