Phishing URL Detection Techniques That Hold Up Against Modern Evasion

By IPThreat Team July 5, 2026

When the URL Looked Exactly Right

A mid-sized logistics company in Australia received a batch of emails claiming to be from their freight forwarding partner. The URLs embedded in those emails passed every automated gateway check. The domain was registered 11 days prior, hosted on a legitimate cloud provider, and used a valid TLS certificate. The landing page was a pixel-perfect replica of the partner's login portal. Three employees submitted credentials before the security team received an alert from their SIEM — not from their email gateway.

That scenario plays out hundreds of times a day across industries. As Australian organizations face increasing pressure on SMBs following broader cybercrime displacement trends, the sophistication gap between attacker infrastructure and defender tooling is growing. Detection techniques that worked reliably two years ago now miss a meaningful percentage of active campaigns. This article covers the mechanics of modern phishing URL detection, what layers of analysis actually catch these threats, and how security teams can operationalize detection before the first credential is submitted.

Why Traditional URL Filtering Falls Short

Legacy URL filtering relies heavily on reputation databases and blocklists. A domain that appears on no blocklist, uses HTTPS, and resolves to a cloud IP range presents as clean. Attackers understand this and routinely exploit the window between domain registration and blocklist population — a gap that can span hours to days.

The FortiBleed campaign, which exposed credentials from over 73,000 FortiGate systems, demonstrated how quickly harvested credentials get weaponized once phishing delivers initial access. The upstream problem in many of those cases was a phishing URL that cleared initial inspection. Similarly, the Iran-nexus TAG-182 group using MarkiRAT as a surveillance payload frequently relies on phishing URLs that abuse legitimate infrastructure to avoid detection — a pattern that breaks blocklist-centric defenses entirely.

The core limitation is that blocklists are reactive. Effective phishing URL detection must be analytical, examining the structure and behavior of URLs rather than waiting for them to appear on a known-bad list.

Structural Analysis of Phishing URLs

Phishing URLs carry structural signals that automated analysis can extract and score. Security teams building or tuning detection pipelines should prioritize the following features.

Domain Age and Registration Patterns

Legitimate business domains rarely appear in production email flows within days of registration. Querying WHOIS and passive DNS data for the domain age of every URL in inbound email provides a high-signal feature. A domain under 30 days old carrying login page parameters warrants immediate escalation. This single feature, applied consistently, catches a substantial proportion of phishing campaigns that abuse freshly registered domains.

Related to this is the registration velocity pattern. Threat actors running coordinated campaigns often register clusters of domains within short timeframes, sometimes using the same registrar, the same nameservers, or WHOIS privacy services in patterns that correlate across domains. Aggregating domain registration data across inbound URLs over a rolling 7-day window can surface these clusters before any individual domain appears on a threat feed.

Subdomain Complexity and Deceptive Formatting

A well-documented evasion technique involves placing a trusted brand name in a subdomain while the actual registered domain is attacker-controlled. The URL paypal.account-verify.maliciousdomain.com looks legitimate in a quick visual scan. The registered domain is maliciousdomain.com, not paypal.com. Detection logic should extract and evaluate the registered domain, not the full URL string.

Homograph attacks take this further by substituting visually similar Unicode characters for ASCII equivalents. The letter а in Cyrillic looks identical to the Latin a in most fonts. A domain like pаypal.com using a Cyrillic а is a different domain entirely. Punycode conversion at the detection layer — converting internationalized domain names to their ASCII-compatible encoding — reveals these substitutions. Any domain resolving through Punycode encoding that mimics a high-value brand should trigger an alert.

URL Path and Query String Indicators

Phishing pages often embed tracking identifiers in query strings to link victims to specific campaigns or validate that a click came from a real target. Parameters like token=, uid=, or ref= followed by long encoded strings are consistent with phishing infrastructure. Legitimate transactional emails do use similar patterns, so this signal carries more weight when combined with other indicators rather than in isolation.

Redirect chains are another structural indicator. A URL that immediately redirects through two or three intermediary domains before landing on a credential page is a behavioral pattern associated with phishing infrastructure designed to obscure the final destination from email gateways that only inspect the initial link.

Machine Learning Features for URL Classification

Static rule-based detection catches known patterns but struggles with novel evasion. Machine learning classifiers trained on URL features provide coverage against variations that rules miss. The most useful features for ML-based URL classification include:

  • URL length: Phishing URLs tend to be longer than legitimate URLs, incorporating encoded parameters, tracking tokens, and obfuscated paths.
  • Character entropy: High entropy in the domain or path component often indicates randomly generated strings used to avoid pattern matching.
  • Special character density: The ratio of hyphens, dots, and encoded characters relative to total URL length correlates with deceptive URL construction.
  • TLD risk scoring: Certain top-level domains are statistically overrepresented in phishing infrastructure. TLDs like .xyz, .top, .buzz, and .click carry higher baseline risk than .com or .org, though all TLDs see abuse.
  • Brand token presence: Detecting known brand names or product terms within a URL's subdomain or path that do not appear in the registered domain itself is a strong phishing indicator.
  • Lexical similarity to known-good domains: Measuring edit distance or cosine similarity between the target domain and a curated list of high-value brands surfaces typosquatting and lookalike domains.

A trained classifier combining these features can achieve high accuracy on URL classification without requiring the domain to appear on any blocklist. The operational challenge is latency — ML inference needs to happen fast enough to intercept URLs before delivery or at click time.

DNS Behavior and Infrastructure Signals

The DNS record structure behind a domain provides detection signals beyond what the URL itself reveals.

Fast Flux and Infrastructure Rotation

Fast flux DNS configurations — where A records rotate across hundreds of IP addresses with very short TTLs — are a consistent indicator of phishing and malware infrastructure. Legitimate services do use low TTLs for load balancing, but the combination of very short TTLs, a large number of resolving IP addresses spanning multiple ASNs, and a freshly registered domain is a reliable cluster for flagging.

The disruption of the NetNut proxy network, which cut off approximately 2 million infected devices, illustrated how extensively phishing and fraud infrastructure relies on compromised residential proxies and rotating IP pools. Traffic from such infrastructure generates exactly the kind of fast-rotating DNS patterns and IP diversity that defenders can detect at the DNS query layer.

Nameserver and Hosting Correlations

Phishing campaigns frequently reuse hosting infrastructure across campaigns. A nameserver that has previously served known-phishing domains is a meaningful risk signal for any new domain using the same provider. Passive DNS databases maintained by vendors like Farsight, DomainTools, and VirusTotal allow analysts to pivot from a suspicious domain to all domains sharing its nameserver history.

Similarly, IP ranges associated with bulletproof hosting providers consistently host phishing infrastructure. Correlating the resolved IP of a URL against ASN reputation data — not just individual IP blocklists — provides a broader coverage layer. This is especially relevant for campaigns like CL-STA-1062 targeting Southeast Asian government infrastructure, where phishing URLs hosted across specific ASNs showed consistent patterns across unrelated targets.

Content-Based Detection at the Landing Page

When a URL cannot be classified by structural or DNS analysis alone, dynamic analysis of the landing page content provides the next layer. This involves fetching the page in a sandboxed environment and inspecting what it delivers.

Visual Similarity Scoring

Credential harvesting pages replicate the visual appearance of legitimate login portals. Computer vision-based detection — comparing a rendered screenshot of the landing page against a library of legitimate brand login pages — can identify visual mimicry even when the HTML is entirely custom-written to evade signature matching. Perceptual hashing algorithms like pHash produce a fingerprint of a rendered page image that survives minor visual changes while still matching pages that look similar to a human observer.

Form Action Analysis

A login form on a page claiming to represent Bank of America that submits credentials to a domain unrelated to Bank of America is a definitive phishing indicator. Extracting and analyzing form action targets — where the form actually sends data — is a reliable content-based signal. This analysis requires actually rendering the page and inspecting the DOM, since many phishing pages load form targets dynamically via JavaScript to defeat static HTML inspection.

Favicon and Resource Fingerprinting

Phishing pages often load resources — stylesheets, images, JavaScript files — directly from the legitimate brand's servers to ensure visual accuracy. This creates a detectable pattern: a domain with no prior history loading resources from microsoft.com, google.com, or financial institution CDNs is engaging in a characteristic behavior associated with phishing infrastructure. Monitoring outbound resource requests from sandboxed page renders surfaces this pattern reliably.

Phantom Squatting and AI-Hallucinated Domain Risk

A newer attack surface deserves specific attention. The concept of phantom squatting — where threat actors register domains corresponding to package names or URLs that AI coding assistants have hallucinated in generated code — extends the phishing surface beyond email. A developer copying AI-generated code that references a nonexistent package may inadvertently point production systems toward a domain that an attacker has since registered to serve malicious content.

Detection for this threat pattern requires monitoring the domains referenced in code repositories and dependency manifests against registration status. Newly registered domains that match patterns of AI-hallucinated package names and begin receiving traffic from developer tooling should be treated with the same scrutiny as phishing URLs in email flows. The attack surface differs but the detection logic — domain age, registration patterns, content analysis — applies directly.

Implementing Detection at Multiple Intercept Points

A phishing URL that reaches a user's inbox has already passed through at least one layer of control. Defense in depth requires detection at multiple intercept points, each providing coverage the others may miss.

Email Gateway Layer

At the email gateway, URL rewriting and detonation provide the primary control. Every URL in inbound email should be rewritten to pass through a URL proxy at click time, enabling analysis to run against the URL's state at the moment of the click rather than at delivery. This defeats time-of-delivery evasion, where phishing pages serve benign content during gateway inspection and activate malicious content hours later when the email reaches the inbox.

DNS Filtering Layer

Recursive DNS filtering — where DNS queries for known-bad or suspicious domains are blocked or redirected — provides a catch for users who click phishing URLs that escaped gateway inspection. Integrating domain intelligence feeds into DNS resolvers, and applying heuristic analysis to domains generating first-ever query volume, closes a significant gap. Browser-based ransomware techniques, emerging from explorations of LLM capabilities applied to browser-only attack surfaces, often rely on domains resolving successfully — DNS-layer blocking eliminates this delivery path.

Endpoint Browser Isolation

For high-risk user populations — executives, finance teams, IT administrators with elevated access — browser isolation routes web traffic through a remote rendering environment, preventing malicious page content from executing against the endpoint. A phishing page that successfully loads in an isolated browser cannot harvest credentials from a form that never renders locally or execute JavaScript that exfiltrates session tokens from the local browser store.

Post-Click Analysis and SIEM Correlation

When a user clicks a phishing URL that passed all upstream controls, the event generates logs. Proxy logs, DNS query logs, and endpoint browser history all record the click. SIEM correlation rules that fire on combinations of low-reputation domain access, form submission events, and subsequent authentication anomalies can detect successful phishing even after the click occurs. The goal at this stage shifts from prevention to rapid containment: identifying which credentials were potentially exposed, forcing password resets, and invalidating session tokens before attackers pivot from initial access to lateral movement.

Operationalizing Phishing URL Intelligence

Detection techniques produce value only when operationalized within workflows that security teams can sustain.

Maintaining a curated list of monitored brands — the organizations most frequently impersonated in phishing campaigns targeting your sector — and running continuous monitoring for lookalike domain registrations against that list gives security teams advance warning before a campaign reaches the inbox. Services like CertStream monitor certificate transparency logs in real time, surfacing newly issued certificates for domains that contain brand keywords. A certificate issued for secure-payroll-login-companyname.com the same day a campaign targeting your HR team begins is intelligence that arrives before the phishing email does.

Threat intelligence sharing with sector peers compounds the detection coverage. Phishing infrastructure rarely targets a single organization. URLs, hosting ASNs, nameservers, and registration patterns identified in one organization's incidents frequently appear in campaigns targeting adjacent organizations in the same sector. Structured sharing through ISAC channels or formal threat intelligence exchange programs turns individual detections into sector-wide early warning.

Finally, tabletop exercises that include phishing URL detection scenarios — specifically scenarios where the URL passes gateway inspection — prepare incident response teams to move quickly when post-click indicators arrive. The response playbook for a clicked phishing URL has a different first-hour timeline than a URL blocked at the gateway, and teams that have practiced it execute faster when it matters.

Where to Focus Investment

For security teams prioritizing improvement in phishing URL detection, the highest-return investments concentrate in three areas. First, deploy click-time URL analysis if it is not already in place — time-of-click inspection eliminates the delivery-versus-activation gap that defenders consistently lose. Second, integrate passive DNS and domain age data into email gateway scoring so freshly registered domains carrying login page parameters receive elevated scrutiny automatically rather than requiring analyst judgment on each case. Third, establish continuous monitoring for lookalike domain registrations against a defined brand watchlist — this moves detection upstream of delivery entirely.

The threat landscape rewards defenders who move detection earlier in the attack chain. A phishing URL caught at registration monitoring never reaches the gateway. A URL caught at the gateway never reaches the inbox. A URL caught at click time never harvests a credential. Each layer of earlier detection reduces the response burden and the blast radius when a campaign targets your organization.

Contact IPThreat