The limits of URL rewriting and link scanning
Click-time URL rewriting is one of the most trusted email-security features: every link is replaced with a gateway-owned URL, so the destination can be re-checked the moment a user clicks. It catches a great deal of phishing and is worth having. But it is not the safety net many teams believe it is, and understanding its blind spots keeps expectations — and defenses — honest.
How URL rewriting and link scanning work
When mail arrives, the gateway rewrites links to route through its own scanning service:
Original : https://example.com/doc
Rewritten: https://urldefense.example/v3/__https://example.com/doc__;!!TOKEN
At click time the user hits the gateway first, which evaluates the destination — reputation, sandbox detonation, content analysis — and either allows the click, warns, or blocks. The premise is sound: check the link when it matters, not just at delivery. The problem is that a determined attacker controls the very thing being checked.
Why it is imperfect
The scanner is a known, distinguishable visitor
Rewriting only works if the gateway follows the link, and that fetch looks different from a real victim's browser. Attackers detect the scanner and serve it something clean.
- Cloaking. The server inspects user-agent, ASN, and request patterns, and shows automated visitors a harmless page while showing victims the phishing page.
- Geofencing. The page only activates for IP ranges matching the target's country or organisation; the cloud scanner's IPs get a benign response.
- CAPTCHA and interaction gates. A CAPTCHA, a "click to continue," or a required cookie stops an automated crawler before it ever reaches the payload — but a human sails through.
Gateway scanner → CAPTCHA / benign page → verdict: clean
Human victim → solves gate → live credential page
The link changes after it is judged
Even a perfect scan is a snapshot.
- Delayed weaponization. The URL points to a benign page when scanned, then swaps to the phishing payload afterward. The verdict is already cached.
- Single-use links. A token in the URL burns after one visit. If the scanner spends it, the page shows a harmless 404 — and the victim, arriving with a fresh token, gets the live page. If the victim spends it first, a later investigator sees only the 404.
Redirect chains launder the destination
The rewritten link may point to a reputable domain that simply forwards on: an open redirect, a URL shortener, a legitimate marketing tracker, or a chain of hops ending on freshly registered infrastructure. Scanners follow a limited number of hops, and the final destination can be swapped or gated independently of the first.
Trusted hosting resists blocking
When the destination is SharePoint, Google Drive, or a Cloudflare-fronted domain, a clean verdict is often correct in the moment — the file or page really is hosted there — yet the content is the lure. The scanner cannot block the platform wholesale.
Rewriting checks a link on the attacker's terms. Whoever controls the destination controls what the scanner sees, and can change it after the verdict lands.
Defense in depth
URL rewriting should be one layer among several, valuable but never load-bearing on its own:
- Phishing-resistant MFA (FIDO2/passkeys) so that even a link that reaches a live credential page cannot produce a usable login.
- Endpoint and browser protections that evaluate the page as rendered, after all redirects and gates.
- Newly-registered-domain and certificate-transparency monitoring to shorten reaction time on look-alike infrastructure.
- A trained, reporting human layer — the control that judges the page as actually delivered, precisely where automated scanning was fooled.
The goal is not to distrust rewriting, but to stop treating a click-time verdict as proof of safety. It is one probabilistic input, and the attacks engineered to pass it are the ones your other layers exist to catch.
How GottaPhish helps
Click-time URL rewriting catches a lot, but it is not the safety net many teams believe: cloaking, gated pages, single-use links, and redirect chains routinely fool automated scanning, so the link-scanning layer alone always leaves gaps. GottaPhish and its expert support team show you what URL rewriting actually stops — and what it misses — through authorized, fully audited simulations that reproduce those exact techniques safely, giving you per-user and per-department data on who reaches the page and who reports it. Our experts help you design the scenarios, deploy the campaigns, and interpret the dashboards, so the evidence sharpens your defense-in-depth priorities. The result turns your workforce into a reliable last line of detection where automated scanning can be fooled.
