← All articles

The limits of URL rewriting and link scanning

GottaPhish Team · June 30, 2026

Click-time URL rewriting is one of the most trusted email-security features: every link is replaced with a gateway-owned URL, so the destination can be re-checked the moment a user clicks. It catches a great deal of phishing and is worth having. But it is not the safety net many teams believe it is, and understanding its blind spots keeps expectations — and defenses — honest.

How URL rewriting and link scanning work

When mail arrives, the gateway rewrites links to route through its own scanning service:

Original : https://example.com/doc
Rewritten: https://urldefense.example/v3/__https://example.com/doc__;!!TOKEN

At click time the user hits the gateway first, which evaluates the destination — reputation, sandbox detonation, content analysis — and either allows the click, warns, or blocks. The premise is sound: check the link when it matters, not just at delivery. The problem is that a determined attacker controls the very thing being checked.

Why it is imperfect

The scanner is a known, distinguishable visitor

Rewriting only works if the gateway follows the link, and that fetch looks different from a real victim's browser. Attackers detect the scanner and serve it something clean.

Gateway scanner  → CAPTCHA / benign page → verdict: clean
Human victim      → solves gate → live credential page

The link changes after it is judged

Even a perfect scan is a snapshot.

Redirect chains launder the destination

The rewritten link may point to a reputable domain that simply forwards on: an open redirect, a URL shortener, a legitimate marketing tracker, or a chain of hops ending on freshly registered infrastructure. Scanners follow a limited number of hops, and the final destination can be swapped or gated independently of the first.

Trusted hosting resists blocking

When the destination is SharePoint, Google Drive, or a Cloudflare-fronted domain, a clean verdict is often correct in the moment — the file or page really is hosted there — yet the content is the lure. The scanner cannot block the platform wholesale.

Rewriting checks a link on the attacker's terms. Whoever controls the destination controls what the scanner sees, and can change it after the verdict lands.

Defense in depth

URL rewriting should be one layer among several, valuable but never load-bearing on its own:

The goal is not to distrust rewriting, but to stop treating a click-time verdict as proof of safety. It is one probabilistic input, and the attacks engineered to pass it are the ones your other layers exist to catch.

How GottaPhish helps

Click-time URL rewriting catches a lot, but it is not the safety net many teams believe: cloaking, gated pages, single-use links, and redirect chains routinely fool automated scanning, so the link-scanning layer alone always leaves gaps. GottaPhish and its expert support team show you what URL rewriting actually stops — and what it misses — through authorized, fully audited simulations that reproduce those exact techniques safely, giving you per-user and per-department data on who reaches the page and who reports it. Our experts help you design the scenarios, deploy the campaigns, and interpret the dashboards, so the evidence sharpens your defense-in-depth priorities. The result turns your workforce into a reliable last line of detection where automated scanning can be fooled.