What this bundle covers
The "click here" link in a phishing email used to be the weakest part of the attack. Email gateways followed the URL, saw the domain, and either passed or flagged the email. Attackers worked around this by hiding their phishing destination behind a trusted-domain redirect — google.com/url?q=phish, bit.ly/abc, or whichever proxy still worked that week. By 2026 most of those tricks are dead. A few are still alive, and one combination of techniques defeats every automated email scanner we tested.
This bundle contains the empirical research:
- What's still alive in 2026 — every major platform's redirect endpoint, tested with real curl traces and browser screenshots
- The Twitter open redirect nobody patched — a live unauthenticated open redirect on twitter.com and x.com, found after testing 80+ trusted endpoints
- Attacker-built redirect infrastructure — Cloudflare Workers, GitHub Pages, Netlify, and the compound chain that defeats sandbox scanners
- redirect_analyzer — a free Python tool that traces redirect chains including the techniques naive HTTP scanners miss
Who this is for
Anyone running email security for a real organisation. Anyone hunting phishing infrastructure as a SOC analyst. Anyone publishing security research who wants to stop spreading "google.com/url defeats Safe Links" advice that has been wrong since 2023.
Status
Live. Four posts published, tool published on GitHub, validation scripts and screenshots in the source repo. We'll keep this updated as techniques change.