Safe at delivery.
Still safe at click.
Every link in every email is rewritten to route through Phish Protection's scanning infrastructure. If a link becomes malicious after delivery, it is blocked at click time. Protection does not expire when the email lands in the inbox.
Original link: https://login.microsoft-365.com/verify?id=8f3a
Rewritten link: https://scan.phishprotection.com/v1/url?d=login.microsoft-365.com&id=8f3a
URLs re-verified at the moment of click
How does URL rewriting protect against delayed attacks?
Attackers increasingly use a technique called "delayed weaponization" — sending emails with clean URLs that pass delivery-time security checks, then swapping the destination to a phishing page hours or days later. Traditional email security misses this entirely because the email was already scanned and delivered.
Phish Protection rewrites every URL in every email to route through our scanning proxy. When a user clicks a link — whether it is five seconds or five days after delivery — the destination is checked against current threat intelligence at that exact moment. If the link is now malicious, the user sees a block page instead of the phishing site.
Why do phishing links pass delivery-time scans?
Modern phishing campaigns are built to evade delivery-time security. Attackers register legitimate-looking domains, host clean content during the delivery window, and then swap in phishing pages after the email has been approved by security filters. Some campaigns wait 24-48 hours before activating.
This is why delivery-time scanning alone is not enough. The link was genuinely safe when scanned — the security system worked correctly at the time. Time of Click Protection closes this gap by re-evaluating every link at the moment it matters most: when someone actually clicks it.
Every hop inspected. Every redirect followed.
Attackers frequently use URL shorteners, open redirects, and multi-hop redirect chains to disguise the final destination of a malicious link. A link might pass through three or four intermediate domains before landing on the phishing page.
Phish Protection's click-time scanner follows the entire redirect chain to the final destination URL and checks every hop along the way. If any URL in the chain is flagged as malicious — whether it is the first hop or the last — the user is blocked from proceeding.
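The chain-following check described above, as an added Python example that is not Phish Protection's own code: it walks each hop, blocks on the first flagged host, and shows the same link passing at delivery and failing at click. The redirect table, the two threat-intel snapshots, `MAX_HOPS` and the choice to fail closed on loops are assumptions made for illustration; the hop URLs are taken from this page's sample click log.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HTTP fetches (assumption:
# a real scanner would request each hop with automatic redirects disabled).
REDIRECTS = {
    "https://bit.ly/3xR9kf2": "https://t.co/abc123",
    "https://t.co/abc123": "https://login-secure.net/o365",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

# Constructed threat-intel snapshots keyed by host: the same link, looked up
# at delivery and again at click after the destination was weaponized.
INTEL_AT_DELIVERY = {}
INTEL_AT_CLICK = {"login-secure.net": "phishing"}

MAX_HOPS = 10  # hypothetical cap; chains longer than this are not trusted


def check_click(url, intel, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Walk the redirect chain and return (verdict, hops, reason).

    Every hop is checked, not only the final destination. Loops and
    over-long chains cannot be fully inspected, so they fail closed.
    """
    hops, seen = [], set()
    while url is not None:
        if url in seen:
            return "BLOCKED", hops, "redirect loop"
        if len(hops) >= max_hops:
            return "BLOCKED", hops, "too many hops"
        seen.add(url)
        hops.append(url)
        host = (urlsplit(url).hostname or "").lower()
        if host in intel:
            return "BLOCKED", hops, f"{host} flagged as {intel[host]}"
        url = redirects.get(url)  # None means no further redirect
    return "ALLOWED", hops, "no hop flagged"


if __name__ == "__main__":
    link = "https://bit.ly/3xR9kf2"
    for label, intel in (("delivery", INTEL_AT_DELIVERY), ("click", INTEL_AT_CLICK)):
        verdict, hops, reason = check_click(link, intel)
        print(f"{label:8} {verdict:8} hops={len(hops)} ({reason})")
```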
CLICK DETECTED — user: j.martinez@company.com
Email age: 14 hours since delivery
Original link: bit.ly/3xR9kf2
Following redirect chain...
Hop 1: bit.ly/3xR9kf2
→ redirects to: t.co/abc123
Status: CLEAN
Hop 2: t.co/abc123
→ redirects to: login-secure.net/o365
Domain age: 3 hours — SUSPICIOUS
Hop 3: login-secure.net/o365
Final destination: PHISHING PAGE
Impersonating: Microsoft 365 login
Weaponized: 6 hours after email delivery
Verdict: BLOCKED
User shown block page. Credential theft prevented.
Protection that does not expire
Closes the delivery gap
Links are re-checked at click time, not just at delivery. Delayed weaponization attacks are blocked even days after the email arrived.
Full chain inspection
Redirect chains, URL shorteners, and multi-hop links are followed to their final destination. Every hop is scanned.
Transparent to users
Clean links load at normal speed. Users only see a block page when a genuine threat is detected — no disruption to daily workflow.
Block phishing links — even after delivery
Start your 60-day free trial in 5 minutes. No credit card required. No hardware to install. URLs are re-checked every time a user clicks.