Malicious redirect chains

Attackers use multi-hop redirect chains to evade detection, fingerprint visitors, and deliver payloads conditionally. This guide covers cloaking, traffic distribution systems, open redirect abuse, and why these chains are difficult to detect.


What it is

Malicious redirect chains are multi-hop redirect sequences designed to evade security tools, filter visitors, and deliver payloads only to intended targets. Unlike legitimate redirect chains (URL shorteners, CDN routing), malicious chains are deliberately complex and conditional: a security scanner following the same URL may see a blank page or a benign site, while a targeted user sees a phishing form.

Cloaking

Cloaking is the practice of serving different content to different visitors based on their characteristics. In a malicious redirect chain, intermediate hops inspect the visitor's User-Agent, IP address, referrer, cookies, and other HTTP headers. If the visitor looks like a security crawler, search engine bot, or comes from a blocklisted IP range, the chain terminates with a benign page or a 404 error. Only visitors matching the target profile (e.g., a specific browser, geographic region, or language) proceed to the malicious payload.

This makes cloaked redirect chains particularly difficult to analyze in automated sandboxes, because the chain literally does not complete for non-targeted visitors.

Traffic distribution systems

A traffic distribution system (TDS) is server-side infrastructure that routes visitors through redirect chains based on configurable rules. Attackers use TDS platforms to manage campaigns at scale. A single initial URL can lead to different phishing pages, malware downloads, or scam sites depending on the visitor's profile.

TDS platforms support geographic filtering (show a phishing page only to US users), device filtering (serve mobile vs desktop payloads), temporal controls (activate a chain only during business hours), and frequency capping (show the payload only once per IP). Some TDS services are sold as commercial products in underground markets.

Open redirect abuse

An open redirect is a vulnerability on a legitimate website that allows an attacker to craft a URL on a trusted domain that redirects to an arbitrary destination. For example, trusted-brand.com/redirect?url=evil.com borrows the trusted domain's reputation to bypass email filters and URL reputation systems. Open redirects on popular platforms are frequently combined with other hops so that the chain starts on a trusted domain, a technique commonly seen in lookalike-domain campaigns.
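Two defensive checks follow from this section, shown here as an added example (not code from the original page): a site-side validator that rejects redirect targets leaving the trusted domain, including the bypass shapes that naive "starts with /" checks miss, and a pipeline-side detector that flags links on a trusted domain whose query parameter carries an off-site destination. All host names (`trusted.example`, `evil.example`) and the `REDIRECT_PARAM_HINTS` list are constructed for illustration.

```python
"""Open-redirect defences: validate outgoing redirect targets and flag
inbound URLs that look like trusted-domain/redirect?url=other-host.
Added example; host names and parameter hints are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names commonly used to carry a redirect destination (heuristic list,
# constructed for this example; extend from your own telemetry).
REDIRECT_PARAM_HINTS = ("url", "redirect", "next", "return", "goto",
                        "dest", "target", "continue", "rurl", "redir")

# Something that looks like a bare host: "evil.example" or "evil.example:8443"
BARE_HOST = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}(:\d+)?")


def is_safe_redirect(target, allowed_hosts):
    """Return True only if `target` is a same-site relative path or an
    http(s) URL on an explicitly allow-listed host.

    Rejects: protocol-relative '//evil', backslash variants '/\\evil',
    scheme-less 'evil.example', 'https:evil.example', userinfo tricks
    'https://trusted@evil', and non-http schemes such as javascript:.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat '/\\evil.example' like '//evil.example'; normalise first.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative: exactly one leading slash, never '//'.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # 'https://trusted.example@evil.example' form
    return (parts.hostname or "").lower() in allowed_hosts


def find_offsite_redirect_params(url):
    """Return [(param_name, destination_host)] for query parameters whose
    value is a URL pointing at a host other than the page's own host.
    Intended for mail/URL-reputation pipelines that want to surface
    'trusted.example/redirect?url=evil.example' style links."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; unquote again to catch double-encoding.
        decoded = unquote(value).replace("\\", "/")
        inner = urlsplit(decoded)
        inner_host = (inner.hostname or "").lower()
        if not inner_host and not decoded.startswith("/"):
            # Bare 'evil.example/path' value: only trust it as a host when the
            # parameter name itself suggests a redirect, to limit false positives.
            first = decoded.split("/")[0]
            if BARE_HOST.fullmatch(first) and any(h in name.lower() for h in REDIRECT_PARAM_HINTS):
                inner_host = first.split(":")[0].lower()
        if inner_host and inner_host != own_host:
            hits.append((name, inner_host))
    return hits
```

`is_safe_redirect` deliberately returns False for anything it cannot classify; an allow-list of destination hosts is the only way to permit cross-site redirects safely. `find_offsite_redirect_params` is a heuristic for triage, not a verdict: a hit means "this trusted-domain link carries another host as a parameter", which is the precondition for the abuse described above.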

Detection challenges

Malicious redirect chains are difficult to detect because they are non-deterministic. The same initial URL can produce different chains for different visitors, or no chain at all. Security teams face several obstacles:

  • Crawler evasion. Chains may not complete in automated scanning environments.
  • Ephemeral infrastructure. Intermediate redirect domains may be active for only hours.
  • Mixed legitimate and malicious hops. A chain might pass through a legitimate URL shortener and a compromised WordPress site before reaching the phishing page.
  • Client-side redirects. JavaScript-based redirects are invisible to tools that only follow HTTP 3xx responses.

Effective detection requires browser-based crawling that executes JavaScript, geographic diversity in scanning infrastructure, and correlation of redirect chain hops with known malicious domains and TDS fingerprints. Phishing domain detection systems and broader threat intelligence platforms increasingly incorporate redirect chain analysis as a core capability.
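The Cloaking section and the detection obstacles above both come down to the same analysis problem: follow every kind of hop, not just HTTP 3xx, and compare what different visitor profiles see. The following is an added example (not code from the original page) of a chain walker that handles `Location` headers, `<meta http-equiv="refresh">` and simple JavaScript `location` assignments, with a hop limit and loop detection, then runs the same start URL under two profiles and reports divergence as a cloaking signal. The `fetch` callback is pluggable; here it is a constructed in-memory fixture (hosts `short.example`, `tds.example`, `blog.example`, `login-brand.example`) that cloaks on User-Agent, standing in for a real browser-based fetcher.

```python
"""Redirect-chain walker with cloaking comparison across visitor profiles.
Added example; the fixture below is constructed, not captured traffic."""
import re
from urllib.parse import urljoin

MAX_HOPS = 10  # ephemeral chains are short; bound the walk regardless

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
JS_REPLACE = re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def next_hop(url, status, headers, body, client_side=True):
    """Return (hop_kind, absolute_url) or None when the page is terminal.
    With client_side=False only HTTP 3xx hops are followed, which is what a
    naive crawler sees and why JS/meta hops go unnoticed."""
    if 300 <= status < 400 and "location" in headers:
        return ("http", urljoin(url, headers["location"]))
    if not client_side:
        return None
    for kind, pattern in (("meta", META_REFRESH), ("js", JS_LOCATION), ("js", JS_REPLACE)):
        m = pattern.search(body or "")
        if m:
            return (kind, urljoin(url, m.group(1)))
    return None


def follow_chain(start_url, fetch, profile, client_side=True):
    """Walk the chain for one profile. `fetch(url, profile)` must return
    (status, headers, body). Returns (chain, stop_reason) where chain is a
    list of (hop_kind, url) starting with ("start", start_url)."""
    chain, seen, url = [("start", start_url)], {start_url}, start_url
    for _ in range(MAX_HOPS):
        status, headers, body = fetch(url, profile)
        hop = next_hop(url, status, {k.lower(): v for k, v in headers.items()}, body, client_side)
        if hop is None:
            return chain, "terminal"
        kind, url = hop
        chain.append((kind, url))
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "hop-limit"


def cloaking_verdict(start_url, fetch, profiles, client_side=True):
    """Run the walk under each profile; differing final URLs mean the chain
    is conditional on visitor characteristics (cloaking/TDS behaviour)."""
    results = {name: follow_chain(start_url, fetch, p, client_side) for name, p in profiles.items()}
    finals = {name: chain[-1][1] for name, (chain, _) in results.items()}
    return len(set(finals.values())) > 1, finals, results


# ---- constructed fixture: shortener -> TDS (cloaks on UA) -> compromised
# ---- blog page (JS redirect) -> credential-harvesting page
FIXTURE = {
    "https://short.example/abc": (302, {"Location": "https://tds.example/r?c=1"}, ""),
    "https://blog.example/wp-content/x.html": (200, {}, '<html><script>window.location.href="https://login-brand.example/"</script></html>'),
    "https://login-brand.example/": (200, {}, "<form>sign in</form>"),
}

PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; SecurityBot/1.0)"},
    "victim": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
}


def fake_fetch(url, profile):
    """In-memory stand-in for a fetcher; the TDS hop serves a dead end to
    anything that looks like a bot and a meta-refresh hop to everyone else."""
    if url == "https://tds.example/r?c=1":
        ua = profile.get("User-Agent", "").lower()
        if "bot" in ua or "headless" in ua:
            return (200, {}, "<p>404 Not Found</p>")
        return (200, {}, '<meta http-equiv="refresh" content="0;url=https://blog.example/wp-content/x.html">')
    return FIXTURE.get(url, (404, {}, ""))


if __name__ == "__main__":
    cloaked, finals, _ = cloaking_verdict("https://short.example/abc", fake_fetch, PROFILES)
    print("cloaking suspected:", cloaked, finals)
```

Running the walk with `client_side=False` reproduces the blind spot from the list above: even the victim profile appears to end at the TDS hop because the meta-refresh and JavaScript hops are never followed. In production the `fetch` callback would be backed by a real browser and run from several geographic vantage points, and each hop's domain would be checked against threat intelligence and known TDS fingerprints.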
