Reading a redirect chain: what your browser does not show you
· by Spicy Stromboli · technical, link-analysis, phishing, cybersecurity, url-analysis, redirect-chain
A bit.ly link looks like a single hop. It almost never is.
Behind every shortener sits at least one HTTP redirect, and modern phishing kits chain several — a tracker, an A/B router, a geo-filter, and finally the landing page — to make the destination invisible to mail-gateway scanners and to the user who hovers over the link before clicking. This redirect layering is one component of a broader AI-augmented obfuscation network that adapts its behavior depending on who is walking the chain.
The hops you’ll typically see
A representative chain looks like this:
1. https://t.co/abc123 → 301 to a tracker
2. https://click.advertising.example/?u=… → 302 to a regional CDN
3. https://login-secure.example.net/auth?next=… → 200 (the actual phish)
The interesting bits are usually in step 2. That ?u= parameter is often a Base64-encoded URL — sometimes nested inside another URL-encoded layer — and that’s where the attacker hides the real destination from anything that does flat string-matching on the link.
Walking the chain safely
The dangerous way: paste the URL into a browser tab. Even a “preview” extension still issues a real HTTP GET, which can leak your IP, drop tracking cookies, or trigger a malicious redirect chain that ends with a drive-by download.
The safe way is what the Link Scout does on your behalf:
- Manual redirect mode (fetch(url, { redirect: 'manual' })) so each hop is surfaced.
- Per-hop re-validation against an SSRF denylist — every IP every hop resolves to is checked against the private/loopback/cloud-metadata ranges before any connection happens.
- A small response cap (64 KB) — we only need headers and a snippet, never the full payload.
- Recursive decoding of any Base64, hex, or URL-encoded segment in the URL, so encoded destinations and encoded PowerShell payloads both pop into view.
What to look for
Once the chain is visible, three things should make you nervous:
- Domain drift: the visible hostname changes meaningfully across hops (e.g. t.co → random-tracker.tk → microsoft-account-verify.support).
- Encoded payloads: a query parameter that decodes to powershell -EncodedCommand … or to another URL is a near-certain malware staging signal.
- A 200 on a freshly registered domain: combine with WHOIS lookup and the picture usually completes itself.
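An added example in Node, not Link Scout's code, covering both the nested ?u= decoding described under the representative chain and the three signals listed above. peelEncodings strips URL, hex and Base64 layers off a parameter until nothing decodes further; analyseChain takes an already-walked list of hops plus a creation date per registrable domain (a real tool would get that from WHOIS or RDAP) and reports domain drift, parameters that decode to another URL or to a powershell -EncodedCommand line, and a 200 on a domain younger than 30 days (the threshold is my assumption). The chain, the encoded values and the registration date are constructed, and the registrable-domain check is a last-two-labels approximation.

```javascript
// Added example, not Link Scout's code: peel nested URL/hex/Base64 layers off
// query parameters and apply the post's three signals to an already-walked
// chain. The chain, the registration date and the encoded values are constructed.

function isPrintable(s) {
  return s.length > 0 && /^[\x20-\x7e\t\r\n]+$/.test(s);
}

// Remove one encoding layer, or return null when none applies cleanly.
function tryDecodeOnce(s) {
  if (/%[0-9a-f]{2}/i.test(s)) {
    try { const d = decodeURIComponent(s); if (d !== s) return d; } catch { /* not URL-encoded */ }
  }
  if (s.length >= 8 && s.length % 2 === 0 && /^[0-9a-f]+$/i.test(s)) {
    const d = Buffer.from(s, 'hex').toString('utf8');
    if (isPrintable(d)) return d;
  }
  // Node's base64 decoder also accepts the URL-safe alphabet, so base64url works too.
  if (s.length >= 8 && /^[A-Za-z0-9+/_-]+={0,2}$/.test(s)) {
    const d = Buffer.from(s, 'base64').toString('utf8');
    if (isPrintable(d)) return d;
  }
  return null;
}

// All layers outermost first; the last element is the fully decoded value.
function peelEncodings(value, maxDepth = 5) {
  const layers = [value];
  for (let i = 0; i < maxDepth; i++) {
    const next = tryDecodeOnce(layers[layers.length - 1]);
    if (next === null) break;
    layers.push(next);
  }
  return layers;
}

// Raw (still percent-encoded) query pairs, so the URL-encoding layer stays visible.
function rawQueryParams(urlString) {
  const q = new URL(urlString).search.slice(1);
  return q ? q.split('&').map((pair) => {
    const i = pair.indexOf('=');
    return i < 0 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
  }) : [];
}

// Registrable-domain approximation (last two labels). A real tool should use
// the Public Suffix List; this version misfires on co.uk-style suffixes.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Matches powershell ... -e / -ec / -enc / -EncodedCommand in a decoded value.
const PS_ENCODED = /powershell(?:\.exe)?\b[^\n]*\s-e(?:c|nc|ncodedcommand)?\b/i;

// hops: [{ url, status }] as produced by a walker; registeredAt maps a
// registrable domain to its WHOIS creation date (ISO string).
function analyseChain(hops, registeredAt, now = new Date()) {
  const findings = [];
  const domains = hops.map((h) => registrableDomain(new URL(h.url).hostname));
  if (domains.some((d, i) => i > 0 && d !== domains[i - 1])) {
    findings.push({ signal: 'domain-drift', detail: domains.join(' -> ') });
  }
  for (const hop of hops) {
    for (const [name, raw] of rawQueryParams(hop.url)) {
      const layers = peelEncodings(raw);
      if (layers.length === 1) continue; // nothing was encoded
      const inner = layers[layers.length - 1];
      if (PS_ENCODED.test(inner)) findings.push({ signal: 'encoded-powershell', detail: `${name} on ${new URL(hop.url).hostname}` });
      else if (/^https?:\/\//i.test(inner)) findings.push({ signal: 'encoded-url', detail: `${name} -> ${inner}` });
    }
  }
  const last = hops[hops.length - 1];
  if (last && last.status === 200) {
    const host = new URL(last.url).hostname;
    const created = registeredAt[registrableDomain(host)];
    if (created) {
      const ageDays = Math.floor((now - new Date(created)) / 86_400_000);
      if (ageDays < 30) findings.push({ signal: 'fresh-domain', detail: `${host} registered ${ageDays} days ago` });
    }
  }
  return findings;
}

// Constructed sample: the chain from the post. ?u= carries the destination as
// Base64 inside a URL-encoded layer; ?p= decodes to a PowerShell one-liner whose
// command is a placeholder (base64url keeps the value free of + / = characters).
const ENCODED_PS = Buffer.from('powershell -EncodedCommand <placeholder>').toString('base64url');
const SAMPLE_CHAIN = [
  { url: 'https://t.co/abc123', status: 301 },
  { url: `https://click.advertising.example/?u=aHR0cHM6Ly9sb2dpbi1zZWN1cmUuZXhhbXBsZS5uZXQvYXV0aA%3D%3D&p=${ENCODED_PS}`, status: 302 },
  { url: 'https://login-secure.example.net/auth?next=%2F', status: 200 },
];
const SAMPLE_WHOIS = { 'example.net': '2024-05-20' }; // constructed creation date

function demo(now = new Date('2024-06-01')) {
  return analyseChain(SAMPLE_CHAIN, SAMPLE_WHOIS, now);
}
```

The decoder only accepts a layer when the result is printable text, which is what keeps an opaque tracking ID like abc123 or a hex-looking hash from being reported as an encoded payload; the ?next=%2F parameter on the final hop decodes to a single slash and correctly produces no finding.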
The Link Scout flags all three automatically, but the goal isn’t to outsource your judgement — it’s to give you the information that the original click would have hidden.