When you open a Voretix scan report, the verdict is the headline — but the redirect chain is the plot. Malicious campaigns almost never link a victim straight to the payload page. They route through trackers, traffic distribution systems and cloaking layers, and each hop leaves a fingerprint. Here is how to read them.
The shape of a benign chain
Legitimate redirects are boring, and boring is the baseline you calibrate against. Common benign patterns:
http://→https://upgrades on the same host.example.com→www.example.comcanonicalisation.- A marketing tracker (one hop, well-known domain) unwrapping into the destination it advertises.
- Regional bounces:
brand.com→brand.debased on geolocation.
Two or three hops, recognisable infrastructure, and a destination that matches what the link claimed to be.
Five patterns that should raise your eyebrow
- Downgrades and domain hops. A chain that starts on a reputable domain and ends somewhere unrelated — especially a fresh domain or a raw IP — is the classic open-redirect abuse shape.
- Shortener stacking. One shortener is convenience; a shortener that resolves into another shortener is evasion. Nobody chains three of them for a legitimate reason.
- Meta-refresh and JavaScript hops. HTTP 301/302 redirects are visible to any crawler. Campaigns that redirect via
<meta http-equiv="refresh">orwindow.locationin script are usually trying to lose the cheap scanners. The sandbox follows these anyway — and flags them. - Parameter smuggling. Watch for the victim's email address riding the query string through every hop (
[email protected]). Kits use it to pre-fill the fake login form and to burn one-time links after a single visit. - The 200-that-should-be-a-302. A hop that returns 200 with a full HTML page that immediately forwards you is a cloaking checkpoint: it decided you looked human before letting you through. Scanners that only fetch headers never see past it.
Every hop in a chain is a decision someone paid for. Ask what each one is buying.
Where to look in the report
In the scan report, each step in the chain card shows the URL, status code and hop type, with the final destination highlighted. Cross-reference three things: the final domain's age in the overview, the hop types (header vs meta vs script), and whether the screenshot matches the brand the first link implied. When those three disagree with each other, trust the chain — it is the part of the page the attacker could not make lie.
Frequently asked questions
What is a redirect chain?
The hop-by-hop sequence of URLs between the link that was clicked and the page that finally loaded. Each hop in a scan report records the URL, status code and hop type, with the final destination highlighted.
Why do phishing links use so many redirects?
Each hop buys something: reputation laundering through a trusted first domain, click analytics, geofencing, and cloaking layers that show scanners a harmless page while routing victims to the payload.