Phishing & Domain Reputation Checker

Signals we check

The verdict is built from a fixed set of signals, each named in the report. Nothing is hidden behind a black-box ML score.

• DNS. A and AAAA records, MX records, and the NS provider. No DNS at all is itself a signal. So is using a free DNS provider that ships phishing kits in bulk.
• SSL. Certificate issuer, subject CN, full SAN list, certificate age, and time to expiry. A Let's Encrypt cert issued in the last 24 hours on a brand-spoof domain is a strong signal.
• WHOIS. Registrar, registration date and so domain age, and registrant org if disclosed. Domains under 30 days old score higher. Privacy registration on a brand-spoof domain scores higher still.
• Brand keyword in subdomain or path. "paypal" in login.paypal-secure.example.com is the classic pattern. We match against a known brand list and flag the placement.
• Suspicious TLD. .tk, .top, .xyz, .ru, .cn, and a handful of others are over-represented in phishing telemetry. Not an automatic fail, but it nudges the score.
• Free-tier hosting on a brand-spoof domain. Heroku, Vercel, Netlify, and Cloudflare Pages are legitimate platforms abused by phishing kits because they are free and disposable.
• Open redirects and suspicious URL parameters. Long base64 blobs, encoded URL parameters that look like another domain, and known open-redirect patterns.
• HTML resemblance to known brand login pages. Lightweight string match against a library of common login templates. Not pixel-perfect comparison, but it catches the obvious clones.

Verdict bands map the 0 to 100 score into four buckets:

What we don't check

Honest about the limits. This is a fast lightweight scanner, not a full sandbox.

• We do not fetch full page content for malware analysis. There is no sandbox detonation, no JavaScript execution profiling, no binary scoring.
• We do not follow redirect chains beyond 3 hops. Long redirect chains used to obscure final destination are flagged but not fully traversed.
• We do not decode obfuscated JavaScript. Encoded payloads, packed scripts, and runtime-generated DOM are out of scope.
• We do not query every available threat intel feed. The free tool checks a curated subset. Full feed integration is on the paid SecurityAlert plan.

For deeper inspection, run the URL through VirusTotal for AV-engine consensus, urlscan.io for a full headless-browser session including DOM and network capture, or Hybrid Analysis for sandbox detonation. This tool is the first-pass triage that tells you whether deeper inspection is worth your time.

When to use this

• You got a suspicious link. Email, SMS, Slack DM, anything. Paste it here before clicking. Five seconds of caution saves a lot of incident-response work.
• Pre-takedown reconnaissance. If you are about to file a takedown for a brand-spoof domain, run this first to capture the WHOIS, registrar, and signal evidence in one report URL you can attach to the request.
• Customer support triage. A customer reports a domain claiming to be your brand. Scan it, share the report URL with the customer and with internal security. If the verdict is malicious, escalate to takedown.
• Security awareness training. Show a real suspicious URL alongside its report so people learn what the signals look like in practice.

Frequently asked questions