← Use Cases

How do I check links in emails before they reach my team?

The problem

Phishing emails are the most common attack vector. They bypass spam filters because the domains are freshly registered, the SSL certificates are valid, and the links look legitimate. Your email security catches known threats but misses newly created attack infrastructure that hasn't made it into any threat database yet.

One clicked link can lead to credential theft, malware installation, or a full breach. The cost of not catching it dwarfs the cost of checking it.

How Unphurl solves it

Build an email security AI agent that parses URLs from incoming emails and checks each one through Unphurl before delivery. Unphurl catches the pattern-based threats that are too new for traditional databases: freshly registered domains impersonating known brands, suspicious redirect chains, and obfuscated URLs.

Signals that matter for this use case

  • Brand impersonation catches phishing pages mimicking banks, tech companies, and services
  • Domain age <7 days flags the peak phishing window for newly registered domains
  • Excessive redirects reveal redirect obfuscation chains common in phishing emails
  • TLD change on redirect catches links that claim one domain but land on another
  • URL contains IP detects direct-IP access common in phishing to bypass domain filtering
  • High domain entropy identifies auto-generated domain names used in phishing campaigns

Suggested scoring profile

{
  "name": "email-security",
  "weights": {
    "brand_impersonation": 40,
    "domain_age_3": 40,
    "domain_age_7": 30,
    "redirects_5": 30,
    "chain_incomplete": 20,
    "url_contains_ip": 15,
    "encoded_hostname": 10,
    "tld_redirect_change": 10,
    "subdomain_excessive": 10,
    "domain_entropy_high": 10,
    "ssl_invalid": 15,
    "phishing_floor": 80
  }
}

What a result looks like

An email arrives with a link to https://secure-microsoft-login.xyz/auth. Your AI agent extracts the URL and checks it:

Score: 80/100
Brand impersonation: microsoft.com (+40)
Domain age: 2 days (+40)
MX record: none
Redirects: 1 hop

The email is quarantined or the link is flagged before anyone clicks it.

Cost

Most URLs in legitimate emails point to known domains (Google, Microsoft, LinkedIn, Salesforce) that resolve free. A company processing 5,000 emails per month might extract 2,000 unique URLs, of which 50-200 are unknown and cost a pipeline check. The Standard package ($39 for 500 pipeline checks) covers most teams.

Get started

# Check a suspicious email link
npx unphurl https://secure-microsoft-login.xyz/auth --profile email-security

# Batch check all URLs extracted from today's emails
unphurl --batch email-urls.txt --profile email-security --json
Read the docs All use cases