Here is a question that puzzles a lot of people the first time they understand how modern phishing works: if a criminal has just stolen someone’s password on a fake login page, why would they then send that person to the real website? Wouldn’t they want to keep control of the victim?
The answer reveals one of the most useful detection opportunities a brand owner has — and it starts with understanding why the redirect happens at all.
Why phishing kits send victims to your real site
The goal of a credential-phishing page is not just to capture a password. It is to capture the password without the victim realising it happened, because every minute the victim stays unsuspicious is a minute the attacker can use the stolen credentials before they’re changed or the account is locked.
So once the fake page has harvested what it needs, well-built kits perform a final, deliberate step: they redirect the victim to the genuine website — usually the real login or home page of the brand being impersonated. Security researchers describe this plainly. In one analysis of a live campaign, the kit redirected the victim to the legitimate brand site after credential theft specifically to reduce the chance of immediate reporting. [1] Another technical teardown noted the victim is sent to the homepage of the legitimate website, “hiding evidence of the compromise and ensuring the victim remains unaware of the attack.” [2]
From the victim’s point of view, the experience feels ordinary: they entered their details, there was a brief pause, and now they’re looking at the real site, perhaps asked to log in again (which they do, successfully). Nothing seems wrong. That is exactly the point.
The criminal’s problem is your opportunity
The redirect that protects the attacker from suspicion is the same redirect that can announce them to you — if you’re watching the right signal.
The fingerprint: the HTTP referral URL
When a browser follows a link or redirect from one page to another, it often sends a referrer — an HTTP header (the header name itself is spelled Referer) telling the destination site which page the visitor came from. When a phishing kit redirects a freshly-phished victim to your real login page, the victim’s browser can carry the phishing page’s address along as that referrer.
That means the phishing site’s URL can appear in your own web-server logs — on the public-facing pages where your users sign in and sign out. Proofpoint’s analysis of phishing kits spells out the consequence directly: with the common JavaScript redirect method, “the referrer URL may show up in the targeted brand’s logs allowing detection of the kit for a savvy brand.” [3]
In other words, the attacker’s own anti-suspicion step hands you a list of the very pages impersonating you — written into infrastructure you already own and already log.
Why this matters so much for brand impersonation
Brand impersonation is not a fringe problem. The Anti-Phishing Working Group recorded roughly 3.8 million unique phishing sites in 2025, and impersonation of trusted brands is the engine behind most of them — Microsoft alone appears in a large share of brand-phishing activity quarter after quarter. [5][6] If your business runs a login page that customers or staff value, someone can clone it.
The hard part is time. Academic researchers who tracked 286,237 phishing URLs over five months found the average phishing site lives about 54 hours, with a median of just 5.46 hours — and some themes, like logistics brands, average under two hours. [7] By the time a phishing site surfaces on a traditional blocklist, much of the damage is already done. Detection has to be fast to matter.
This is what makes referral-URL monitoring valuable: the signal can arrive while the attack is live, or even earlier. Criminals frequently test their phishing pages against your real site while they’re still building and tuning the kit — pointing the half-finished page at your genuine login flow to make sure the redirect works. Those test hits can land in your logs before a single real victim is targeted.
How SafeToOpen Brand Protection uses this
SafeToOpen Brand Protection turns that log signal into action with a pipeline that needs no change to how your site runs:
Your public-facing web server — the one where users sign in and sign out — already records referral URLs in its logs. Those logs flow to your SIEM or log collector, which emails the collected HTTP referral URLs to SafeToOpen every few minutes. SafeToOpen extracts each URL and scans it with the same zero-day detection engine that powers our browser extension — the engine built to recognise a phishing page by what it is, not whether it has been reported before. When a page impersonating your brand is confirmed, it’s reported to your security team for takedown, with evidence, and shared with SafeToOpen’s technology partners so the URL can be blocked in real time across the web.
Crucially, this approach catches sites that blocklists and email gateways miss, because it doesn’t wait for the phishing site to be reported by someone else. The referrer arrives in your logs the moment a browser is redirected — and increasingly, as noted above, even while the kit is still under construction.
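To make the log signal concrete, here is an added example (not SafeToOpen’s code) of the first stage of the pipeline above and of the referrer mechanism described earlier: it parses access-log lines in the common Apache/nginx "combined" format, keeps only hits on the login and logout pages, and reports referrers that point at hosts the brand does not own. The brand hostnames and the log lines are constructed for the example; the lookalike host uses the reserved .invalid TLD as a placeholder.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: host ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed brand hostnames and watched pages (placeholders for this example).
OWN_HOSTS = {"login.example-bank.test", "www.example-bank.test"}
WATCHED_PATHS = ("/login", "/logout")


def external_referrers(lines, own_hosts=OWN_HOSTS, watched=WATCHED_PATHS):
    """Return {referrer_url: hit_count} for watched-page hits whose Referer is an
    http(s) URL on a host we do not own. A bare "-" (no referrer) is skipped, which
    is why kits using meta-refresh or a strict Referrer-Policy will not show up."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; ignore
        if not m["path"].split("?", 1)[0].startswith(watched):
            continue  # only the sign-in / sign-out pages carry the signal
        ref = m["referer"]
        if ref == "-":
            continue
        parts = urlsplit(ref)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        host = parts.hostname.lower()
        if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
            continue  # first-party navigation, not a redirect from elsewhere
        hits[ref] = hits.get(ref, 0) + 1
    return hits


# Constructed sample log lines (not real traffic); the phishing host is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 5123 "https://www.example-bank.test/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:09:14:07 +0000] "GET /login HTTP/1.1" 200 5123 "https://secure-examp1e-bank.phish.invalid/verify.php" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2025:09:15:30 +0000] "GET /login?next=%2Faccount HTTP/1.1" 200 5123 "https://secure-examp1e-bank.phish.invalid/verify.php" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:09:16:01 +0000] "GET /assets/app.js HTTP/1.1" 200 9000 "https://evil.invalid/" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:09:17:44 +0000] "GET /logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for url, n in external_referrers(SAMPLE_LOG.splitlines()).items():
        print(f"{n:3d}  {url}")  # the candidate URLs to hand to a scanner
```

The output set is the list of candidate impersonation URLs to forward to a scanning service; a test hit from a kit still under construction lands here just like a post-theft redirect does.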
Catch the fakes early, from logs you already keep
SafeToOpen Brand Protection monitors the referral URLs hitting your login and logoff pages and scans them in real time — finding impersonation sites fast, often before victims are hit.
An honest note on coverage
Referral monitoring is powerful but not a silver bullet, and it’s worth being clear about that. Attackers are aware of the log trail: some kits have moved from the JavaScript redirect to an HTTP “refresh” method that doesn’t leave the same referrer, [3] and the most evasive kits redirect suspected researchers to benign sites while serving the real phishing page only to genuine targets. [8] That’s precisely why referral monitoring works best as one layer alongside others — lookalike-domain and visual brand monitoring, real-time browser and email protection for your people, and phishing-resistant authentication. Together they cover each other’s blind spots.
But the core insight holds: the attacker’s need to keep victims calm pulls them toward your real infrastructure — and every time it does, it’s a chance for you to see them first.