Most security tools share the same basic strategy: keep a list of known-bad websites, and block anything on the list. Email gateways, web filters and DNS blockers all rely on some version of this. It works well — but only against threats that have already been reported, analysed and added to a list.
Zero-day phishing exploits the gap before that happens. Attackers register a fresh domain, stand up a convincing fake login page, send it to their targets, and take it down again — often within hours. By the time the page is reported and blocklisted, the campaign is over and the attackers have moved to a new domain.
Why the timing beats traditional defences
The numbers explain why speed matters so much. Researchers at Verizon found that the median time for a person to click a phishing link is just 21 seconds after receiving it. [2] If the dangerous part of an attack happens in the first minute, a defence that depends on a page being reported, reviewed and added to a blocklist hours later is simply too slow.
Attackers also build their infrastructure specifically to defeat lists. Interisle’s 2025 Phishing Landscape report found that 77% of phishing domains were maliciously registered for the attack — brand-new domains, not hijacked legitimate ones — and that the number of unique phishing domains grew 38% in a year to over 1.5 million. [3] Each fresh domain starts life with a clean reputation that no blocklist covers.
The disguises that fool people
Modern phishing pages don’t look crude. Around 80% of phishing websites now use HTTPS — the padlock in the address bar — to borrow the visual cue people were once taught to trust. [4] The page may be a pixel-perfect clone of a real login screen, hosted on a domain that’s a single character different from the genuine one.
That’s the core problem with reputation-based protection: it asks “have we seen this exact thing before?” A zero-day page is designed so the honest answer is always “no.”
What actually catches a zero-day page
If you can’t rely on recognising the page, you have to judge it by what it is, not what it’s called. That means analysing the page itself, in real time, at the moment it loads:
- Visual inspection — does this page look like a login screen for a brand it has no right to imitate?
- Structural analysis — what do the page’s components, scripts and forms actually do? A full “x-ray” of the page can reveal credential-harvesting behaviour a screenshot can’t.
- Live context — how old is the domain? Does it match the brand it’s presenting? Brand-new domains imitating established services are a strong signal.
This is the approach SafeToOpen Browser Security takes. Because it inspects the page as it renders in the browser — rather than waiting for a blocklist — it can flag a phishing page that was created moments ago and has never been seen anywhere else.
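The structural and live-context checks from the list above can be combined into a simple per-page scorer. This is an added example, not SafeToOpen's implementation; the brand list, the 30-day age threshold, the signal names and the sample page are constructed assumptions, and the visual check is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values: brand -> domains entitled to show its login page.
BRANDS = {"examplebank": {"examplebank.com"}}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "brand-new"
SAMPLE_HTML = ('<title>Example Bank - Sign in</title><form action='
               '"https://collector.invalid/post"><input type="password"></form>')

class FormScan(HTMLParser):
    """Structural pass: form targets, password fields, page text."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password, self.text = [], False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data.lower())

def one_char_off(a, b):
    # Same length, exactly one substituted character (e.g. "l" -> "1").
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def assess(url, html, domain_age_days):
    """Return the list of signals raised by one page load."""
    host = (urlparse(url).hostname or "").lower()
    scan = FormScan()
    scan.feed(html)
    text = "".join(scan.text).replace(" ", "")
    signals = ["new-domain"] if domain_age_days < NEW_DOMAIN_DAYS else []
    for brand, domains in BRANDS.items():
        if host in domains or any(host.endswith("." + d) for d in domains):
            return []  # served from the brand's own domain: nothing to flag
        if brand in text:
            signals.append("brand-mismatch")
        if any(one_char_off(host, d) for d in domains):
            signals.append("lookalike-domain")
    if scan.has_password:
        signals.append("password-form")
        if any(urlparse(a).hostname not in (None, host) for a in scan.actions):
            signals.append("off-site-form-action")
    return signals

def is_suspect(signals):
    """Flag a credential form that borrows a brand the host does not own."""
    return "password-form" in signals and bool(
        {"brand-mismatch", "lookalike-domain"} & set(signals))
```

None of these checks consults a blocklist, so a domain registered minutes ago is scored the same way as one seen before.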
The takeaway
Blocklists are still useful — they cheaply stop the huge volume of known threats. But they have a structural blind spot for anything new, and attackers have built their entire model around exploiting it. Closing that gap takes a layer that evaluates each page on its own merits, in real time. That’s the difference between knowing a threat is bad and being able to tell.