DFIRLab

© 2026 DFIR Lab. All rights reserved.


Link-Display Mismatch

A phishing technique where the visible anchor text of an HTML email hyperlink shows a different URL than the actual href destination the user is sent to on click.

Definition

In HTML email, a hyperlink consists of an anchor element with an href attribute (the actual destination) and inner text or image content (what the user sees). A link-display mismatch occurs when the visible text contains a URL that differs from the href value, exploiting the user's assumption that the two are identical. This is a fundamental HTML capability that requires no technical sophistication to abuse and is not blocked by standard mail filtering without explicit URL comparison logic.

Why It Matters

Link-display mismatches are among the most effective phishing techniques because they defeat visual URL inspection, which is a primary defense users are trained to apply. A message displaying https://microsoft.com in its link text but linking to a credential-harvesting page on an attacker-controlled domain will bypass user scrutiny in all but the most careful examinations. This technique is also used in combination with URL shorteners and open redirects to further obscure the true destination.

How It Works

The attacker composes an HTML email with anchor elements where the href points to a malicious domain while the text node contains a legitimate-looking URL. When rendered in an email client, only the text is visible; the href is only exposed on hover or click. Detection requires parsing the HTML body of the message, extracting all anchor href values, and comparing them against any URL-formatted strings in the corresponding text nodes. This comparison must account for legitimate cases where mismatches are expected: URL shorteners (bit.ly, t.co), email tracking redirects, and security rewriting services such as Microsoft Defender for Office 365 SafeLinks or Proofpoint URL Defense, which wrap the original URL in a proxy. Effective analysis resolves shortened and rewritten URLs to their final destinations before rendering a verdict.
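The comparison described above, as an added example (not DFIRLab's own code): it parses a constructed HTML body, unwraps a SafeLinks wrapper, and defers shortener links instead of judging them. The function names, the sample message, and the rule that a subdomain of the displayed host counts as a match are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SHORTENERS = {"bit.ly", "t.co"}  # the shorteners named above; extend as needed
URL_IN_TEXT = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
SAMPLE = (  # constructed message body for the demonstration
    '<a href="https://login.attacker.example/x">https://microsoft.com</a>'
    '<a href="https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmicrosoft.com&amp;data=x">www.microsoft.com</a>'
    '<a href="https://bit.ly/abc">https://microsoft.com</a>'
    '<a href="https://other.example/">Click here</a>')

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Effective host; a SafeLinks wrapper is replaced by its ?url= original."""
    p = urlsplit(url if "://" in url else "http://" + url)
    if (p.hostname or "").lower().endswith(".safelinks.protection.outlook.com"):
        p = urlsplit(parse_qs(p.query).get("url", [url])[0])
    return (p.hostname or "").lower().removeprefix("www.")

def check_links(html_body):
    parser, results = AnchorCollector(), []
    parser.feed(html_body)
    for href, text in parser.anchors:
        shown = URL_IN_TEXT.search(text)
        if shown:  # only URL-shaped link text can be compared
            shown_host, target = host_of(shown.group()), host_of(href)
            if target in SHORTENERS:
                verdict = "resolve-first"  # expand before rendering a verdict
            elif target == shown_host or target.endswith("." + shown_host):
                verdict = "match"  # assumption: subdomains of the shown host pass
            else:
                verdict = "mismatch"
            results.append((shown_host, target, verdict))
    return results
```

A production check would compare registrable domains using the Public Suffix List and follow shortener redirects in a sandboxed resolver before deciding.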

DFIR Platform

Phishing Email Checker

The Phishing Email Checker compares displayed text URLs against actual href targets in HTML email bodies, accounting for URL shorteners, tracking redirects, and legitimate CDN rewrites such as Outlook SafeLinks.


Related Concepts

Phishing Analysis, Credential Harvesting, Homoglyph Domains
