According to SANS ISC, open redirects are still being exploited in phishing campaigns. The researchers note that, while an open redirect is not high-impact on its own, it lends a phishing message credibility (the visible link points at a trusted domain) and helps it slip past some detection. In the first quarter of 2026, redirect-based phishing accounted for a little over 21% of all analysed messages, with 32% in January, 18% in February and 16.5% in March, based on a sample of just over 350 messages.
The analysis counted a message as a redirect sample if it contained at least one redirect, and it recognised that not every redirect mechanism was a classic open redirect: the samples ranged from Google-style token-based redirects to tracking or logout endpoints and URL shorteners. The Google-style redirects are not fully open, since they require a valid token, but a valid token is reusable and can therefore be recycled across phishing campaigns.
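The counting rule above (a message is a redirect sample as soon as one of its links carries a redirect) can be reproduced with a simple heuristic: flag any URL whose query string contains a parameter whose value is itself an absolute or scheme-relative URL. The script below is an added example, not SANS ISC's tooling; the messages are constructed for illustration and are not taken from the ISC data set. It deliberately ignores token-based and shortener redirects, which cannot be recognised from the URL alone.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Plain http(s) links in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed sample messages (illustrative, not real phishing samples).
SAMPLE_MESSAGES = [
    "Your mailbox is full. Review: https://legit.example/redirect?url=https%3A%2F%2Fevil.example%2Flogin",
    "Invoice attached. https://www.example.com/docs/invoice.pdf",
    "Click https://tracker.example/click?u=//evil.example/verify to confirm",
    "Meeting notes: https://intranet.example/page?id=42",
]


def embedded_urls(url):
    """Return query-parameter values of `url` that are themselves URLs.

    parse_qsl percent-decodes each value, so `url=https%3A%2F%2F...` is seen as
    `https://...`. A value starting with `//` is scheme-relative and resolves to
    another host just as an absolute URL would, so it is flagged as well.
    """
    query = urlsplit(url).query
    found = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        candidate = value.strip()
        if candidate.lower().startswith(("http://", "https://", "//")):
            found.append(candidate)
    return found


def is_redirect_url(url):
    return bool(embedded_urls(url))


def extract_urls(text):
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def classify_messages(messages):
    """One record per message; `is_redirect_sample` follows the ISC rule of
    'at least one redirect link in the message'."""
    results = []
    for msg in messages:
        urls = extract_urls(msg)
        redirects = [u for u in urls if is_redirect_url(u)]
        results.append({
            "urls": urls,
            "redirects": redirects,
            "is_redirect_sample": bool(redirects),
        })
    return results


def redirect_share(messages):
    """Fraction of messages counted as redirect samples (0.0 for an empty set)."""
    if not messages:
        return 0.0
    hits = sum(r["is_redirect_sample"] for r in classify_messages(messages))
    return hits / len(messages)


if __name__ == "__main__":
    for record in classify_messages(SAMPLE_MESSAGES):
        print(record)
    print(f"redirect share: {redirect_share(SAMPLE_MESSAGES):.1%}")
```

On the four constructed messages, two are flagged, giving a 50% share. Real mail needs URL extraction from HTML (`href` attributes, not just visible text), and the heuristic will miss redirects that hide the target behind a token, a shortener or a path segment rather than a query parameter, which is exactly the gap the ISC analysis points out.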
The author's recommendation is that applications avoid exposing redirection endpoints at all or, where redirection is genuinely needed, monitor and restrict it to guard against abuse. In practice, restricting means validating the target against an allowlist of local paths or trusted hosts rather than forwarding whatever URL the client supplied, and logging the rejections so that abuse attempts are visible.
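As an added example of the "restrict and monitor" advice (this is illustrative code, not from SANS ISC or any particular framework), the function below shows the classic open-redirect handler next to a hardened version. The allowlisted hosts, the base origin and the logger name are assumptions. The hardened version resolves the supplied value against the application's own origin, so a local path stays local while scheme-relative, userinfo-prefixed and non-http targets are rejected and logged.

```python
import logging
from urllib.parse import urlsplit, urljoin

# Assumptions for the example: the application's own origin and the hosts it may send users to.
BASE_ORIGIN = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
DEFAULT_TARGET = "/"

log = logging.getLogger("redirect-guard")  # assumed logger name


def unsafe_redirect_target(next_param):
    """The 'before': whatever the client put in ?next= is used verbatim.
    This is the classic open redirect the phishing campaigns rely on."""
    return next_param


def safe_redirect_target(next_param, base=BASE_ORIGIN):
    """Return a redirect target that is either local or on an allowlisted host,
    otherwise the default landing page. Rejections are logged for monitoring."""
    if not next_param:
        return DEFAULT_TARGET

    # Control characters and backslashes are rejected outright: some browsers
    # normalise '\' to '/', which turns '/\evil.example' into a scheme-relative URL.
    if "\\" in next_param or any(ord(c) < 0x20 for c in next_param):
        log.warning("redirect rejected (bad characters): %r", next_param)
        return DEFAULT_TARGET

    # Resolve relative to our own origin. '/account' becomes
    # https://app.example.com/account, while '//evil.example/x' resolves to
    # https://evil.example/x and is then caught by the host check.
    resolved = urlsplit(urljoin(base, next_param))

    if resolved.scheme not in ("http", "https"):
        log.warning("redirect rejected (scheme %s): %r", resolved.scheme, next_param)
        return DEFAULT_TARGET

    # 'https://app.example.com@evil.example/' parses with our host as the
    # userinfo and evil.example as the real host; never allow credentials here.
    if resolved.username is not None or resolved.password is not None:
        log.warning("redirect rejected (userinfo): %r", next_param)
        return DEFAULT_TARGET

    if resolved.hostname not in ALLOWED_HOSTS:
        log.warning("redirect rejected (host %s): %r", resolved.hostname, next_param)
        return DEFAULT_TARGET

    return resolved.geturl()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for value in ["/account?tab=1", "//evil.example/login", "https://evil.example/login",
                  "https://app.example.com@evil.example/", "javascript:alert(1)", "/\\evil.example"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

A stricter variant removes the client-supplied URL entirely: the application stores the intended destination server-side and hands the client an opaque identifier, which is the indirection the "avoid exposing redirection endpoints" advice ultimately points at. Note that the allowlist check is on the parsed hostname, not on a string prefix, so `app.example.com.evil.example` and `app.example.com@evil.example` are both rejected.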