
URL Churn

Rapid creation, rotation, or abandonment of web addresses to make blocking and detection harder.

URL churn is the rapid creation, rotation, redirection, or abandonment of web addresses to make blocking and detection harder. In phishing and malware campaigns, attackers use many short-lived URLs instead of one stable site, so when defenders block a link or a host, the next one is already active. This makes simple blacklists less effective and increases the workload for abuse-response teams.

In real attacks, URL churn is common in phishing-as-a-service, spam, and credential theft operations. Attackers may reuse the same templates while constantly changing domains, subdomains, paths, or redirects to evade reputation systems and takedowns. Defenders respond by tracking infrastructure patterns, not just individual links: repeated redirect chains, shared hosting, registration trends, and clusters of URLs can reveal a larger campaign. Strong email filtering, web telemetry, and phishing-resistant MFA help reduce the damage when churn is used to deliver fake login pages.
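An added example, not part of the original entry: one way to track infrastructure patterns instead of individual links is to group observed URLs by features that tend to stay stable while hostnames rotate. The record layout, the `{id}` token heuristic, and the `min_hosts` threshold are assumptions; the sample events are constructed and use reserved example names and documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed telemetry: (observed URL, hosting IP, final redirect target).
SAMPLE_EVENTS = [
    ("https://login-a1.example/secure/auth/83hd72/index.php", "203.0.113.10", "https://collect.example/post"),
    ("https://acct-verify.example/secure/auth/k29s0x/index.php", "203.0.113.10", "https://collect.example/post"),
    ("https://portal-7x.example/secure/auth/9qq4m1/index.php", "203.0.113.10", "https://collect.example/post"),
    ("https://sso-check.example/Secure/Auth/zz81pa/index.php", "203.0.113.10", "https://collect.example/post"),
    ("https://docs.example/guide/setup", "198.51.100.7", "https://docs.example/guide/setup"),
    ("https://shop.example/cart/12345/view", "198.51.100.20", "https://shop.example/cart/12345/view"),
]

# Assumed heuristic: an alphanumeric segment of 5+ characters containing a digit
# is treated as a per-link random token rather than part of the kit's layout.
TOKEN = re.compile(r"^(?=.*\d)[a-z0-9]{5,}$", re.I)

def path_template(url):
    """Reduce a URL path to its template by masking random-looking segments."""
    segments = urlsplit(url).path.strip("/").split("/")
    return "/" + "/".join("{id}" if TOKEN.match(s) else s.lower() for s in segments)

def fingerprint(url, ip, final_target):
    """Features that usually survive churn: path template, hosting IP, redirect endpoint."""
    return (path_template(url), ip, urlsplit(final_target).hostname)

def find_churn_clusters(events, min_hosts=3):
    """Return fingerprints shared by at least min_hosts distinct hostnames."""
    hosts_by_fp = defaultdict(set)
    for url, ip, final_target in events:
        hosts_by_fp[fingerprint(url, ip, final_target)].add(urlsplit(url).hostname)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for fp, hosts in find_churn_clusters(SAMPLE_EVENTS).items():
        print(f"possible churn cluster {fp}: {len(hosts)} hostnames -> {hosts}")
```

A hit is a lead for analyst review, not a verdict: legitimate sites on shared hosting can also share a path layout, so the threshold and features need tuning against local traffic.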
