What is SecureLint and how does it work?

SecureLint is a Chrome extension that runs entirely in your browser. It scans text you type or paste into any web editor in real time, detects sensitive data (API keys, passwords, tokens, credentials), and masks it before it can leak. It also blocks phishing sites using a 14-layer detection engine before the page fully loads.

Is my data ever sent to a server?

For individual users — no. All detection, masking, and phishing checks happen 100% locally inside your browser. No page content, typed text, or detected secrets are ever transmitted to any server. For Enterprise users, masked incident reports (never raw secrets) can be sent to your organization's admin dashboard only when explicitly enabled by your IT admin.

Does SecureLint work on all websites?

Yes. SecureLint works across all websites — standard inputs, textareas, contenteditable elements, and rich text editors like CodeMirror, Monaco, Ace, TinyMCE, CKEditor, and popular productivity tools like Gmail, Slack, Notion, ChatGPT, and more.

How does phishing detection work?

SecureLint uses a 14-layer engine: bloom filter, URL heuristics, homograph/IDN analysis, typosquat detection, WHOIS domain-age check, SSL certificate validation, Google Safe Browsing, and page-content scanning for credential-harvesting language. If Google Safe Browsing confirms the site is safe, the site is automatically unblocked — no false positives.

What types of secrets does SecureLint detect?

SecureLint detects 100+ secret types including AWS, GCP, and Azure credentials; JWT tokens; OAuth access and refresh tokens; database connection strings (MongoDB, Redis, MySQL, PostgreSQL); private keys and certificates (RSA, EC, PGP); Stripe, Slack, and GitHub API keys; SSNs, Aadhaar numbers, and credit card patterns.

Is SecureLint free to use?

SecureLint is a paid product with Pro and Enterprise plans. The Pro plan is designed for individual developers and security professionals, while Enterprise is built for IT and security teams needing full DLP, admin dashboard, and SLA-backed support. Both plans can be activated instantly from securelint.in.

Can I switch plans or cancel anytime?

Yes. You can upgrade, downgrade, or cancel your subscription at any time from your dashboard. If you cancel, your Pro or Enterprise features remain active until the end of your current billing period.

What payment methods are accepted?

For Indian users we accept all major UPI apps (PhonePe, GPay, Paytm), credit and debit cards, and net banking via Razorpay. For international users we accept PayPal and Google Pay.

Does SecureLint check SSL certificates in real time?

Yes. SecureLint performs a real-time SSL/HTTPS certificate check on every page you visit. If the certificate is expired, self-signed, or the site is running on plain HTTP for a login or payment page, SecureLint raises an immediate alert so you never enter credentials on an insecure connection.

How does the domain age alert work?

Phishing sites are almost always newly registered — often less than 7 days old. SecureLint queries WHOIS data in real time and flags any site where the domain was registered recently, showing you the exact registration date before you interact with the page.

Is SecureLint a VAPT tool?

SecureLint performs a continuous, passive VAPT-style real-time scan directly in your browser. It detects exposed credentials, weak SSL, suspicious domains, phishing indicators, XSS attempts, and clickjacking on every page you visit — without requiring any manual test setup. It is not a replacement for a full penetration test, but gives developers and security teams instant, always-on threat visibility.

What is real-time browser security scanning?

Real-time browser security scanning means SecureLint analyses every page you open, every URL you visit, and every input you type — instantly, before threats can cause damage. It checks for phishing indicators, exposed API keys, SSL validity, domain age, redirect chains, crypto drainers, and XSS payloads — all within milliseconds and entirely inside your browser.

How do I install SecureLint?

Visit the Chrome Web Store, search for 'SecureLint' or click the direct install link on securelint.in. Click 'Add to Chrome', confirm permissions, and SecureLint is active immediately — no account required for the free tier.

Does SecureLint slow down my browser?

No. SecureLint is engineered for sub-millisecond detection using optimised regex engines and a local bloom filter for phishing checks. It runs in a content-script context with minimal CPU and memory footprint — independent benchmark tests show less than 2 ms latency per scan cycle.

What is the Enterprise plan?

Enterprise is designed for IT and security teams. It adds centralized policy management, email DLP and send blocking, WAF and social-domain blocking, incident reporting, admin dashboard, and dedicated support with an SLA. Contact our sales team for pricing.

SecureLint Research Team

VAPTLabs Security Research

Jun 12, 2026·8 min read

Real-Time Phishing Email Detection: How SecureLint Scans Every Message Before You Click

A carefully crafted phishing email lands in your inbox. The sender name looks familiar. The logo matches. The call-to-action is urgent. You click the link before your brain has time to run the checks your eyes skipped. That moment — between seeing the email and clicking the link — is where SecureLint operates.

SecureLint's phishing detection engine analyses every email you open in Gmail and Outlook Web in real time, computing a 0–100 trust score from 14 independent threat signals. High-risk emails get a red warning banner before you can click any link. Low-trust links trigger an interstitial popup the moment you click them.

Why email phishing still succeeds in 2026

Email authentication standards (SPF, DKIM, DMARC) have existed for over a decade — yet phishing remains the leading initial access vector in over 80% of breaches. The reason is that sophisticated attackers have adapted:

Lookalike domains — Registering paypa1.com or micro-soft.com and sending emails that pass SPF and DKIM on those domains
Compromised legitimate accounts — Sending phishing emails from a real colleague's hacked account, which passes all authentication checks
Link redirectors — Embedding links through legitimate services (Google Docs, OneDrive, Dropbox) that redirect to phishing pages only after email gateway scanning
Zero-day phishing kits — Purpose-built pages that use valid SSL certificates, legitimate-looking UI, and are hosted on domains registered within the last 24 hours

SecureLint's 14-signal email analysis

Each email is scored across 14 independent signals, grouped into four categories:

Authentication signals — SPF pass/fail, DKIM signature validity, DMARC policy enforcement (none / quarantine / reject)
Sender identity signals — Display name vs. envelope sender mismatch, reply-to address mismatch, sender domain age (domains younger than 30 days are high-risk), brand impersonation pattern matching against 500+ known brands
Link signals — Each link URL is scored for domain reputation, SSL certificate age, redirect chain depth, URL encoding obfuscation, and homograph / IDN substitution attacks
Content signals — Attachment MIME type risk, phishing keyword density (urgency language, credential request patterns, account suspension threats), and known phishing template fingerprints

SPF, DKIM, and DMARC: what they check and what they miss

These three standards form the baseline of email authentication — but each has blind spots that SecureLint's additional signals are designed to cover.

SPF (Sender Policy Framework) checks whether the sending mail server is authorized to send on behalf of the domain in the email envelope. It does not check the From header visible to the user, which is why display name spoofing is still possible even with a passing SPF record.
DKIM (DomainKeys Identified Mail) verifies that the email was cryptographically signed by the claimed domain. A passing DKIM signature means the email was not tampered with in transit — but it says nothing about whether the sending domain itself is malicious.
DMARC (Domain-based Message Authentication) ties SPF and DKIM together and specifies what the receiving server should do with failures. A DMARC policy of p=none provides reporting but no protection. Only p=quarantine or p=reject actually block spoofed emails.

SecureLint surfaces all three signal results in a compact header badge on each email — a green tick for pass, an amber warning for soft-fail or p=none, and a red badge for outright failure. These are displayed horizontally alongside the sender name so you can see authentication status without opening any panel.

Real-time link threat scoring

Every link in an email body is scored before you click it. SecureLint checks:

Domain age — Domains registered within 30 days of the email date are flagged as high-risk. Most phishing infrastructure is burned and replaced within weeks.
SSL certificate age — A certificate issued within 72 hours of the email is a strong phishing signal.
Brand impersonation — The domain is checked against patterns for 500+ major brands. paypal-security-verify.com triggers a brand impersonation flag even though it passes SSL.
Redirect chain depth — Phishing links often chain through two or three redirectors to bypass gateway scanning. SecureLint flags links with redirect chains longer than two hops.
IDN homograph attacks — Unicode lookalike characters (е vs e, а vs a) are normalised and checked for brand impersonation.

Attachment risk fingerprinting

SecureLint does not download attachments for scanning (that would require server-side processing). Instead, it fingerprints the attachment metadata visible in the email DOM:

MIME type vs. file extension mismatch (e.g., a .pdf with an application/exe MIME type)
High-risk file extensions: .exe, .js, .vbs, .wsf, .hta, .iso, .lnk
Password-protected archives (common phishing technique to bypass content scanning)
Office documents with macro-enabled extensions (.xlsm, .docm)

The 0–100 trust score

All 14 signals are combined into a single 0–100 trust score, displayed as a colour-coded gauge on each email:

80–100 (Green) — All authentication signals pass; no threat indicators detected. Safe to interact with.
50–79 (Amber) — Some signals are suspicious. Review before clicking any links.
0–49 (Red) — Multiple high-risk signals detected. SecureLint displays a warning banner and blocks link clicks pending your confirmation.

Setting up phishing detection in SecureLint

✅Install SecureLint from the Chrome Web Store.
✅Open Gmail or Outlook Web — phishing detection activates automatically with no configuration.
✅Open any email. A trust score badge appears next to the sender name within one second of the email rendering.
✅Hover any link in the email body to see its per-link risk score before clicking.
✅For red-scored emails, SecureLint displays a full-width warning banner with a breakdown of each failing signal.

Frequently asked questions

Which email clients does SecureLint phishing detection work in?

SecureLint works inside Gmail (mail.google.com) and Outlook Web (outlook.live.com, outlook.office.com). It reads the rendered email content and header metadata directly from the DOM — no email forwarding or server-side access required.

What is the trust score and how is it calculated?

The trust score is a 0–100 composite score calculated from 14 signals: SPF pass/fail, DKIM validity, DMARC policy, sender domain age, brand impersonation matching, link domain reputation, SSL certificate age, redirect chain depth, URL encoding obfuscation, attachment MIME risk, sender name spoofing, reply-to mismatch, and phishing keyword density.

Does SecureLint read the content of my emails?

SecureLint reads the rendered HTML of emails displayed in your browser to extract sender metadata, link URLs, and attachment types. This analysis runs entirely locally in the browser extension. No email content, sender addresses, or URLs are transmitted to SecureLint servers.