Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

Safe Links / Wrapped URL Decoder - Unwrap Protected Email Links

Wrapped URL decoder

Reveal the original destination

Paste wrapped URL

Strip tracking parameters

Decoded destination

Provider

Microsoft Safe Links

Steps

Final host

example.com

Clean URL

https://example.com/login

Inspect URL Generate QR

Unwrap chain

1. Microsoft Safe Links

local decode

Extracted url= redirect parameter.

https://example.com/login?utm_source=email

Signals

Wrapped URL decoded

1 wrapper removed without visiting the link.

Guide: Safe Links / Wrapped URL Decoder

Back to tool

What is this tool?

A Safe Links decoder unwraps email security and redirect URLs to reveal the destination embedded inside the link. Paste a Microsoft Defender Safe Links URL, Proofpoint URL Defense link, Google redirect URL, or generic wrapped URL and the tool extracts the original target without visiting it.

Use it as an Outlook Safe Links decoder, Proofpoint URL Defense decoder, protected email link decoder, or wrapped redirect URL decoder when you need to understand where a suspicious or noisy link is pointing before opening it. The decoder runs in your browser, so the pasted URL is analyzed as text rather than fetched from the network.

Common use cases

Use case	What to check
Phishing triage	Reveal the real host, scheme, query parameters, and warning signals.
Help desk tickets	Turn a long protected email link into a readable destination for review.
Incident response	Copy the unwrapped URL into a separate URL analysis workflow without clicking it.
Marketing link cleanup	Remove tracking parameters from benign redirect URLs before sharing them.

Supported wrappers

Wrapper	How it is decoded
Microsoft Safe Links	Extracts the embedded `url` parameter.
Proofpoint URL Defense	Decodes query-param and v3 path payload formats locally.
Google, Facebook, LinkedIn redirects	Reads common redirect params such as `url`, `u`, and `q`.
Generic wrapped URLs	Searches common params like `target`, `redirect`, and `destination`.

Wrapper patterns and examples

Most wrapped URLs hide the target in a predictable place: a query parameter, a path payload, or a nested redirect URL. The examples below show the common shapes this tool looks for when decoding safe links and protected URLs.

Pattern	Embedded target
https://*.safelinks.protection.outlook.com/?url=...	The percent-encoded value of `url`.
https://urldefense.proofpoint.com/v2/url?u=...	The Proofpoint-escaped value of `u`.
https://urldefense.proofpoint.com/v3/__...__	The encoded path between double underscores.
https://www.google.com/url?q=...	The redirect destination in `q` or another known parameter.

Redirect parameter reference

Many wrapped links are ordinary redirect URLs with a destination parameter. Spoold checks common names including url, u, q, target, destination, redirect, link, continue, next, and r.

The decoder also handles nested wrappers. For example, if a Microsoft Safe Links URL points to a Google redirect URL, the tool can remove both wrappers and show the final destination with the unwrap chain.

Decode Microsoft Safe Links

Microsoft Safe Links commonly rewrites email URLs through domains like safelinks.protection.outlook.com. The original destination is usually stored in the url query parameter, percent-encoded. This tool decodes that parameter and shows the clean destination. This is useful for searches like safelinks.protection.outlook.com decode, decode Safe Links URL, and Outlook protected link decoder.

Decode Proofpoint URL Defense

Proofpoint URL Defense can wrap the target in a query parameter or in a v3 path section between double underscores. The decoder handles the common -3A hex escapes and underscore slash substitution used by Proofpoint-wrapped links.

Mimecast and short-token limits

Some email security products do not embed the original URL in the link. They store a short token that must be resolved by the vendor service. This tool will flag those links instead of visiting them, because the safe behavior is local decoding only.

Tracking parameter cleanup

After unwrapping, the tool can remove common tracking parameters such as utm_source, utm_campaign, fbclid, and gclid. The unstripped URL remains available when you need the exact original destination.

Signal reference

The decoder shows lightweight URL signals to help you decide what to inspect next. These are not malware verdicts; they are structural clues from the final URL.

Signal	Meaning	Next check
Not HTTPS	The final destination uses an unencrypted or unexpected scheme.	Verify whether the sender should ever link to that scheme.
IP address destination	The URL points directly to an IP instead of a normal domain.	Check reputation and whether the IP matches the claimed brand.
Credentials in URL	The URL contains username or password data before the host.	Treat the display host carefully; credential syntax can mislead readers.
Punycode domain	The hostname contains encoded Unicode characters.	Look for brand impersonation or confusing lookalike characters.
Still looks wrapped	The final URL is still on a known redirect or protection domain.	Check whether the target is tokenized or needs vendor-side resolution.

When local decoding cannot work

Short links such as brand-owned redirectors may store the destination on a remote server.
Some Mimecast and security-gateway links use opaque tokens instead of embedding the original URL.
Some social or ad-click tracking links require a server-side redirect to discover the target.
Some links intentionally expire or require authentication before the vendor reveals the destination.

In those cases, a safe local decoder should say that the target is not embedded rather than clicking the link for you. Use a controlled security workflow or sandboxed URL analysis service when remote resolution is required.

Safe inspection workflow

Paste the full protected link, including query string and path.
Review the decoded destination, final host, and unwrap chain.
Compare the final host with the sender, brand, and expected business context.
Inspect query parameters, especially login paths, document IDs, redirects, and unusual tokens.
Copy the final URL into your approved investigation process instead of opening unknown links directly.

The decoder does not fetch, open, or follow the pasted URL.
Signals are warnings, not a malware verdict.
Watch for non-HTTPS destinations, IP address destinations, credentials in URLs, and punycode domains.
Use your organization's security process for suspicious email links.

FAQ

Does this click the link?

No. It only decodes URL text in your browser. It does not send a request to the wrapped or final destination.

Can it decode every Mimecast link?

No. If the target URL is stored behind a vendor token rather than embedded in the link, local decoding cannot reveal it.

Can it decode nested wrappers?

Yes. It recursively unwraps supported embedded redirects up to a small depth limit.

Why does the decoded URL still look like a redirect?

Some URLs contain multiple redirect layers or store the target behind a token. The tool removes locally visible layers and flags cases where the final target is still hidden.

What is the difference between clean and unstripped URLs?

The clean URL removes common tracking parameters. The unstripped URL keeps the exact decoded destination for investigations where every parameter matters.

Is this a phishing scanner?

No. It is a URL decoder and inspection helper. It reveals the destination and structural signals, but it does not classify the link as safe or malicious.

Similar tools

For a deeper breakdown of the final destination, open it in the URL Inspector.