diff --git a/src/safelinks.js b/src/safelinks.js
index d33689b7..747f249d 100644
--- a/src/safelinks.js
+++ b/src/safelinks.js
@@ -2,4 +2,4 @@
 // https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
 const inputUrl = new URL(`http://${process.argv[2]}`)
 const outputUrl = new URL(inputUrl.searchParams.get('url'))
-console.log(outputUrl.hostname)
+console.log(`${outputUrl.host}${outputUrl.pathname}${outputUrl.search}`)
diff --git a/src/script.sh b/src/script.sh
index b7e02aef..f9978801 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -219,7 +219,13 @@ while read URL; do
     cut -f 1 -d ":" >> "phishing-subdomains.txt"
   elif test "${URL#*safelinks.protection.outlook.com}" != "$URL"; then
     ## Parse hostname from O365 safelink
-    echo $(node "../src/safelinks.js" "$URL") >> "phishing-notop-domains-temp.txt"
+    SAFELINK=$(node "../src/safelinks.js" "$URL")
+    if grep -Fq "$SAFELINK" "top-1m-well-known.txt"; then
+      echo "$SAFELINK" >> "phishing-url-top-domains-temp.txt"
+    else
+      echo "$SAFELINK" | \
+      cut -d"/" -f1 >> "phishing-notop-domains-temp.txt"
+    fi
   else
     ## Parse phishing URLs from popular domains
     echo "$URL" | \