Systems and methods are described for detecting compromised web pages and domains by analyzing of elements of hypertext markup language (HTML) files of a domain. In one embodiment, a security service receives a request including a potentially malicious uniform resource locator (URL) and retrieves a first HTML file to which the potentially malicious URL points and a second HTML file to which a host URL corresponding to the potentially malicious URL points. The security service determines whether the potentially malicious URL is a malicious URL by comparing features of the first HTML file to corresponding features of the second HTML file and when a similarity value resulting from the comparing is less than a threshold, then the security service concludes that the first HTML file was created by a malicious actor and responds to the request with an indication that the potentially malicious URL is a malicious URL.