Keepnet Labs Logo
Keepnet Labs > blog > step-by-step-phishing-email-analysis

Step by Step Phishing Email Analysis

Learn how to spot phishing emails that trick you into giving away personal info. Our guide shows you easy steps to analyze emails to spot phishing malicious emails. Start protecting your inbox from hackers today with our simple tips.

Step by Step Phishing Email Analysis

Email-based threats, including phishing attacks, malware, ransomware, and other cyber threats, pose a significant concern for organizations. These threats are increasingly prevalent and can cause substantial damage.

However, enterprise email security measures are not always sufficient. Office 365, Google Workspace, and Secure Email Gateways may not detect or prevent threats effectively.

Recent studies underscore this issue, revealing that these security measures miss up to 82% of soft threats. Consequently, organizations continue to face substantial risks of attacks.

Effective email analysis is crucial to detecting and preventing email-based threats. Organizations should establish robust email security protocols and educate their employees on how to spot potential threats. AI and machine learning can automate email analysis, reducing response time to cyber threats. How to Analyze a Phishing Email?

It's essential to analyze phishing emails into three parts: Header, Body, and Attachment. This way, you can identify phishing attacks and protect against cyber-attacks. Let's delve into each part to understand their significance and how to analyze them effectively.

What is Phishing Email?

Phishing emails are deceptive messages aimed at stealing sensitive information. Email Phishing Analysis is important for identifying these threats. It involves a detailed Phishing Email Analysis Process, where you scrutinize the email's sender, content, and links or attachments.


A thorough Phishing Email Analysis Report documents these findings, highlighting potential risks and necessary actions. Phishing email analysis includes verifying the sender's identity, examining the message's tone, and cautiously inspecting any links or attachments.

Knowing how to do phishing email analysis is key to protecting yourself from cyber threats. It combines technical inspection with awareness of phishing strategies, empowering individuals and organizations to detect and prevent these malicious attacks.

Step By Step Phishing Email Analysis

Analyzing phishing emails is a complex and time-consuming task. Gartner reports that analyzing each email takes an average of 2 hours and 45 minutes. This lengthy process is primarily due to the intricate steps involved in analysis.


To make sure an email is safe to open, there are several steps you can take. These include checking the email is real, carefully looking at any links or attachments, and figuring out who sent the email and why.

Such a comprehensive phishing analysis requires highly skilled professionals in various security tools and technologies. Unfortunately, this complexity often leads to delays in response by IT administrators. As a result, the average time to handle an incident can extend to approximately 70 days.

To ensure an email's safety, check if it's real. Confirm that the sender is genuine. Next, examine any attachments and links for malware or phishing risks. Finally, understanding the email's origin and purpose is vital for evaluating its trustworthiness.

The financial implications of email-related security breaches are significant. The IBM Data Breach report highlights that the average cost of a single data breach is around $3.86 million. This figure encompasses various expenses for investigations, remediation, lost productivity, revenue loss, and legal fees.

Let’s explore this process in three main subjects:

Header for Phishing Email Analysis

Phishing email analysis steps start with analyzing the header in a phishing email.

In the header, some red flags could indicate a suspicious or phishing email:

  • Mismatched Email Addresses: Check if the sender's email address matches the name and domain. A discrepancy here is a common indicator of phishing attempts.
  • Spam IP Addresses: Look at the IP address in the 'Received from' field. If the sender's IP address differs from the company they claim to be from, that's a red flag.
  • Suspicious 'Reply-To' Address: A 'Reply-To' address that differs from the sender's address in an email could be a trick to send responses to a harmful person
  • Authentication-Results: Look for DKIM, SPF, and DMARC authentication results. Failure in these checks often points to phishing.
  • Fake Headers: Phishers add fake headers like X-Virus-Scan: Clean to their phishing email to look more legitimate.

You can identify potential threats and prevent malicious activities by closely examining these elements in the email header. Remember, a thorough header for the phishing email analysis process is the first step in evaluating the email.

Phishing Email Body Analysis

After checking the email header, the next critical part to examine is the Body. The email body displays the message and may show several warning signs of phishing or malicious intent.


When analyzing the body of a phishing email, pay attention to the following red flags:

  • Urgent or Threatening Language: Phishing emails often create a sense of urgency or fear. Look for language that pressures the recipient to act quickly, such as threats of account closure or legal action.
  • Unsolicited Requests for Sensitive Information: Legitimate organizations typically don't ask for personal or financial information via email. Be wary of emails requesting passwords, account numbers, or other sensitive data.
  • Mismatched URLs: Hover over any links in the email (without clicking) to see the actual URL. If the URL doesn't match the context of the email or appears suspicious, it's a red flag.
  • Spelling and Grammar Mistakes: Professional emails are usually well-written. If an email has many spelling and grammar mistakes and claims to be from a well-known organization, it might be a phishing attempt.
  • Inconsistencies in Email Formatting: Look for unusual formatting, such as mismatched fonts, odd spacing, or low-quality logos. These inconsistencies suggest that the email is from a different source.
  • Generic Greetings or Signatures: Phishing emails often use generic greetings like "Dear Customer" instead of your name. Similarly, vague or missing signatures can also be a warning sign.
  • Unusual Attachments: Be wary of emails containing unexpected attachments, particularly executable (.exe) or compressed (.zip, .rar) files. These can contain malware.
  • Embedded Forms: Emails that contain forms asking for personal or financial information are highly suspicious. Legitimate organizations usually direct you to a secure website for such transactions.

Phishing Email Attachment Analysis

Attachment is the final key component to scrutinize in an email phishing analysis. Attachments can be dangerous as they may contain malware or viruses that can compromise your system's security.

Here’s the phishing email analysis process for attachments:


Checking Attachments for Red Flags

Attachments are often the most dangerous part of phishing email samples. Following these best practices can reduce the risk of falling prey to malware, Ransomware or other cyber threats.

  • Unexpected File Types: Exercise caution with file types often used to deliver malware, like .exe, .scr, .zip, or .rar. Legitimate organizations seldom send these types of files through email.
  • Mismatched File Names and Content: Ensure that the file name matches the content it claims to hold. For example, a file named 'Invoice.pdf.exe' is a major red flag.
  • Multiple File Extensions: Watch out for files with double extensions, as it's a common trick to disguise malicious files as harmless.
  • Size and Nature of the File: If an attachment is unusually large or doesn't match the email's context, it could signal a phishing attempt.
  • Unsolicited Attachments: It's important to be careful about opening attachments from unfamiliar senders or that come unexpectedly. This is especially true if the email presses or scares you into opening them.
  • Use of Password-Protected Files: Cybercriminals may use password-protected files to bypass antivirus software. Be suspicious if the email contains a password for opening an attached file.

Keepnet’s Phishing Analysis Solution

The best option is to automate phishing analysis processes. By automating phishing email analysis, IT admins detect, analyze, and respond to phishing threats 187x faster!

Keepnet automates phishing email analysis, reducing the time by 95% and increasing the detection rate to 99%, thanks to 20+ integrations. Keepnet's Incident Responder integrates with 20+ phishing analysis engines like Forti Sandbox, Vmray, Virustotal, Google Webrisk, Safebrowsing, Zen Spamhaus, and others. Keepnet's Incident Responder product analyzes phishing emails in under 2 minutes.

Please watch the video below and learn how to analyze an email in 2 minutes.

A Real-World Phishing Analysis Use Case

This table will explore a real example of a phishing email analysis. This practical example will help you understand how to do a phishing analysis:

StepActionTools/Platforms UsedOutcome
1Employee reports a suspicious emailPhishing ReporterIncident initiation
2Incident Responder analyzes the emailOver 20 analysis engines including Forti Sandbox, Virustotal, Google SafebrowsingEmail confirmed as phishing in under 2 minutes
3Module confirms the email as phishingKeepnet Incident ResponderConfirmation of phishing threat
4SOC team is informed; reporter thankedKeepnet Phishing ReporterEnhanced team awareness; positive feedback loop established
5IOC data is shared for wider protectionIntegrates with Palo Alto Cortex, SplunkThreats blocked across the organization
6Automated scans of other employees' emailsScans cover Office 365 and Google WorkspaceAutomatic quarantine or deletion of detected threats
7SOC team conducts manual investigationsVarious indicators used for analysisThorough analysis completed in less than 5 minutes
8Email security is enhancedAI and machine learning solutions with 20+ engines and multiple integrationsStreamlined forensics and responses, reduced risk of data breaches

Table 1: A Real-World Phishing Analysis Use Cases



Schedule your 30-minute demo now!

You'll learn how to:
tickEnable your SOC team to analyze reported phishing incidents 186x faster and respond 48x quicker.
tickUse over 20+ phishing analysis engines, including Sandbox, Antivirus, and Threat Intelligence for better protection.
tickGet a full report to see the return on investment: hours and money you saved!

Frequently Asked Questions

What is phishing email analysis?

arrow down

Phishing email analysis is looking closely at suspicious emails to find clues that they are fake. It helps you avoid phishing scams.

What are the first steps in analyzing a phishing email?

arrow down

Start by checking the sender's email address and the greeting. If they seem odd or too general, be cautious. Also, look at the email's overall tone.

Why is it important to check the email header in phishing analysis?

arrow down

The email header contains the path the email took to reach you. It can show if the email came from a suspicious source.

How do I view an email's header?

arrow down

The method varies by email service. Generally, look for options like “Show Original,” “Properties,” or “View Source” in the email settings or right-click menu.

Can I use online tools for phishing email analysis?

arrow down

Yes, there are online tools that let you check email headers and links for safety. They can help you see if an email is from a scammer.

How can I tell if a link in an email is safe without clicking it?

arrow down

Hover over the link with your mouse cursor (but don't click) to see the actual URL. If it looks suspicious or doesn't match the expected destination, don't click.

iso 27017 certificate
iso 27018 certificate
iso 27001 certificate
ukas 20382 certificate
Cylon certificate
Crown certificate
Gartner certificate
Tech Nation certificate