How to Use Phishing Inspector
Complete guide to analyzing emails with multi-layered security intelligence
Step 1: Get the Email Content
DESKTOP (Recommended for complete analysis): Get the complete email source including all headers. This is NOT a screenshot or a forwarded copy of the email. In Gmail, click the three-dot menu (⋮) and select "Show original". In Outlook, right-click and select "View Source" or go to File > Properties. In other clients, look for "View Source", "Show Original", or "Message Source" in the menu. The source should include headers like "Received:", "Authentication-Results:", "DKIM-Signature:", and "SPF:".
MOBILE (Limited analysis mode): If you cannot access the email source from your mobile device, you can still analyze emails using body-only mode. Copy the email content including: (1) sender information (From: email@example.com), (2) the subject line if visible, (3) the complete email body with all text and links. The system automatically detects body-only content and performs limited analysis. Note: mobile analysis has lower confidence and cannot check email authentication, IP reputation, or routing.
Step 2: Choose Your Analysis Method
You have three options:
• Paste Email Source (RECOMMENDED - Desktop): Copy the complete email source with all headers from your email client and paste it into the text area. Provides full analysis with all security checks.
• Upload EML File (Desktop): If your email client allows exporting as an .eml file (common in Outlook and Thunderbird), upload the file directly. EML files contain all necessary headers and content for complete analysis.
• Paste Email Body (Mobile/Limited): If accessing headers is not possible (mobile devices), paste the email body content. The system automatically detects "Body-Only Mode" and performs limited analysis focusing on content, URLs, and behavioral patterns. Include sender and subject information for better results.
Step 3: Start Multi-Layered Analysis
Click "Analyze" and watch the progress indicator as the system:
1. Validates content completeness (detects complete/partial/body-only mode)
2. Parses and normalizes email structure
3. Runs 2 independent AI models (Llama 3.1, Gemma 2) to detect phishing patterns
4. Verifies URLs with Google Safe Browsing, VirusTotal, URLhaus, and URLScan.io
5. Checks IP reputation with AbuseIPDB and DNS blacklists (if headers available)
6. Validates email authentication - SPF, DKIM, DMARC (if headers available)
7. Analyzes attachments and behavioral patterns
8. Calculates adaptive risk scores based on available data
9. Generates comprehensive reports with confidence levels
Most analyses complete in 10-20 seconds. Body-only mode is faster (8-12 seconds) as it skips header-based checks.
Step 4: Review Your Analysis Report
You'll receive two report options:
• Simple Report: Shows verdict (Phishing/Spam/Legitimate), risk score, key warning signs, and clear recommendations. Perfect for everyday users.
• SOC Analyst Report: Includes detailed risk breakdown, all extracted IOCs (URLs, IPs, domains), external verification results from all services, AI model details, MITRE ATT&CK mappings, email authentication analysis, and comprehensive findings with evidence.
You can switch between views anytime using the buttons at the bottom of the report.
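As an added illustration of the completeness check from Step 1 and the authentication validation from Step 3 (example code written for this guide, not Phishing Inspector's own implementation; the header heuristic and both sample messages are assumptions):

```python
import email
import re
from email import policy

# Headers that only a real message source carries (Step 1 lists them).
ROUTING = ("Received",)
AUTH = ("Authentication-Results", "DKIM-Signature", "Received-SPF")

def detect_mode(raw):
    """Classify pasted text as 'complete', 'partial' or 'body-only'.
    Heuristic assumed for this example, not the product's actual rule:
    routing plus authentication headers = complete, only one of the two =
    partial, neither (e.g. a mobile paste of From/Subject/body) = body-only."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_routing = any(msg.get(h) is not None for h in ROUTING)
    has_auth = any(msg.get(h) is not None for h in AUTH)
    if has_routing and has_auth:
        return "complete"
    if has_routing or has_auth:
        return "partial"
    return "body-only"

def parse_auth_results(raw):
    """Pull spf/dkim/dmarc outcomes out of Authentication-Results headers.
    Methods never reported map to 'missing', which is all body-only mode sees."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = outcome.lower()
    return results

# Constructed sample: a full source whose DKIM and DMARC checks failed.
SAMPLE_SOURCE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
  by mx.example.com with ESMTPS id abc123
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=example.net;
  dkim=fail header.d=example.net;
  dmarc=fail header.from=example.net
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; h=from:subject
From: Billing <billing@example.net>
Subject: Your account will be closed

Please verify your account at http://example.net/verify
"""
# Constructed sample: the same message as a mobile paste (Step 1, body-only).
SAMPLE_BODY_ONLY = "From: billing@example.net\nSubject: Your account will be closed\n\nPlease verify your account at http://example.net/verify\n"

if __name__ == "__main__":
    print(detect_mode(SAMPLE_SOURCE), parse_auth_results(SAMPLE_SOURCE))
    print(detect_mode(SAMPLE_BODY_ONLY), parse_auth_results(SAMPLE_BODY_ONLY))
```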
Understanding Your Report
Overall Risk Score (0-100)
Combined score from all analysis layers. 70+ = High Risk (Phishing), 40-69 = Medium Risk (Suspicious/Spam), 0-39 = Low Risk (Legitimate).
Risk Breakdown
Five-dimensional analysis: Content Risk (AI-detected phishing patterns), URL Risk (malicious links verified by threat intelligence), Header Risk (authentication failures), Attachment Risk (dangerous file types), Behavioral Risk (social engineering tactics).
External Verification
Real-time threat intelligence results from Google Safe Browsing, VirusTotal (70+ engines), URLhaus, URLScan.io, and AbuseIPDB. Threats confirmed by these services are marked "Externally Verified" for high confidence.
Confidence Score
Indicates certainty about the verdict (45-95%). Higher confidence means stronger evidence across multiple layers. Lower confidence suggests mixed signals or limited information.
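An added example of how the five risk dimensions, the verdict bands and the 45-95% confidence band described above fit together (written for this guide, not Phishing Inspector's actual formula; the weights, the layer-agreement heuristic and the 0.85 multiplier for the body-only reduction noted under Troubleshooting are assumptions):

```python
# Weights are an assumption for this example; the guide names the five
# dimensions but not how Phishing Inspector actually weights them.
WEIGHTS = {"content": 0.30, "url": 0.30, "header": 0.20,
           "attachment": 0.10, "behavioral": 0.10}

def overall_risk(dimensions):
    """Combine the available 0-100 dimension scores into one 0-100 score.
    A dimension reported as None (header risk in body-only mode, for
    example) is dropped and the remaining weights are renormalised, so a
    missing layer neither adds nor removes risk: the 'adaptive' part."""
    available = {k: v for k, v in dimensions.items() if v is not None}
    total_w = sum(WEIGHTS[k] for k in available)
    if total_w == 0:
        return 0
    return int(round(sum(WEIGHTS[k] * v for k, v in available.items()) / total_w))

def verdict(score):
    """Map a score onto the bands the report uses."""
    if score >= 70:
        return "Phishing"
    if score >= 40:
        return "Suspicious/Spam"
    return "Legitimate"

def confidence(dimensions, externally_verified, body_only):
    """Certainty in the 45-95% band. Layers that sit in the same band as the
    overall score count as supporting evidence; disagreeing layers (the
    'mixed signals' case) do not. Externally verified threats add 10 points.
    Body-only mode multiplies by 0.85, an assumed reading of the 12-15%
    reduction described under Troubleshooting."""
    score = overall_risk(dimensions)
    available = [v for v in dimensions.values() if v is not None]
    agreeing = sum(1 for v in available if (v >= 40) == (score >= 40))
    conf = 45 + 10 * agreeing            # five agreeing layers reach 95
    if externally_verified:
        conf += 10
    if body_only:
        conf = int(round(conf * 0.85))
    return max(45, min(95, conf))

# Constructed scores: a desktop analysis where every layer had data ...
COMPLETE = {"content": 80, "url": 90, "header": 80, "attachment": 0, "behavioral": 60}
# ... and a mobile paste with no header/attachment data whose URLs came back
# clean despite suspicious content (the low-confidence case).
BODY_ONLY = {"content": 80, "url": 10, "header": None, "attachment": None, "behavioral": 60}

if __name__ == "__main__":
    for name, dims, ev, bo in (("desktop", COMPLETE, True, False), ("mobile", BODY_ONLY, False, True)):
        s = overall_risk(dims)
        print(name, s, verdict(s), f"{confidence(dims, ev, bo)}%")
```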
MITRE ATT&CK Techniques
Security framework mapping showing specific attack techniques detected (e.g., T1566.002: Phishing - Spearphishing Link). Helps SOC analysts understand attacker methodology.
IOC Extraction
Automatically extracts and categorizes Indicators of Compromise: all URLs with reputation checks, IP addresses with abuse scores, domains with age verification, email addresses with roles, suspicious keywords, attachment analysis with hashes.
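An added example of the offline part of IOC extraction (URLs, IPs, domains, email addresses, suspicious keywords and attachment hashes), written for this guide rather than taken from Phishing Inspector; the keyword list and the sample email are constructed, and reputation, abuse-score and domain-age lookups are left to the external services:

```python
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Pressure-tactic phrases; a constructed list for this example, not the
# product's actual keyword set.
SUSPICIOUS_KEYWORDS = ("verify your account", "suspended", "urgent",
                       "within 24 hours", "click here")

def extract_iocs(text, attachments=None):
    """Categorise IOCs from an email body plus optional {name: bytes} attachments.
    Domains are derived from the URLs and sender addresses; attachments are
    hashed with SHA-256, the form reputation services accept for lookups."""
    urls = sorted(set(URL_RE.findall(text)))
    emails = sorted(set(EMAIL_RE.findall(text)))
    # Drop regex hits with an octet above 255 before they reach a lookup.
    ips = sorted(ip for ip in set(IPV4_RE.findall(text))
                 if all(int(octet) <= 255 for octet in ip.split(".")))
    domains = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            domains.add(host.lower())
    for address in emails:
        domains.add(address.split("@", 1)[1].lower())
    lowered = text.lower()
    keywords = sorted(k for k in SUSPICIOUS_KEYWORDS if k in lowered)
    hashes = {name: hashlib.sha256(data).hexdigest()
              for name, data in (attachments or {}).items()}
    return {"urls": urls, "ips": ips, "domains": sorted(domains),
            "emails": emails, "keywords": keywords, "attachment_hashes": hashes}

# Constructed sample using the look-alike domain from the best-practices list.
SAMPLE_BODY = """\
From: PayPal Service <service@paypa1.com>
Subject: URGENT: account suspended

Dear Customer, your account has been suspended. Verify your account within 24 hours:
http://paypa1.com/verify?id=123 or http://192.0.2.55/login
Questions? Reply to support@paypa1.com
"""

if __name__ == "__main__":
    for category, values in extract_iocs(SAMPLE_BODY, {"invoice.docm": b"constructed"}).items():
        print(category, values)
```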
Tip: Use the Simple Report for quick decisions and the SOC Analyst Report when you need to understand exactly why a verdict was reached or need to document findings for your security team.
Security Best Practices
- Always provide complete email source with headers, not screenshots or forwarded emails. Headers contain critical authentication and routing information.
- Legitimate companies never request passwords, credit card numbers, or Social Security numbers via email. Any such request is suspicious.
- Be skeptical of urgent language or threats of account closure. Phishers create artificial urgency to bypass your critical thinking.
- Verify sender address carefully. Phishers use similar-looking domains (e.g., paypa1.com instead of paypal.com) or compromised legitimate accounts.
- Hover over links before clicking to see the actual destination URL. Phishers hide malicious URLs behind legitimate-looking text.
- Even if Phishing Inspector marks an email as legitimate, verify unexpected requests directly through official channels, not by replying to the email.
- Check for generic greetings ("Dear Customer") instead of your name. Legitimate companies usually personalize emails.
- Look for spelling and grammar errors. While not always present, poor language quality can indicate phishing.
- Be cautious of attachments, especially .exe, .zip, .scr, or macro-enabled Office documents (.docm, .xlsm).
- When in doubt, contact the organization directly using official contact information from their website, not from the email.
Troubleshooting Common Issues
Error: "Insufficient content for analysis"
The content you provided is too short or doesn't appear to be email-related. DESKTOP: Make sure you copied the complete email source including headers. MOBILE: Ensure you copied at least 50 characters of meaningful email content, not just "Click here" or similar short phrases. Include sender information and the full email body.
Warning: "Body-Only Mode" or "Mobile/Limited Analysis"
This is normal if you're using a mobile device or couldn't access email headers. The system detected that headers are missing and automatically switched to body-only analysis. You'll still get AI-based content analysis and URL verification, but with lower confidence. For complete analysis with header authentication checks, access the email from a desktop computer and use "Show original" or "View Source".
Analysis taking longer than expected
Analysis involves multiple external API calls which can take time, especially if the email contains many URLs. External services may have rate limits during peak usage. Please wait - the system continues processing all layers. Body-only mode is typically faster (10-15 seconds) as it skips header checks.
Some external services show "Not configured" or "Failed"
Some threat intelligence services require API keys. If a service is not configured, the analysis continues with remaining layers. Failed services (due to rate limits or timeouts) don't affect other layers - the system gracefully handles failures.
Verdict seems wrong or confidence is low
Low confidence indicates mixed signals (e.g., content seems suspicious but all URLs verified clean) or limited data availability (body-only mode). Review the detailed SOC report to see exactly what each layer detected and what data was available. Consider all evidence, not just the verdict. For highest confidence, use complete email source with headers from desktop.
Confidence dropped after switching from desktop to mobile analysis
This is expected. Body-only mode (mobile) has lower confidence because it lacks email authentication data (SPF, DKIM, DMARC), IP reputation checks, and routing information. The confidence score is automatically adjusted down by 12-15% to reflect this limitation. The analysis is still valuable but less comprehensive than desktop analysis.
Need More Technical Details?
Explore our comprehensive documentation to understand the multi-layered analysis architecture, risk calculation methodology, and external service integrations.