// Methodology
Phishing analysis follows a clear order of priority. Start with reputation services: they are fast, passive, and often sufficient to confirm a verdict. Only move to sandboxes when you need to observe active behaviour, such as a macro executing or a payload dropping.
Never click links or open attachments on your host machine. Always use a sandbox or isolated VM.
Check headers, sender address, reply-to, and subject for red flags.
Cross-reference all IPs, URLs, domains, and hashes against threat intel services.
Parse the delivery path and validate SPF, DKIM, and DMARC alignment.
Safely preview any links without visiting them directly.
Detonate attachments or URLs to observe live behaviour if needed.
// Reputation Lookup
Reputation services are your first stop. They are passive: you are querying existing databases, not interacting with malicious infrastructure. Use them for every indicator you extract from the email.
VirusTotal
virustotal.com
Cross-references URLs, IPs, domains, and file hashes across 70+ detection engines simultaneously. Also maps relationships between indicators; useful for pivoting from a URL to its hosting IP to other URLs on the same infrastructure.
URLhaus
urlhaus.abuse.ch
Tracks URLs actively used for malware distribution. Useful for context on suspicious links found in phishing emails: if the URL is listed, you have strong evidence of malicious intent and can see what malware family it is associated with.
AbuseIPDB
abuseipdb.com
Community-reported IP reputation database covering spam, C2 traffic, brute force, and scanning activity. Use this against source IPs extracted from email headers to determine if the sending server has a history of abuse.
OTX AlienVault
otx.alienvault.com
Broader threat intelligence platform with community-contributed pulses. Each pulse contains IOCs, TTPs, and MITRE ATT&CK mappings. Good for understanding the wider campaign context behind an indicator you have found.
// Header Analysis
Email headers contain the full delivery path of a message. They can reveal spoofed sender addresses, relay servers, and authentication failures. Copy the raw headers from the email client and paste into one of the tools below.
What to look for: SPF fail, DKIM fail, DMARC fail, mismatched From vs. Return-Path, unexpected relay hops, unusual sending times or geolocation.
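The checks listed above can be scripted before the raw headers ever go into a web tool. The following Python script is an added example and not part of the original page; it parses a constructed set of headers (reserved example domains and RFC 5737 documentation IPs, not a real message), pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, walks the Received chain oldest hop first, and flags Return-Path or Reply-To domains that do not match the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers for the walkthrough (not a real message). The domains are
# RFC 2606 reserved names and the IPs come from the RFC 5737 documentation ranges.
RAW_HEADERS = """\
Return-Path: <bounce@mailer.example.org>
Received: from mailer.example.org (mailer.example.org [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1
\tfor <victim@example.net>; Mon, 03 Mar 2025 03:12:44 +0000
Received: from localhost (unknown [198.51.100.7])
\tby mailer.example.org (Postfix) with ESMTPA id 9C3B2;
\tMon, 03 Mar 2025 03:12:41 +0000
Authentication-Results: mx.example.net;
\tspf=fail (sender IP is 203.0.113.45) smtp.mailfrom=mailer.example.org;
\tdkim=none;
\tdmarc=fail action=quarantine header.from=bank-example.com
From: "Example Bank Security" <alerts@bank-example.com>
Reply-To: support@bank-example.net
To: victim@example.net
Subject: Urgent: verify your account
Date: Mon, 03 Mar 2025 03:12:40 +0000

(body omitted)
"""

# mechanism=verdict pairs as written by the receiving MTA, e.g. "spf=fail"
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# the bracketed IPv4 literal a relay records for the host that connected to it
BRACKETED_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Domain part of an address header, lower-cased ('' when the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    The first (topmost) header wins, as that is the one your own MTA added."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(value)):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def relay_path(msg):
    """Delivery path oldest hop first. Each relay prepends its own Received header,
    so the topmost header is the newest; only the hops your own servers wrote can be
    trusted, anything below them may have been forged by the sender."""
    hops = []
    for value in msg.get_all("Received", []):
        match = BRACKETED_IPV4_RE.search(str(value))
        hops.append(match.group(1) if match else "unknown")
    return list(reversed(hops))


def analyze_headers(raw):
    """Return the parsed facts plus a list of human-readable red flags."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])

    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech.upper()} {verdict}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "auth": auth,
        "relay_path": relay_path(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_headers(RAW_HEADERS)
    print("Relay path (oldest first):", " -> ".join(report["relay_path"]))
    for flag in report["findings"]:
        print("RED FLAG:", flag)
```

The IPs in the relay path are what you feed to AbuseIPDB; a domain mismatch between From and Return-Path is normal for bulk mailers, so treat it as a prompt to check the rest of the chain rather than a verdict on its own.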
MxToolbox Header Analyzer
mxtoolbox.com/EmailHeaders.aspx
Paste raw headers and it parses the full delivery path with a clear visual timeline. Produces clean SPF, DKIM, and DMARC output with pass/fail indicators. One of the clearest interfaces for header analysis.
Google Messageheader
toolbox.googleapps.com/apps/messageheader
Google's equivalent header parser. Works with any email headers, not limited to Gmail. Useful as a second opinion or when MxToolbox is unavailable.
// URL Inspection
Never visit a suspicious URL directly. These tools let you see what is behind a link without your browser ever making the request.
URLScan.io
urlscan.io
Loads the URL in a safe, isolated environment and returns a full report: a screenshot of the page, all contacted domains and IPs, technologies detected, and extracted IOCs. An essential tool for seeing exactly what a link leads to without any risk.
URL Expanders
Search "URL expander"
Shortened URLs (bit.ly, tinyurl, etc.) hide the real destination. Paste a shortened link into a URL expander to reveal the full URL before submitting it to URLScan or VirusTotal. Never click a shortened link directly.
// Sandboxes
Use sandboxes when reputation services are inconclusive and you need to observe active behaviour, such as macros executing, payloads dropping, or network callbacks. All three options below have a free tier.
Files submitted to public sandboxes are visible to other users, including threat actors. If you are handling a real incident at work, check your organisation's policy before submitting.
Any.Run
any.run
Interactive sandbox: you can click inside the virtual machine in real time. Excellent for observing process trees, network connections, registry changes, and dropped files as they happen. Best choice when you need to interact with the sample.
Hybrid Analysis
hybrid-analysis.com
Combines static and dynamic analysis. Solid free tier with MITRE ATT&CK tagging, PCAP export for network traffic analysis, and screenshot capture throughout execution. Good all-rounder for most samples.
Triage
tria.ge
Supports both Windows and Linux targets. Generous free tier with strong IOC extraction. A good alternative when you need Linux analysis or want a second opinion alongside Hybrid Analysis.
// Working with .eml Files
If you have a raw .eml file rather than viewing the email in a client, you can parse it directly from the terminal. This gives you access to headers, body, and any embedded attachments.
Read headers and body
The simplest approach is to print the file with cat, which shows the raw content including all headers:
# Read full headers and body
cat suspicious.eml
Extract attachments
If the email contains attachments you need to extract for further analysis, use this Python snippet. It walks all MIME parts and saves any part that carries a filename into your working directory.
# Extract attachments from a .eml file. Only the basename of each declared
# filename is used, so a crafted name such as ../../evil cannot write outside
# the working directory.
python3 -c "
import email, os
with open('suspicious.eml', 'rb') as f:
    msg = email.message_from_binary_file(f)
for part in msg.walk():
    name = part.get_filename()
    if name:
        safe = os.path.basename(name)
        with open(safe, 'wb') as out:
            out.write(part.get_payload(decode=True))
        print('Saved:', safe)
"
Extracted attachments are live malware. Do not open them on your host machine. Move them into a sandbox or analyse statically with a tool like file, strings, or olevba for Office documents.
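Extracting attachments is one step; the reputation lookups at the top of this page need the indicators themselves. The following Python script is an added example, not code from the original page. It builds a sample phishing-style .eml in memory (constructed content: RFC 2606 reserved domains, an inert text blob posing as a .docm, and a placeholder shortener host short.example so the shortened-URL check has something to flag), then harvests URLs from the text and HTML bodies, defangs them for reports, flags links that need expanding first, and computes a SHA-256 for each attachment without ever writing it to disk.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hosts treated as URL shorteners whose real destination must be expanded before
# submission. "short.example" is a placeholder so the constructed sample triggers the check.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}


def build_sample_eml() -> bytes:
    """Construct a phishing-style message in memory (fabricated content: RFC 2606
    reserved domains and an inert text blob posing as a .docm attachment)."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@bank-example.com>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content(
        "Please review the attached invoice and confirm your details at\n"
        "http://login.bank-example.com/verify?id=123\n"
    )
    msg.add_alternative(
        '<p>Confirm at <a href="https://short.example/3xAmPl3">your account</a></p>',
        subtype="html",
    )
    msg.add_attachment(
        b"not really a document",
        maintype="application",
        subtype="octet-stream",
        filename="invoice.docm",
    )
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """Hash to submit to VirusTotal instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


def defang(url: str) -> str:
    """Make a URL non-clickable for reports and ticket notes (hxxp, [.])."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def extract_indicators(raw: bytes) -> dict:
    """Walk every MIME part: collect URLs from text bodies and hash attachments
    in memory, so nothing touches disk and no URL is ever requested."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append(
                {"filename": part.get_filename(), "size": len(data), "sha256": sha256_hex(data)}
            )
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return {
        "urls": urls,
        "defanged_urls": [defang(u) for u in urls],
        "needs_expansion": [u for u in urls if urlparse(u).hostname in SHORTENER_HOSTS],
        "attachments": attachments,
    }


if __name__ == "__main__":
    report = extract_indicators(build_sample_eml())
    for url in report["defanged_urls"]:
        print("URL    :", url)
    for url in report["needs_expansion"]:
        print("EXPAND :", defang(url), "(shortened, expand before submitting)")
    for att in report["attachments"]:
        print("ATTACH :", att["filename"], att["size"], "bytes  sha256", att["sha256"])
```

Point the script at a real file by replacing build_sample_eml() with the bytes of suspicious.eml. Hashing in memory means the attachment can be checked against VirusTotal before you decide whether a sandbox run is needed at all, and the defanged form is what belongs in the ticket.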