Phishing Email Analysis Process – Expert Tips Disclosed
This article walks through how to analyse a phishing email for forensic investigation purposes: first impressions, header checks, safe link analysis, payload behaviour and the response steps that follow.
Phishing emails are still one of the most common initial access points for attackers—even now in 2025. I honestly deal with these almost every week. Some are hilariously bad, but others? Scarily convincing.
In this post, I’m gonna walk you through how I handled a real phishing email we got at work. No fluff, no buzzwords—just straight-up analysis from the trenches.
📨 The Suspicious Email for Phishing Analysis
So, here’s how it all started. A colleague from finance shot me a quick forward of this sketchy-looking message:
From: noreply@secure-intuitbilling.com
Subject: Important Notice – Tax Payment Failure

Dear Customer,
Your tax payment for Q2 could not be processed.
Please review and submit the payment via the link below:
[View Invoice]
Thank you,
Intuit Billing Team

Pretty generic, right? But something just felt off right away.
How to Analyse Phishing Emails Step by Step?
These are the steps I followed for this phishing email analysis:
🔎 Step 1: First Impressions (Stuff That Smells Phishy)
A couple of things jumped out at me immediately:
- Sender address: secure-intuitbilling.com kinda looks official, but I know Intuit uses intuit.com—this isn’t it.
- No personalization: Just “Dear Customer.” No name, no company reference, no signature—lazy.
- Urgency vibe: These emails always try to rush you.
- The link: Hovered over it—turned out to be a TinyURL link. That’s a red flag. Legit companies rarely do that for payment stuff.
So yeah, all the classic phishing signs were there.
🧠 Step 2: Header Analysis (Behind the Curtain)
Next up, I pulled the full email headers and gave them a look. Here’s what stood out:
- SPF: Failed
- DKIM: Not configured
- Return-Path: bounce@cheap-webmail.net
- Received from: sketchy IP address tied to some low-tier host in Indonesia
I ran it through tools like MXToolbox and Google Header Analyzer just to double-check. Everything confirmed my gut—this thing pretended to be from Intuit, but the infrastructure was telling another story entirely.
🔗 Step 3: Checking the Link (Safely, ofc)
Yeah, I’m not about to just click on random links like a rookie.
Instead, I opened it in a sandboxed lab environment. The shortened URL redirected to:
https://taxform-s3bucket-docs[.]com/tax-payment/index.html
Boom—fake Intuit login page. Looked super polished. It even had a Let’s Encrypt TLS cert, so the padlock made it feel legit.
But I know the game: type in your creds here, and boom—they’re gone. Straight to the attacker’s backend.
🧪 Step 4: Payload & Behaviour
I pulled down the HTML file and cracked it open in a controlled lab setup.
Here’s what I found inside:
- JS script capturing keystrokes
- POST request sending creds to a Telegram bot
- After stealing creds, it redirected to the real Intuit login page
Classic flow. Trick the user, steal the login, and redirect them to the real site so they don’t suspect anything.
Seen this pattern more times than I can count, honestly.
🧯 Step 5: What I Did Next
After confirming it was phishing, I jumped into cleanup mode:
- Blocked the sender domain + URL at our email gateway and firewall
- Notified SOC so they could check for similar messages
- Hunted through logs to see if anyone clicked (thankfully, no hits)
- Reported the domain to the registrar + Google Safe Browsing
- Shared the case in our internal security bulletin for awareness
🛠 Phishing Email Analysis Tools I Used (The Usual Arsenal)
Here’s my go-to stack for handling stuff like this:
- MXToolbox
- Google Header Analyzer
- VirusTotal
- Any.Run or Joe Sandbox
- URLScan.io
- CyberChef
- Burp Suite (for controlled analysis)
- Whois / IP tools for infra info
🎓 Just Some Final Thoughts
Phishing isn’t going anywhere. Attackers are levelling up their social engineering game all the time. And honestly, it only takes one click from a distracted user to open the gates.
So, take a second, slow down, check the sender, hover over the links, and trust your gut. Those basics are the core of phishing email analysis.
And for folks like us in DFIR, the job doesn’t stop at catching it—we gotta share, educate, and help others level up too.
Stay safe,