Phishing Email Analysis
Lesson 6 of 10
The Scenario
A user forwarded a suspicious email claiming to be from Microsoft about an "urgent password reset." Before you click anything, you need to analyze the headers and content to determine if it is phishing.
The Prompt
Analyze these email headers and body for phishing indicators. Tell me:
1. Is this legitimate or phishing? (confidence level: high/medium/low)
2. What specific indicators lead to your conclusion?
3. SPF, DKIM, and DMARC analysis
4. Any malicious URLs or domains?
5. Recommended action
Headers:
From: security@micr0soft-alerts.com
Reply-To: reset@mail-secure-check.xyz
Return-Path: bounce@cheap-mailer.net
Received: from mail-secure-check.xyz (185.234.72.11)
X-Mailer: PHPMailer 6.1.4
Authentication-Results: spf=fail; dkim=none; dmarc=fail
Date: Mon, 18 Mar 2026 02:14:33 +0000
Subject: [URGENT] Your Microsoft 365 password expires in 24 hours
Body:
Dear User,
Your Microsoft 365 password will expire in 24 hours. Click the link below to verify your identity and reset your password:
https://microsoft-365-reset.cheap-mailer.net/verify?id=a8f3e2
What AI Gives You
Verdict: PHISHING (high confidence)
- Domain micr0soft-alerts.com uses a zero instead of "o" — typosquatting
- Reply-To mismatch: different domain than From
- SPF fail + no DKIM = not from Microsoft
- URL points to cheap-mailer.net, not microsoft.com
- PHPMailer is not used by Microsoft
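The same checks can be scripted for triage. This is an added Python example, not part of the original lesson: it parses the sample message above and reports the sender-domain mismatches, the non-passing authentication results and the off-brand link. The `triage` function and its `brand_domain` parameter are assumptions introduced for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample: the headers and body quoted in this lesson.
RAW = """\
From: security@micr0soft-alerts.com
Reply-To: reset@mail-secure-check.xyz
Return-Path: bounce@cheap-mailer.net
Received: from mail-secure-check.xyz (185.234.72.11)
X-Mailer: PHPMailer 6.1.4
Authentication-Results: spf=fail; dkim=none; dmarc=fail
Date: Mon, 18 Mar 2026 02:14:33 +0000
Subject: [URGENT] Your Microsoft 365 password expires in 24 hours

Dear User,
Your Microsoft 365 password will expire in 24 hours. Click the link below to verify your identity and reset your password:
https://microsoft-365-reset.cheap-mailer.net/verify?id=a8f3e2
"""

def addr_domain(value):  # lowercased domain of an address header, or ''
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def under(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def triage(raw, brand_domain="microsoft.com"):
    """Return a list of findings; brand_domain is the claimed sender (assumption)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = addr_domain(msg["From"])
    if not under(from_dom, brand_domain):
        findings.append(f"From domain {from_dom} is not {brand_domain}")
    for name in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "").lower()))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} result is {auth.get(mech, 'missing')}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if not under(host, brand_domain):
            findings.append(f"URL host {host} is not under {brand_domain}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(RAW)))
```

A Return-Path that differs from From is also common in legitimate bulk mail, so treat each finding as a signal to weigh rather than a verdict. Only trust an Authentication-Results header that was added by your own receiving mail server.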
Try It Yourself
Forward a suspicious email's raw headers to AI (most email clients have a "view source" option). You will quickly learn what legitimate vs phishing headers look like.