How to Read a Phishing Email Like a Security Analyst

Most phishing advice stops at “look for typos and bad grammar.” That advice is dead. AI has made phishing emails grammatically flawless, professionally formatted, and visually identical to the real thing.

So how do analysts catch them? Not by reading the body of the email. By reading what’s underneath it.

Every email carries a paper trail. Headers, authentication results, routing information, and link destinations all tell a story the visible email never shows. Once you know where to look, a phishing email becomes obvious in seconds, regardless of how convincing the writing is.

This post walks through the exact fields I check, in the order I check them, using the same approach I used while investigating the SOC146 phishing case.

The Full Analysis Checklist

Before diving into each field, here’s the complete picture of what to check and why:

| Header / Field | Category | What It Tells You |
| --- | --- | --- |
| From / Display Name | Sender Identity | Check who the email actually came from, not who it claims to be |
| Reply-To | Redirect Trap | Reveals where responses actually go |
| Return-Path | Bounce Address | Shows the true envelope sender, often different from From |
| Received Headers | IP Trail | Traces the email’s path server by server |
| SPF / DKIM / DMARC | Authentication | Confirms whether the sending server was authorized |
| URLs | Link Analysis | Where a link actually goes versus what it displays |
| Attachments | Payload Check | What the file really is and whether it’s been seen before |

None of this requires special tools. Every header is visible in Gmail, Outlook, or any mail client through “View Source” or “Show Original.” Let’s go through each one.


1. From and Display Name: Two Different Things

The display name is whatever the sender wants it to say. “Microsoft Support,” “IT Helpdesk,” “Your Bank.” None of that is verified. The actual sending address is the part that matters, and most email clients hide it behind the display name.

2. Reply-To: Where Your Response Actually Goes

If a Reply-To address is present and differs from the From address, that’s worth investigating immediately. Legitimate transactional emails rarely set a different Reply-To, and when they do, it’s usually a documented support address, not a personal Gmail account.


3. Return-Path: The Envelope Sender

The From header is what’s displayed. The Return-Path (also called the envelope sender or bounce address) is what the receiving mail server actually used to accept the message. These two frequently don’t match, and when they don’t, the Return-Path is usually closer to the truth.
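The three sender-identity checks above (display name versus From address, Reply-To versus From, Return-Path versus From) can be done with nothing more than Python’s standard library. The script below is an added example, not code from the original post; the sample message is constructed and every domain in it is a placeholder. The display-name check is a deliberately crude heuristic (does any word of the display name appear in the From domain?) and is there to surface the mismatch for an analyst, not to decide on its own.

```python
"""Compare the three sender-identity headers (From, Reply-To, Return-Path)
of a raw message.  Added example, not code from the original post; the
message below is constructed and every domain in it is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims a brand, the From address is
# on an unrelated domain, and replies and bounces go to two more domains.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
From: "Northwind Bank Support" <alerts@account-verify.example.com>
Reply-To: support.desk@example-mail.example.org
To: employee@example.com
Subject: Action required on your account

(body omitted)
"""


def domain_of(header_value):
    """Lower-cased domain part of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_identity_findings(raw):
    """Return the three sender domains plus a list of mismatch findings."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return_domain = domain_of(msg.get("Return-Path"))

    findings = []
    # Crude heuristic: the display name is free text, so only note it when
    # none of its words (4+ letters) appears anywhere in the From domain.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display_name)]
    if words and not any(w in from_domain for w in words):
        findings.append("display name does not match From domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if return_domain and return_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in sender_identity_findings(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the constructed sample all three findings fire; on a message whose From, Return-Path and (absent) Reply-To all agree, the findings list is empty. Absent headers are skipped rather than flagged, since a missing Reply-To is normal.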


4. Received Headers: The IP Trail

Every server that handles an email adds a Received header, stacked in reverse chronological order, with the most recent hop at the top. This creates a traceable path from the sender’s mail server to your inbox.
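Here is an added example (not from the original post) that walks a constructed Received chain from the bottom up. The hostnames are placeholders and the IP addresses come from the RFC 5737 documentation ranges. It also shows the caveat a practitioner cares about: only the Received headers stamped by servers you control are trustworthy, because anything below the first hop you own was supplied by the sender and can be fabricated. `last_trusted_hop` therefore reports the IP seen by your own edge server separately from the bottom-most (claimed) origin.

```python
"""Walk the Received chain bottom-up and separate the claimed origin from
the last hop recorded by a server we control.  Added example, not code from
the original post; headers are constructed, IPs are RFC 5737 placeholders.
"""
import re
from email import message_from_string

# Constructed chain, most recent hop first (as it appears in a real message).
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTPS id abc123;
\tTue, 4 Mar 2025 09:15:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com with ESMTP id def456;
\tTue, 4 Mar 2025 09:15:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP id ghi789;
\tTue, 4 Mar 2025 09:14:58 +0000
From: "Northwind Bank" <alerts@account-verify.example.com>
Subject: test

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_received(raw):
    """Return one dict per Received header, top (newest) to bottom (oldest)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())  # unfold continuation lines
        m = FROM_BY.search(text)
        ip = IPV4.search(text)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "ip": ip.group(1) if ip else None,
            "raw": text,
        })
    return hops


def originating_hop(raw):
    """Bottom-most hop: the origin the chain *claims*; sender-controlled."""
    hops = parse_received(raw)
    return hops[-1] if hops else None


def last_trusted_hop(raw, trusted_suffix):
    """Lowest hop whose 'by' host is ours; its 'from' IP is the last one we
    actually observed handing us the message."""
    for hop in reversed(parse_received(raw)):  # bottom-up
        if hop["by"] and hop["by"].lower().endswith(trusted_suffix.lower()):
            return hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(reversed(parse_received(SAMPLE)), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("claimed origin:", originating_hop(SAMPLE)["ip"])
    print("last hop seen by our MX:", last_trusted_hop(SAMPLE, "example.com")["ip"])
```

In this sample the bottom header claims 203.0.113.45 as the origin, but that header was added by relay.example.net, which we do not control; the last IP our own mx.example.com actually saw is 198.51.100.7. Both values are worth recording, but only the second one is evidence.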


5. SPF, DKIM, and DMARC: The Authentication Trio

These three records work together to answer one question: was this email actually authorized to be sent from this domain? Most mail providers run these checks automatically and stamp the result directly into the headers as Authentication-Results.

SPF (Sender Policy Framework) checks whether the sending server’s IP is listed as an authorized sender for that domain.

DKIM (DomainKeys Identified Mail) verifies a cryptographic signature proving the email wasn’t altered in transit and came from a server holding the domain’s private key.

DMARC (Domain-based Message Authentication) tells receiving servers what to do when SPF or DKIM fail: quarantine, reject, or do nothing.
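The Authentication-Results header can be parsed with a couple of regular expressions, but the value of reading it is in checking alignment: SPF and DKIM can both pass for some domain the attacker controls while the From domain the user sees is something else entirely, which is exactly the case where DMARC fails. The script below is an added example, not code from the original post. The header is constructed, `mx.example.com` stands in for your own receiving host, and `org_domain` approximates the organizational domain with the last two labels (real DMARC uses the Public Suffix List).

```python
"""Parse Authentication-Results and check SPF/DKIM alignment against the
From domain.  Added example, not code from the original post; the header
is constructed and all domains are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but for mailer.example.net,
# not for the From domain, so DMARC (p=reject) fails.
SAMPLE = """\
Authentication-Results: mx.example.com;
\tspf=pass (sender IP is 203.0.113.45) smtp.mailfrom=mailer.example.net;
\tdkim=pass header.d=mailer.example.net header.s=sel1;
\tdmarc=fail (p=reject) header.from=account-verify.example.com
From: "Northwind Bank" <alerts@account-verify.example.com>
Subject: test

body
"""

VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def parse_auth_results(raw):
    """Return ({check: verdict}, {property: domain}) from the header."""
    msg = message_from_string(raw)
    text = " ".join((msg.get("Authentication-Results") or "").split())
    verdicts = {k: v.lower() for k, v in VERDICT.findall(text)}
    props = {k: v.lower() for k, v in PROP.findall(text)}
    return verdicts, props


def org_domain(domain):
    """Crude organizational domain: last two labels (PSL not consulted)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def assess(raw):
    """Combine verdicts with alignment the way a DMARC evaluator would."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts, props = parse_auth_results(raw)
    spf_aligned = (verdicts.get("spf") == "pass"
                   and org_domain(props.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (verdicts.get("dkim") == "pass"
                    and org_domain(props.get("header.d", "")) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "verdicts": verdicts,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,  # either aligned pass suffices
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

A header that reads `spf=pass` and `dkim=pass` looks reassuring until you notice both results belong to `mailer.example.net` while the visible From is `account-verify.example.com`; that gap is the thing to look for, and it is why a pass on its own never clears a message.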


6. URLs: What’s Displayed vs. Where It Goes

A link’s visible text and its actual destination are two completely independent things in HTML email. “Click here to verify your account” can point anywhere the sender wants.
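Hovering works for one link; a parser works for fifty. The following added example (not from the original post) pulls every anchor out of a constructed HTML body and compares the text the reader sees with the `href` the click follows. The hosts are placeholders and the IP is an RFC 5737 documentation address. It flags the two patterns worth a second look: display text that is itself a URL on a different host than the destination, and destinations that are bare IP addresses.

```python
"""Compare displayed link text with the real href in an HTML email body.
Added example, not code from the original post; the HTML is constructed
and every host is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed body: one lookalike link, one honest link, one bare-IP link.
SAMPLE_HTML = """
<p>Your mailbox is almost full.</p>
<p><a href="https://login.account-verify.example.com/x?id=1">https://mail.example.com/quota</a></p>
<p><a href="https://mail.example.com/help">Help center</a></p>
<p><a href="HTTPS://203.0.113.45/login">Verify now</a></p>
"""

BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def analyze_links(html):
    """Return each link with its destination host and any findings."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for link in parser.links:
        dest_host = (urlparse(link["href"]).hostname or "").lower()
        findings = []
        # If the visible text is itself a URL, its host must match the href host.
        if link["text"].lower().startswith(("http://", "https://")):
            shown_host = (urlparse(link["text"]).hostname or "").lower()
            if shown_host != dest_host:
                findings.append("displayed URL host differs from destination host")
        if BARE_IPV4.fullmatch(dest_host):
            findings.append("destination is a bare IP address")
        results.append({**link, "host": dest_host, "findings": findings})
    return results


if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        print(f"{r['text']!r:40} -> {r['host']:35} {r['findings']}")
```

The parser only sees what is in the HTML; shortened URLs still need to be expanded (a HEAD request, or a preview service) before the final host can be judged, and that step is deliberately left out here so the script runs offline.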


7. Attachments: What the File Really Is

File extensions are cosmetic. A file named invoice.pdf.exe, or an Excel file containing a macro, doesn’t announce itself as dangerous in the file name. The actual file type and its hash are what matter.
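Identifying an attachment by its leading bytes instead of its name, and hashing it for a VirusTotal lookup, takes a few lines of standard-library Python. The example below is added here and is not code from the original post. The byte strings are constructed minimal stubs (a fake PE header, a fake PDF header, an in-memory zip built with `zipfile`), not real documents or executables, and the signature table covers only the handful of types the section mentions. For Office containers it also peeks inside the zip for a `vbaProject.bin` entry, which is how a macro project shows up regardless of the file name.

```python
"""Classify an attachment by magic bytes, spot double extensions and Office
macro projects, and compute the SHA-256 to look up.  Added example, not
code from the original post; all sample bytes are constructed stubs.
"""
import hashlib
import io
import zipfile

# (leading bytes, type label); a deliberately small table for illustration.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-container"),           # docx/xlsx/xlsm/jar/...
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
]
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "ps1", "lnk"}
EXT_TO_TYPE = {
    "pdf": "pdf", "exe": "pe-executable", "scr": "pe-executable",
    "docx": "zip-container", "xlsx": "zip-container",
    "docm": "zip-container", "xlsm": "zip-container",
    "doc": "ole2", "xls": "ole2",
}


def detect_type(data):
    """Type label from the first bytes, 'unknown' if no signature matches."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return "unknown"


def has_vba_project(data):
    """True if a zip container holds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return hash, detected type and a list of findings for one attachment."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    detected = detect_type(data)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("double extension hiding an executable type" if len(parts) > 2
                        else "executable file type")
    claimed = EXT_TO_TYPE.get(ext)
    if claimed and claimed != detected:
        findings.append(f"content looks like {detected}, name claims {claimed}")
    if detected == "zip-container" and has_vba_project(data):
        findings.append("Office container holds a VBA macro project")
    return {
        "name": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "detected": detected,
        "findings": findings,
    }


def make_office_zip(with_macro):
    """Build a constructed, minimal Office-style zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("report.pdf", b"%PDF-1.7\n%stub\n"),
        ("q1.xlsx", make_office_zip(with_macro=True)),
    ]
    for name, data in samples:
        r = triage_attachment(name, data)
        print(f"{name:18} {r['detected']:14} {r['sha256'][:16]}...  {r['findings']}")
```

The hash is what you paste into VirusTotal; the findings are what you act on if the hash has never been seen before. Note that an `.xlsx` carrying a macro project is a finding in itself, since the macro-free extension is being used to look harmless.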


Putting It All Together

Here’s the order I actually follow when triaging a reported email:

  • Check the From address, not just the display name
  • Check Reply-To for a mismatch with From
  • Check Return-Path for a mismatch with From
  • Read Received headers from the bottom up to find the originating IP
  • Check Authentication-Results for SPF, DKIM, and DMARC verdicts
  • Hover or long-press every link to reveal the real destination
  • Hash any attachments and check VirusTotal before opening anything

Most phishing emails fail at least three of these checks simultaneously. You rarely need to go through all seven. The first mismatch you find is usually enough to confirm the email is malicious and move to containment.


Final Thoughts

The body of a phishing email is theater. It’s designed to create urgency and bypass critical thinking. The headers are where the truth lives, and they can’t be faked as easily, because multiple independent systems (the sending server, the receiving server, and DNS records) all contribute to them.


If you want to see this analysis applied to a real, documented case, including the full attack chain from phishing email to C2 beacon, read the SOC146 walkthrough on this site.

Key Takeaways

  • Stop looking for typos. AI-generated phishing is grammatically perfect.
  • The display name means nothing. Always check the actual From address.
  • A Reply-To address that doesn’t match From is one of the strongest BEC indicators.
  • Return-Path often reveals the true sending infrastructure when From is spoofed.
  • Read Received headers from the bottom up for the original sending IP.
  • SPF, DKIM, and DMARC failures are a strong signal, but passes don’t guarantee safety.
  • Never trust displayed link text. Hover, expand shortened URLs, and check destinations.
  • Hash attachments and check VirusTotal before opening anything, regardless of file extension.