// tool reference · Incident & Response
AI Phishing Email Analyzer Free
Paste a suspicious email for a verdict, red flags and defanged links.
Open AI Phishing Email Analyzer →
What it does
Paste a suspicious email — headers included — and get per-indicator analysis: sender authenticity, lookalike domains, header inconsistencies, and social-engineering technique.
When to use it
- A user reported a message; you are triaging a phishing queue.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| email_raw | textarea | required | The FULL email including headers. Headers carry most of the signal — body alone is much weaker. |
What you get back
Verdict plus per-indicator findings with severity.
Worked example
Input
From: "PayPal Security" <security@paypa1-verify.top> Reply-To: collect@mailbox.ru Subject: Your account has been limited Return-Path: bounce@sendgrid-relay.net
Output (abridged)
VERDICT: PHISHING — high confidence
CRITICAL Lookalike domain: 'paypa1-verify.top' — digit 1 for letter l,
on a TLD PayPal does not use.
CRITICAL Reply-To mismatch: replies go to collect@mailbox.ru, an
unrelated free provider. Classic collection-address split.
HIGH Return-Path does not align with From — SPF cannot pass for
the displayed domain.
MEDIUM Urgency pretext ('account limited') to bypass deliberation.
→ Block the sender domain. Search the tenant for other recipients.
→ If anyone clicked: rotate credentials, review sign-in logs.
How it works
Deterministic header parsing (SPF/DKIM/DMARC alignment, Reply-To mismatch, domain similarity), then AI analysis of the pretext.
Limits
Read live from the platform configuration.
| Rate limit | 5 requests / 10 minutes |
Privacy
The email is sent to the AI provider for analysis and is not retained.
Standards
MITRE ATT&CK (T1566 Phishing)DMARC / SPF / DKIM