// sample report
Phishing Email Analysis — Sample Report
Example scenario
An employee forwards a suspicious "account verification" email to the security inbox for a verdict.
Executive summary
The message is assessed as likely phishing. The sender domain is a look-alike of the brand, the reply-to differs from the display name, and the call-to-action link uses a homograph domain behind a URL shortener. Recommended action: do not click, report, and block the sender domain.
Findings
| ID | Finding | Severity | Mapping |
|---|---|---|---|
| PH-01 | Look-alike sender domain | High | MITRE ATT&CK T1566.002 · NIST AT-2 |
| PH-02 | Reply-To mismatch | Medium | MITRE ATT&CK T1566 · NIST SI-8 |
| PH-03 | Homograph link behind a shortener | High | MITRE ATT&CK T1566.002 · CWE-1007 · NIST IA-2 |
Details
PH-01 · Look-alike sender domain
HighEvidence. Display name shows the brand while the envelope domain is a near-identical look-alike registered recently.
Risk. Recipients may trust the familiar display name and act on the request.
MITRE ATT&CK T1566.002 · NIST AT-2
PH-02 · Reply-To mismatch
MediumEvidence. Reply-To address points to a free webmail account unrelated to the claimed sender.
Risk. Replies and any shared data would reach the attacker rather than the brand.
MITRE ATT&CK T1566 · NIST SI-8
PH-03 · Homograph link behind a shortener
HighEvidence. The button resolves through a shortener to a homograph domain imitating the login page.
Risk. Credential theft if the recipient signs in on the fake page.
MITRE ATT&CK T1566.002 · CWE-1007 · NIST IA-2