Phishing Email Analysis

What is Phishing?

Phishing is a social-engineering attack where an attacker pretends to be someone you trust (bank, IT, a colleague) to trick you into risky actions—like sharing passwords, clicking malicious links, or sending money. Common red flags: urgent language, mismatched or look-alike domains, non-HTTPS links, and requests for credentials.

Read the full phishing tutorial

Context

Your organization reports an uptick in credential-stealing emails. You receive one that claims your account will be locked in 24 hours unless you verify details.

Task

Scan the mock email below and list at least three red flags.
Open the header details and analyze the fields using the Email Header Analysis guide.
Capture all flags to complete the challenge.

Simulation (Static Demo)

This is a safe, non-interactive mockup. No links are live.

From: "Account Security" <alerts@secure-notice.example.com> Reply-To: support@secure-notice.example.co Subject: Urgent: Verify your account now Dear User, We detected unauthorized login attempts. Your account will be LOCKED within 24 hours unless you verify your details. Please confirm your password to continue using our services: http://example-secure-login.co/verify Regards, Security Team

Show simplified headers

Return-Path: <alerts@secure-notice.example.com>
Received: from mail.secure-notice.example.com (203.0.113.55)
DKIM-Signature: none
SPF: softfail (sending IP not permitted)
Reply-To: support@secure-notice.example.co
Link in email: http://example-secure-login.co/verify

Email Header Analysis (Quick Guide)

Use these checks to validate sender authenticity and detect spoofing.

From vs. Reply-To

Observed: From: ...example.com vs Reply-To: support@secure-notice.example.co
Why it matters: Attackers often swap the reply address to a look-alike domain.
Verdict: Mismatch → Red flag

Return-Path

Observed: Return-Path: alerts@secure-notice.example.com
Why it matters: Should match the sending domain; odd paths can indicate spoofing or forwarding tricks.
Verdict: Suspicious with other signals.

SPF

Observed: SPF: softfail
Why it matters: Sender’s IP isn’t permitted to send for that domain.
Verdict: Softfail → Red flag

DKIM

Observed: DKIM-Signature: none
Why it matters: Unsigned mail is easier to tamper with; legit brands usually sign.
Verdict: Missing → Red flag

Received Chain

Observed: Received: from mail.secure-notice.example.com (203.0.113.55)
Why it matters: Helps confirm the sending server; unexpected hosts or geos are suspicious.
Verdict: Review with SPF/DKIM

Link Preview

Observed: http://example-secure-login.co/verify
Why it matters: Look-alike domain; not HTTPS.
Verdict: Bad destination → Red flag

Capture the Flags

Copy each answer directly from the email or headers (or wrap it like CXA{...}). Case-insensitive.

0/3 flags captured

Flag 1 — Which address will replies go to?

Question: Looking at the headers, what is the exact Reply-To email address?

Hint: Expand “Show simplified headers” and find the line starting with Reply-To:. It ends in .co.

Flag 2 — Where does the email want you to click?

Question: Copy the full URL shown in the email body (include the scheme and the path).

Hint: It starts with http:// (not HTTPS) and contains “secure-login”. Copy it exactly.

Flag 3 — What action is threatened?

Question: In the email body, what uppercase word describes what will happen to your account?

From vs. Reply-To

Return-Path

SPF

DKIM

Received Chain

Link Preview

Flag 1 — Which address will replies go to?

Flag 2 — Where does the email want you to click?

Flag 3 — What action is threatened?

Nice work — Challenge Complete! 🎉