Catch a Phish: Investigate a Suspicious Email
Maps to: Cybersecurity Analyst · SOC Analyst, Incident Responder, Threat Intelligence Analyst, Security Engineer
Ever gotten an email that felt *off*? Catching that feeling and proving it is the actual day job for a huge slice of cybersecurity. You'll triage a batch of suspicious emails the way a brand-new security analyst does on day one: pull apart the hidden headers, check the links and senders against threat databases (without ever clicking them), and make the call: is this a real attack, something sketchy worth escalating, or a harmless false alarm? You'll walk away with a reusable "is this phishing?" checklist and a written investigation, the exact kind of thing that gets a beginner noticed. One honest heads-up: this is *defensive* security, catching attacks, not the movie-hacker stuff (breaking in). That's not the boring version. It's where most real cyber jobs actually are.
The plan
Don't set anything up yet. Get a small batch of suspicious emails in front of you and just... read them, the way the scammer hopes you won't. For each one, write a one-line gut verdict (looks malicious, looks sketchy, or looks harmless) and what tipped you off. You'll be wrong on some. That's the point: this first-pass note is the thing you'll test and defend later.
Objective: Have 5+ real suspicious emails in front of you and a first-pass verdict + reason written for each, before touching a single tool.
1. Pick where your emails come from. Safest and most reliable: a free practice set (guaranteed to contain ambiguous ones to wrestle with later). Or use your own spam/junk folder, but treat every email as live: read it as raw source or plain text with images and remote content disabled, never click links, never open attachments, never type a password, and never reply.
2. Open the first email. Read it as a target would. Notice the feeling it's trying to create (urgency, fear, a too-good reward) and who it claims to be from.
3. Write your first-pass note: one line per email, your gut verdict (malicious / suspicious / harmless) and the one thing that tipped you off. Keep this; it's your draft investigation.
Your call
Choose what you'll investigate (a practice set / your own spam / a 'spot-the-lookalike' set), and write a gut verdict + reason for each email, yourself, first.
One line per email: your gut verdict, and what tipped you off.
What good looks like: A written first-pass note: a gut verdict + a reason for every email in your batch.
- If everything looks 'kind of suspicious,' good; that's the real starting state. The job is turning that fog into evidence.
- Don't research yet. The whole exercise only works if your gut call comes before the tools.
The bar to look back against
You've triaged at least 5 suspicious emails (each with the evidence you found and a verdict), made a real escalate-or-close call on the genuinely ambiguous one and written down WHY (not just what), turned it into a reusable phishing checklist, and published a short investigation report. "Done" isn't "I labeled some emails." It's "I can defend every call I made, especially the close ones."
Step 1 · First look: make the call before you have the tools
Step 2 · Gather the evidence: headers, senders, links, files
Step 3 · The hard call, and your reusable checklist
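Step 2 is about pulling evidence out of an email without ever clicking anything. The script below is an added example, not part of the original page or of any tool it names: it parses a constructed sample .eml (not a real phish) with Python's standard library, reads the Authentication-Results header for the SPF/DKIM/DMARC outcomes, compares the From, Reply-To and Return-Path domains, lists every link with its visible text next to its real destination, and SHA-256 hashes each attachment so you can look the hash up on a reputation service instead of opening the file. The sample message, the risky-extension list and the verdict thresholds are assumptions for illustration. One caveat worth carrying into your checklist: real mail often carries several Authentication-Results headers, and only the one stamped by your own receiving server is trustworthy, since an attacker can add their own.

```python
"""Static phishing triage of a raw .eml: headers, sender alignment, links, attachments.
Added example, not from the original page. Nothing here fetches a URL or runs an
attachment; it only reads bytes already in memory. Thresholds are illustrative."""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real phish. The base64 blob is a few made-up bytes to hash.
SAMPLE_EML = b"""Return-Path: <bounce@mail-notices.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-notices.example; dkim=none; dmarc=fail (p=reject) header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: support@bank-example-verify.example
To: you@example.org
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=utf-8

<html><body><p>Your account is locked.
<a href="http://login.bank-example-verify.example/x">https://www.bank.example/login</a></p></body></html>
--B1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

# Extensions that should never arrive as a "statement" or "invoice" (illustrative list).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".htm", ".html")


def _domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if header absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Pull spf=/dkim=/dmarc= outcomes out of every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[mech.lower()] = outcome.lower()
    return results


class _LinkParser(HTMLParser):
    """Collects (visible text, href) for every <a> without following anything."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(msg):
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            links.extend(parser.links)
    return links


def attachment_hashes(msg):
    """(filename, sha256) per attachment; the hash is what you submit to a reputation service."""
    return [(part.get_filename() or "(unnamed)",
             hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest())
            for part in msg.iter_attachments()]


def verdict(findings):
    """Coarse first-pass label only; the analyst still owns and defends the final call."""
    if len(findings) >= 3:
        return "malicious"
    return "suspicious" if findings else "no static indicators"


def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    domains = {"from": _domain(msg["From"]), "reply_to": _domain(msg["Reply-To"]),
               "return_path": _domain(msg["Return-Path"])}
    links, attachments, findings = extract_links(msg), attachment_hashes(msg), []
    for mech in ("dkim", "dmarc"):           # SPF alone says little; DKIM/DMARC bind the From domain
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'absent')} for From domain {domains['from']}")
    for field in ("reply_to", "return_path"):  # replies or bounces routed to a different domain
        if domains[field] and domains[field] != domains["from"]:
            findings.append(f"{field} domain {domains[field]} differs from From domain {domains['from']}")
    for text, href in links:                 # link text that looks like a URL but points elsewhere
        shown = urlparse(text).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
    for name, digest in attachments:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"attachment {name} has a risky extension (sha256 {digest})")
    return {"auth": auth, "domains": domains, "links": links,
            "attachments": attachments, "findings": findings, "verdict": verdict(findings)}


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

Each line of `findings` is one piece of evidence you can paste into your investigation write-up; the verdict is only a starting point, and the ambiguous emails in Step 3 are exactly the ones where a score like this lands on "suspicious" and you have to decide.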
How this shows up on a resume or college app
I investigated [N] suspicious emails the way an entry-level security analyst does, analyzing hidden headers, sender authentication (SPF/DKIM/DMARC), and link/file reputation to separate real phishing attacks from false alarms, then built a reusable triage checklist and published an investigation report. I learned that most of cybersecurity is patient, careful evidence-gathering, and that the hard part is making a call you can defend when the evidence is incomplete.