
Free Phishing Email Analyzer

Paste a suspicious email or upload its .eml file. SARA parses authentication headers, enriches URLs against the same 8-source TI stack we use for tenants, scores attachments, and returns a verdict with recommended next actions.

Privacy

Email content is processed in-memory only — we never persist your email body. Headers, URLs, and sender IPs are queried against public threat-intel sources; body text is not sent to upstream APIs. There are no submission permalinks; every analysis is one-shot.

Paste raw email (preferred — includes headers)
…or upload a .eml file (≤ 25 MB)

In-memory only. No body text leaves this server.

Reference: What does a phishing analyzer do?

It parses the email's headers (SPF, DKIM, DMARC, Received chain), extracts every URL and attachment, scores them against 8 threat-intel sources, and surfaces the deceptive patterns attackers use — look-alike domains, encoded display names, mismatched Reply-To, base64-encoded URLs in the body. The output is a verdict you can hand a Tier-1 analyst, not raw header dumps.
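The header and body checks described above, as an added example that is not SARA's code. It runs Python's standard `email` package over a constructed message and reports non-passing SPF/DKIM/DMARC results, a Reply-To domain mismatch, an encoded display name that shows a different address, and a base64-encoded URL in the body. The `red_flags` function, its flag labels, and every `.example` domain are assumptions made for the illustration.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample, not a real message; every domain uses the reserved .example TLD.
HIDDEN = base64.b64encode(b"http://login.vendor-pay.example/reset").decode()
SAMPLE = (
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor-pay.example;\r\n"
    " dkim=none; dmarc=fail header.from=vendor-pay.example\r\n"
    "From: =?UTF-8?Q?accounts=40vendor.example?= <billing@vendor-pay.example>\r\n"
    "Reply-To: cfo@freemail.example\r\n"
    "Subject: Invoice overdue\r\n"
    "\r\n"
    f"Please confirm payment: {HIDDEN}\r\n"
)

def red_flags(raw):
    """Return a list of red-flag strings for one raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # 1. SPF/DKIM/DMARC results recorded by the receiving server.
    results = str(msg.get("Authentication-Results", ""))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    flags += [f"{k}={v}" for k, v in sorted(auth.items()) if v != "pass"]
    # 2. Reply-To that points at a different domain than From.
    if msg["From"] is None or not msg["From"].addresses:
        return flags + ["missing-from"]
    sender = msg["From"].addresses[0]
    rt = msg["Reply-To"]
    reply = rt.addresses[0] if rt and rt.addresses else sender
    if reply.domain.lower() != sender.domain.lower():
        flags.append(f"reply-to-mismatch:{reply.domain}")
    # 3. Display name (RFC 2047 encoded-words are decoded by policy.default)
    #    that shows an address other than the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", sender.display_name)
    if shown and shown.group().lower() != sender.addr_spec.lower():
        flags.append(f"display-name-spoof:{shown.group()}")
    # 4. Base64 tokens in the plain-text body that decode to a URL.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # not valid base64, or not ASCII text
            continue
        if decoded.startswith(("http://", "https://")):
            flags.append(f"base64-url:{decoded}")
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```
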

Guide: How to use this tool

  1. Either paste the raw email (headers + body) into the textarea, or upload the .eml file directly. The raw-email paste preserves headers — copy-paste from inside Gmail / Outlook usually loses them.
  2. SARA parses headers in-memory, enriches every URL via the same 8-source stack as the IOC checker, and scores attachments via oletools when present.
  3. Read the verdict and the red flags. Export the result as Markdown for your case file, or pivot the highest-risk URL into the IOC checker for deeper hunting.

When to use: When is the phishing analyzer the right move?

Reported phish from a user

A user forwarded a suspicious email. Skip the manual header-parsing pass — paste it here and get a verdict you can defend to the user.

BEC investigation

Business-email-compromise hinges on look-alike domains and reply-to swaps; SARA flags both deterministically.

Awareness program

Run real (defanged) phish past the tool with your team — turns SOC analysis into a teachable demo.

Bulk triage via API

Wire /api/v1/phishing-analyze into your mail-gateway quarantine for first-pass verdicts before human review.

API

Want this in your SOAR or SIEM?

SARA Open ships an OpenAI-compatible API. Call POST /api/v1/phishing-analyze — SPF/DKIM/DMARC parsing, URL enrichment, and attachment risk scoring on any email or .eml.

curl -X POST https://sara-open.sirp.io/api/v1/phishing-analyze \
  -H "Authorization: Bearer $SARA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"raw_text": "Received: from …"}'