Phishing Forensics Lab
Inspect. Trace. Block.

Go beyond spotting red flags. Dissect raw email headers, trace the actual sending server, verify authentication records, and build a filter that would have blocked it. 5 levels. Real technique.

350 XP reward
🔬 Earns: Phishing Forensics Analyst badge
🔍 Level 1 of 5

Email Header Inspection

Real phishing emails leave fingerprints in their headers. Click each email to expand its raw headers, then drag each email to the correct bin below.

🤖
Cipher says: Email headers are the envelope behind the letter. The From: field you see in your inbox can be forged — but headers like Return-Path and the Received chain reveal the true origin. Click on a header field to learn what it means.

Drag each email to the right bin — or click the buttons if drag isn't your thing:

🚨 Suspicious / Phishing

✅ Legitimate


🛡️ Level 2 of 5

Authentication Check

SPF, DKIM, and DMARC are the email system's trust certificates. Read the mock DNS panel for each scenario and determine whether the email would pass or fail authentication.

🤖
Cipher says: SPF says "these IPs are allowed to send for this domain." DKIM adds a cryptographic signature — any tampering breaks it. DMARC tells mail servers what to do when SPF or DKIM fails: none (just report), quarantine (spam folder), or reject (block it).

🔗 Level 3 of 5

URL Dissection

Attackers hide malicious domains in URLs that look legitimate at a glance. Can you find the REAL domain before you click?

🤖
Cipher says: In a URL like login.paypal.com.evil.com/verify, the actual domain is evil.com — everything before the last dot before the path is subdomains. Attackers also use lookalike characters: paypaI.com (capital I, not lowercase L) and Cyrillic letters that look identical to Latin ones.

Click each colored part to learn what it means:

https://login.bankofamerica.com/signin?ref=email&token=abc123
Protocol
Subdomain
Real Domain ← find this
TLD
Path
Query Params
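As an added example (not part of the lab's own code), a small Python dissector that splits a URL into the parts the widget colours and flags the two tricks Cipher describes: a brand name hidden in a subdomain and lookalike letters. The brand watch-list and the "last two labels" rule for the real domain are simplifying assumptions; production code would use the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list of the brands used in this lab's examples (an
# assumption for the example, not part of the lab).
WATCHED_BRANDS = ("paypal", "google", "bankofamerica")
# Glyphs that read as another letter once the hostname is case-folded
# (capital I becomes i, so paypaI.com arrives here as paypai.com).
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def dissect(url: str) -> dict:
    """Split a URL into the lab's colour-coded parts and flag the tricks it
    describes: a brand name hidden in a subdomain, and lookalike letters."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""            # already case-folded by urlsplit
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. Production
    # code should consult the Public Suffix List (co.uk, com.au, ...).
    subdomain, domain = ".".join(labels[:-2]), ".".join(labels[-2:])
    flags = []
    for brand in WATCHED_BRANDS:
        if brand in subdomain and brand not in domain:
            flags.append(f"'{brand}' appears only in the subdomain; real domain is {domain}")
        for label in labels:
            if label != brand and label.translate(CONFUSABLE) == brand.translate(CONFUSABLE):
                flags.append(f"label '{label}' is a lookalike of '{brand}'")
    for ch in host:
        if ord(ch) > 127:                  # Cyrillic or other non-Latin script
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            flags.append(f"non-ASCII character '{ch}' ({script}) in hostname")
            break
    return {"protocol": parts.scheme, "subdomain": subdomain, "domain": domain,
            "tld": labels[-1], "path": parts.path, "query": parts.query,
            "flags": flags}


if __name__ == "__main__":
    for sample in ("https://login.bankofamerica.com/signin?ref=email&token=abc123",
                   "https://login.paypal.com.evil.com/verify",
                   "http://paypaI.com/login", "https://p\u0430ypal.com/"):
        result = dissect(sample)
        print(sample, "->", result["domain"], result["flags"] or "no flags")
```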

🚨 Level 4 of 5

Incident Response Simulation

A teacher at Lincoln Middle School just clicked a phishing link. You're on the response team. Work through the steps — skipping one shows you what happens next.

🚨 Active Incident — Lincoln Middle School

Mr. Okafor received an email claiming his Google account was suspended. He clicked the link and entered his credentials before realizing it was fake. The link was google-accounts-verify.tk/login — not Google. Your job: contain this before it spreads.

⚙️ Level 5 of 5

Build a Phishing Filter

Toggle the rules you want to activate. Then test your filter against 20 emails — real-world phishing and legitimate messages. Tune for fewer misses without too many false positives.

🤖
Cipher says: A perfect filter is impossible — every rule that catches more phishing also risks blocking legitimate email. You're optimizing a tradeoff. Aim for Effectiveness ≥ 70% with False Positives ≤ 3 to pass.

Available Rules

Scoreboard (all counters start at 0):
True Positives (phishing caught)
False Positives (legit blocked)
Misses (phishing slipped)
Effectiveness % (TP ÷ all phishing)
🔬

Phishing Forensics Analyst

You've completed all 5 levels. You can now read email headers, verify authentication records, dissect malicious URLs, run an incident response, and build a real phishing filter.

+350 XP Added to your hero profile