How to send us a suspicious email for automated analysis

Updated 3w ago 21 views 9 min read
phishing suspicious email forward as attachment email security report email Outlook Gmail Apple Mail
In This Article

Got an email that looks fishy? Don't delete it, and don't engage with it — forward it to us and you'll get back an automated verdict, usually within a few minutes. Here's exactly how to do it from any email app, what the reply means, and what to do next.

Three-step flow: spot a suspicious email, forward it as an attachment to report@theitexperience.com, and receive an automated verdict reply within minutes.
Heads up — managed clients only. This automated analysis service is included with your managed IT plan and is reserved for The IT Experience's managed clients. Not a client yet? You're welcome to read along — or get in touch at [email protected] if you'd like to talk about what managed IT could look like for your business.
The 30-second version
Managed Clients Only

Forward as an attachment to [email protected]

A regular forward strips out the parts of an email we need to actually check it. The fix takes one extra click in most email apps. We'll show you where it is.

You'll get a reply with one of four verdicts: Phishing, Needs Review, Likely Safe, or a note that we couldn't analyze it.

Why "forward as an attachment" matters

Every email carries hidden technical information — the sending server's IP address, authentication results (SPF, DKIM, DMARC), the real return path, and more. This is the forensic fingerprint that tells us whether the email actually came from who it claims to be from.

When you hit Forward normally, your email app strips that fingerprint and replaces it with yours. We get a copy of the words, but not the evidence. When you forward as an attachment, the original email is wrapped intact inside your new message — fingerprint and all.

Side-by-side comparison: a regular forward shows the headers crossed out and marked unavailable, while a forward-as-attachment preserves the sender domain, origin IP, SPF, DKIM, DMARC, and Return-Path fields intact.
The shortcut: if you can, send from a desktop computer rather than your phone. The "forward as attachment" option exists on every desktop email app. On most mobile apps it doesn't — we'll cover the mobile workaround below.

How to forward as an attachment

Find your email app below. Each section shows the menu path and a numbered diagram you can follow.

Outlook on the web  ·  New Outlook for Windows

These two share the same interface. If you use Outlook in a browser at outlook.office.com, or the "new" Outlook desktop app on Windows, this is your path.

Diagram showing the Outlook on the web menu path: open the email, click the three-dot 'More actions' menu, select 'Other reply actions', then click 'Forward as attachment'.
  1. Open the suspicious email.
  2. Click the (More actions) button in the top-right of the message, then choose Other reply actions.
  3. Click Forward as attachment. A new compose window opens with the email attached as a .eml file.
  4. Send to [email protected]. You don't need to write anything in the body.

Classic Outlook for Windows

The traditional desktop app with the ribbon at the top. If your Outlook has tabs labeled Home, Send/Receive, Folder, etc. along the top, you're on classic Outlook.

Diagram showing the Classic Outlook for Windows ribbon path: select the email in your inbox list, go to the Home tab, click 'More' in the Respond group, then select 'Forward as Attachment'.
  1. In your inbox list, single-click the suspicious email to highlight it (don't open it).
  2. On the Home tab, find the Respond group and click More (or the small dropdown arrow next to Forward).
  3. Choose Forward as Attachment.
  4. Send to [email protected].
Keyboard shortcut: select the email and press Ctrl + Alt + F to skip straight to the forward-as-attachment compose window.

Outlook for Mac

The fastest path on Mac is the right-click menu.

Diagram showing the Outlook for Mac path: right-click the email in your message list and select 'Forward as Attachment' from the context menu.
  1. In your message list, right-click (or Control-click) the suspicious email.
  2. Choose Forward as Attachment.
  3. Send to [email protected].

Apple Mail  (macOS)

Apple Mail puts this option in the menu bar at the top of your screen.

Diagram showing the Apple Mail path: select the message, click the Message menu in the menu bar, then choose 'Forward as Attachment'.
  1. Single-click the suspicious email in your message list.
  2. At the top of the screen, click Message in the menu bar.
  3. Choose Forward as Attachment.
  4. Send to [email protected].

Gmail  (web)

If you have a Gmail account (or your work email runs on Google Workspace), the option lives in the message's three-dot menu.

Diagram showing the Gmail web path: open the email, click the three-dot 'More' menu in the message header, then choose 'Forward as attachment'.
  1. Open the email at mail.google.com.
  2. Click the (More) menu in the top-right of the message header — not the one in the toolbar above the email list.
  3. Choose Forward as attachment.
  4. Send to [email protected].

On a phone or tablet

Most mobile email apps — Outlook Mobile, Gmail Mobile, Apple Mail on iPhone — don't have a "forward as attachment" option built in. You've got two good choices:

Preferred

Wait until you're back at a desktop

Phishing emails don't get more or less dangerous in the next few hours. Leave the email alone (don't click anything) and forward it as an attachment when you're back at your computer.

Quicker, lower confidence

Forward the normal way from your phone

Just hit forward and send to [email protected]. We can still analyze a lot of it — we just lose the technical fingerprint, so anything ambiguous gets routed to a person to look at directly.

Browser workaround for power users: if you have to do it from mobile, open your email in a desktop-style browser tab (Outlook on the web at outlook.office.com or Gmail at mail.google.com). The "forward as attachment" option works there even on a phone, though the buttons are small.

What happens after you send it

Your forwarded email lands in our analysis mailbox and gets picked up automatically. Behind the scenes, a series of checks runs against the sender's domain, authentication signals, links, attachments, and message content. The whole thing typically takes a few minutes.

You'll get an automated reply at the email address you forwarded from. The reply will have one of four outcomes — here's what each one looks like and what to do.

Understanding your reply

Phishing detected

The strongest verdict. The analysis found clear signals that the email is malicious — failed authentication, a known-bad link, a sender domain registered days ago, or a combination of red flags that don't have an innocent explanation.

Sample reply email with a red 'Phishing detected' banner, a 'What we noticed' list of specific findings, and a red action box telling the user not to click links or attachments and to contact us immediately if they already interacted with the email.
What to do: don't click any links, don't open attachments, don't reply to the sender. Delete the email. If you already clicked something, entered a password, or opened an attachment, contact us right away at [email protected] or (603) 505-4290 — quick action significantly limits the impact.

Under review by our team

This is the most common verdict. The automated checks turned up something worth a closer look — not enough to call it phishing outright, but not clean either. A real person on our team is taking a look and will follow up directly.

Sample reply email with an amber 'Under review by our team' banner, a short list of what the automated check noticed, and an amber note telling the user to treat the email as suspicious until we confirm what it is.
What to do: treat the email as suspicious until we get back to you. Don't click any links, don't open attachments, and don't reply to the sender. You'll get a follow-up from us with the final verdict.

Likely safe

The analysis didn't turn up anything that strongly indicates phishing or malicious intent. The sender's authentication checked out, and the links and attachments came back clean. We send this verdict sparingly — when there's any ambiguity at all, we route to Needs Review instead.

Sample reply email with a green 'Likely safe' banner and a green note reminding the user that no automated check is perfect, and to reach out if something still feels off.
What to do: you're probably fine, but trust your gut. No automated check is perfect. If something about the email still feels off — an unusual request from a familiar sender, an unexpected attachment, a tone that doesn't sound right — reply to the analysis email and a technician will take a closer look.

"We couldn't analyze this submission"

If the email address you forwarded from isn't recognized as belonging to one of our managed-client organizations, you'll see this response instead of a verdict. The service is included as part of managed IT and isn't something we run for the general public.

Sample reply email with a blue 'Managed clients only' banner explaining that the sender's email address isn't recognized as belonging to a current client organization, and an invitation to contact us about becoming a client.
If this happens unexpectedly: you may have forwarded from a personal email address (Gmail, Yahoo, iCloud) instead of your work address. Try again from your work email. If you still get this reply and you're sure you're at a managed client, email us at [email protected] and we'll check the allow-list.

A few important reminders

Already clicked, opened, or replied? Stop forwarding and call us right away at (603) 505-4290 or email [email protected]. The faster we know, the more we can do — password resets, session revocation, mailbox-rule cleanup, and watching for follow-up activity all get easier with a head start.

Don't engage with the suspicious email while you're waiting

While the analysis runs, leave the original email alone. Don't click any links to "see where they go", don't open attachments to "check what they are", and don't reply — even with a quick "is this you?" because that just confirms your address is live for the attacker.

The most common red flags to trust

You don't need to wait for our analysis to recognize most phishing. A few habits catch the vast majority on their own:

  • Unexpected urgency. "Your account will be locked in 24 hours." "Wire this payment by end of day." Urgency is the single most reliable phishing signal.
  • The actual sender address doesn't match the display name. Click or tap the sender to reveal the underlying email address. "Microsoft Support" coming from [email protected] is a giveaway.
  • Requests for passwords, MFA codes, or financial details over email. No legitimate bank, vendor, government agency, or IT provider will ever ask for these by email. Treat any request like this as phishing by default.
  • Links you didn't expect. Hover (don't click) over links to preview where they actually go. If a "PayPal" email links to pp-billing-service.com, that's not PayPal.
  • Out-of-band verification works for everything else. If you genuinely need to verify a request — an invoice change, a payment, a banking detail — call the sender at a number you already have on file. Not a number from the email. Not a reply to the email.

What we do with submissions

Raw submitted emails purge from our queue automatically after 48 hours. We retain the analysis summary (the verdict, what we found, the sender domain) for longer so we can spot campaigns hitting multiple clients at once — but the original email itself is short-lived. We don't share submissions with anyone outside our team.

Quick reference

Forward suspicious emails as an attachment to:

Need help with something this article didn't cover, or already clicked on something you shouldn't have? Reach us anytime during business hours at [email protected] or (603) 505-4290.

Was this article helpful?