The report below reflects actual Ephemeral Sentinel output format. Sender details and content are from a real phishing email submitted for analysis.

Ephemeral Sentinel — MALICIOUS
Risk score: 55/100  |  Confidence: 80%  |  Metadata reliability: high  |  Analysed: 2026-03-04 18:17:35 UTC
From: Victor Rutherford <victor.rutherford@0121fd.buzz>
Subject: Right now, a $389.70 order is being fulfilled.

Ephemeral Sentinel has classified this message as malicious with a risk score of 55/100. Authentication results: SPF not present, DKIM passed. The sender's domain has no SPF record — there is no published list of servers authorised to send mail for this domain.

Key Risk Signals

  • The sender's domain has no SPF record — there is no published list of servers authorised to send mail for this domain.
  • DKIM signature verified for relay domain 'google.com', not the sender domain (0121fd.buzz) — provides no authentication of the actual sender.
  • No DMARC policy was found for the sender's domain — the domain owner has not configured any protection against sender spoofing.
  • The sender's domain uses a top-level domain with disproportionately high abuse rates — strongly associated with disposable phishing infrastructure.
  • The sender's domain name uses a machine-generated, hex-hash identifier — a pattern characteristic of throwaway domains registered specifically for single-use phishing campaigns.
  • The message contains language strings associated with fake billing, fabricated orders, or subscription fraud — common in callback phishing and vishing attacks. Any charges or orders described should be independently verified before taking action.

Risk Interpretation

This message describes fabricated billing charges and directs the recipient to call a phone number. This is a callback phishing attack: the charges do not exist, and calling the number connects the recipient to a fraudster who will attempt to extract financial details or remote system access. Do not call any number in this message.

Recommended Action

Do not call any phone number, click any link, or reply to this message. The charges described are fabricated. This is a callback phishing attack — anyone who calls will be connected to a fraudster attempting to obtain payment details, banking credentials, or remote access to your computer. Delete this message and report it to your security team.

This analysis was performed in-process using deterministic rules. No email content was retained, transmitted to external services, or used for any purpose beyond generating this report.

SPF · DKIM · DMARC

  • SPF: NONE (0121fd.buzz)
  • DKIM: PASS (google.com)
  • DMARC: UNKNOWN (0121fd.buzz)

6 red · 0 green

Red signals

  • LOW: Sender domain has no SPF record — sending host cannot be verified against domain policy.
  • LOW: DKIM signature verified for relay domain 'google.com', not the sender domain (0121fd.buzz) — provides no authentication of the actual sender.
  • LOW: DMARC result is unknown — sender domain likely has no DMARC policy, leaving it unprotected against spoofing.
  • MEDIUM: Sender domain uses '.buzz' — a TLD disproportionately associated with phishing and disposable domains.
  • MEDIUM: Sender domain SLD appears to be a machine-generated hex hash — strongly associated with throwaway phishing infrastructure.
  • MEDIUM: Phishing language strings detected — fake billing, order, or subscription content.

Green signals

  • None

Correlated amplification:
  • +5 from correlated signals: DMARC unknown + suspicious sender TLD — consistent with throwaway phishing domain
  • +5 from correlated signals: DMARC unknown + phishing strings — weak auth combined with billing/order phish language

1 signal(s)

TXT_STRINGS_PHISH (medium) — Phishing language strings detected — fake billing, order, or subscription content. Matched keyword: 'NORTON LIFELOCK – BILLING'

What each section means.

Every Sentinel report contains the same structured sections.

Verdict Header

Risk score (0–100), confidence percentage, metadata reliability rating, and timestamp. Verdict: Benign, Suspicious, or Malicious. The header is color-coded — red border for Malicious.

Executive Summary

The primary human-readable section. Contains Key Risk Signals in plain language, a Risk Interpretation explaining the attack, and a Recommended Action in red. Written for non-technical recipients.

Authentication

SPF, DKIM, and DMARC results with the domain each was evaluated against. Note: DKIM PASS for a relay domain (e.g. google.com) does not authenticate the actual sender's domain — Sentinel calls this out explicitly.

Risk Signals

Each detected signal listed as LOW, MEDIUM, or HIGH with a plain-language description. Red signals indicate threat indicators. Green signals indicate trust indicators. Correlated amplification shows bonus scoring when multiple signals reinforce each other.

Language Analysis

Phishing language patterns detected in the message body, with the specific matched keyword shown. Common patterns include billing fraud, subscription urgency, and fabricated order language.

URL Table

All URLs visible in the message, each scored and flagged individually. A score of 0 with no flags indicates the URL was not independently suspicious. Higher scores or flags indicate redirect chains, malicious structure, or known bad infrastructure.

Ephemeral Sentinel is available for pilot deployments with MSPs and organizations that want to improve phishing reporting workflows.