Phishing forensics for humans. Three tools, one workflow: drop a .eml into the Email Inspector to grade sender reputation and authentication, send a sketchy link to the Link Scout to follow its redirect chain, decode its query parameters, and flag known-bad signatures, or paste suspicious copy into the Heuristic Scan to surface manipulation tactics.
Everything runs in your browser or on a hardened, no-logs serverless endpoint.
Files never leave your browser. Max 5 MB. Only the parsed sender domain is sent to /api/sender.
How do I get a .eml file?
A .eml file is the raw email (headers + body + attachments) saved as a single file. Most mail clients can export one in a couple of clicks. Never forward a suspicious email — exporting preserves the original headers we need to grade it.
- Gmail (web)
  - Open the message → click the ⋮ (three dots, top-right of the message) → Download message. The browser saves a .eml file.
- Outlook (desktop)
  - Drag the message out of the inbox onto your desktop, or open it → File → Save As → choose Outlook Message Format – Unicode (*.msg), then rename the extension to .eml. Better: install the free "Save as EML" add-in, or use Outlook Web.
- Outlook (web) / Microsoft 365
  - Open the message → ⋯ menu → Download → Download as EML.
- Apple Mail (macOS)
  - Select the message → File → Save As… → set Format to Raw Message Source → save with a .eml extension.
- Thunderbird
  - Right-click the message → Save As → File… → it saves as .eml automatically.
- iPhone / Android
  - Mobile mail apps generally can't export .eml. Open the message on a desktop client, or paste the raw headers into the Headers tab above.
🛡️ Privacy: the file is parsed entirely in your browser. Only the sender's domain (e.g. example.com) is sent to our server for the DNS / age lookup.
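As an added example (not PhishPond's own code), here is the browser-side step the privacy note describes: parse the .eml headers locally, pull out only the sender's domain, and read the SPF/DKIM/DMARC verdicts that the Email Inspector grades. Header layout follows RFC 5322 folding and RFC 8601 Authentication-Results; the sample message and all names are constructed for this example.

```javascript
// Split a raw .eml into its header block, unfolding continuation lines (RFC 5322
// folding) and keeping repeated headers such as Received in order.
function parseHeaders(eml) {
  const head = eml.replace(/\r\n/g, "\n").split("\n\n", 1)[0];
  const lines = [];
  for (const line of head.split("\n")) {
    if (/^[ \t]/.test(line) && lines.length) lines[lines.length - 1] += " " + line.trim();
    else lines.push(line);
  }
  const headers = {};
  for (const line of lines) {
    const m = line.match(/^([!-9;-~]+):\s*(.*)$/);
    if (!m) continue;
    const name = m[1].toLowerCase();
    (headers[name] = headers[name] || []).push(m[2]);
  }
  return headers;
}
// Take the address out of 'Display Name <user@domain>' (or a bare address) and
// return only its domain: the one value that has to leave the browser. The
// display name is never trusted; "IT Support <x@attacker.example>" is routine.
function senderDomain(headers) {
  const from = (headers.from || [])[0] || "";
  const m = from.match(/<([^>]+)>/) || from.match(/([^\s"<>]+@[^\s"<>]+)/);
  if (!m) return null;
  const addr = m[1].trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  return at === -1 ? null : addr.slice(at + 1);
}
// Read spf/dkim/dmarc verdicts from the top-most Authentication-Results header,
// i.e. the one your own receiving server prepended. Production code should also
// confirm its authserv-id, since a sender can inject a forged copy lower down.
function authResults(headers) {
  const ar = (headers["authentication-results"] || [])[0] || "";
  const out = { spf: "absent", dkim: "absent", dmarc: "absent" };
  for (const m of ar.matchAll(/\b(spf|dkim|dmarc)=([a-z]+)/gi)) out[m[1].toLowerCase()] = m[2].toLowerCase();
  return out;
}
// Constructed sample message (not a real capture): a spoofed alert failing SPF and DMARC.
const SAMPLE_EML = [
  "Authentication-Results: mx.example.net;",
  " spf=fail smtp.mailfrom=bounce.attacker-mail.example;",
  " dkim=none; dmarc=fail header.from=bank.example",
  'From: "Bank Security" <alerts@bank.example>',
  "To: victim@example.org",
  "Subject: Action required: your account has been suspended",
  "",
  "Click here to restore access.",
].join("\r\n");
```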
How phishing works
Phishing isn’t magic — it’s a layered con made of two ingredients: social engineering (manipulating you) and technical exploits (manipulating your tools). PhishPond gives you one inspector for each.
1. The hook (social engineering)
Attackers reach for proven psychological levers — urgency, authority, fear, greed, social proof — to get you to click before you think. Read enough of these messages and you’ll see the same vocabulary recur: “action required”, “your account has been suspended”, “the CEO needs this immediately.” The Heuristic Scanner extracts that vocabulary and grades the message against it.
2. The payload (technical exploits)
Click the hook and you usually land on a redirector that obscures the real destination — sometimes through five or six hops, sometimes with the payload base64-encoded in the query string. The Link Scout walks the chain for you, decodes anything Base64 / hex / URL-encoded inside the URL, and shouts when it sees strings like powershell, .hta, or javascript:.
Three habits that beat 90% of phishing
- Slow down. Urgency is the signal, not the substance.
- Verify out-of-band: a known phone number, a fresh browser tab to the real domain.
- Hover, don’t click. The visible text and the actual link are not the same field.
Latest field notes
Recent essays on phishing, social engineering, and link forensics.
- link analysis: "The Ghost in the URL: Deconstructing AI-Augmented Obfuscation Networks". An authoritative deep dive into how AI-driven obfuscation bypasses traditional secure email gateways and how to use PhishPond tools to reveal hidden threats.
- social engineering: "The Imposter in the Lobby: Defeating Real-Time AI Video Clones". A deep dive into the rise of Deepfake-as-a-Service (DaaS) and how to identify and defeat real-time AI video clones during corporate calls.
- identity security: "The Proxy Pandemic: Why Modern Phishing Ignores Your MFA". A comprehensive guide to Adversary-in-the-Middle (AiTM) attacks. Learn how proxies bypass MFA and how to secure your identity with phishpond.io.
- social engineering: "AI Vishing: When the Voice on the Phone Isn't Family". AI voice cloning has turned vishing into a terrifyingly personal threat. Learn how to identify voice scams and protect your family in 2026.
- social engineering: "Quishing 101: Why You Should Never Blindly Scan a QR Code". QR code phishing, or quishing, is the latest physical-to-digital threat. Learn how to spot malicious codes at restaurants and parking meters.
- social engineering: "Verify Before You Click: Stop Delivery Smishing". That text about a held package is likely a trap. Learn how the 2026 incomplete address scam works and how to verify delivery links safely using phishpond.io.
Social Engineering vs. Technical Exploits
Cybersecurity coverage tends to collapse two very different attack surfaces into a single word — “phishing” — and that flattening makes the threat harder to defend against, not easier. A clearer mental model splits the field in two: social engineering, which targets human cognition, and technical exploitation, which targets software. Almost every modern phishing attack chains them together, but they fail in different ways and they require different defences. PhishPond exists to make that split legible.
Social engineering is the older craft. Long before email, con artists were weaponising the same biases catalogued in modern behavioural-economics literature: authority bias, scarcity, loss aversion, reciprocity, and the illusion of urgency. Phishing operators rarely invent these tactics — they industrialise them. The vocabulary is small and surprisingly stable: “immediate action required”, “your account will be suspended”, “the CEO needs you to wire this today.” A message scoring high on PhishPond’s Heuristic Scanner is a message that has reached for too many of these levers at once. That doesn’t prove malice — legitimate communication is sometimes urgent — but it does justify the extra thirty seconds it takes to verify the sender through a second channel.
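An added sketch (not PhishPond's actual scanner or word list) of how grading a message against that vocabulary can work, for this paragraph and the "hook" section above: phrases are grouped by lever, and the score is the number of distinct levers a message pulls, which is the "too many at once" rule stated here. The lexicon, threshold and sample messages are constructed for the example.

```javascript
// Constructed lexicon of the levers named in the text; illustrative phrases only.
const LEVERS = {
  urgency: ["immediate action required", "action required", "within 24 hours", "immediately", "right now"],
  authority: ["the ceo", "it department", "compliance", "legal notice", "security team"],
  fear: ["account will be suspended", "has been suspended", "unauthorised access", "unusual activity"],
  greed: ["you have won", "refund", "bonus", "gift card", "prize"],
  social_proof: ["everyone else has", "your colleagues have already", "most users have"],
};

// Normalise curly quotes, whitespace and case so phrase matching is not
// trivially evaded by typography.
function normalise(text) {
  return text.toLowerCase()
    .replace(/[\u2018\u2019]/g, "'").replace(/[\u201c\u201d]/g, '"')
    .replace(/\s+/g, " ").trim();
}

// Score = number of distinct levers pulled, with the triggering phrases kept as
// evidence so an analyst can name the tactic. Counting levers rather than raw
// phrase hits keeps one repeated word from inflating the result.
function heuristicScan(text, threshold = 3) {
  const t = normalise(text);
  const hits = {};
  for (const [lever, phrases] of Object.entries(LEVERS)) {
    const found = phrases.filter((p) => t.includes(p));
    if (found.length) hits[lever] = found;
  }
  const levers = Object.keys(hits);
  return { levers, hits, score: levers.length, flagged: levers.length >= threshold };
}

// Constructed sample copy: one message stacking three levers, one benign note.
const SAMPLE_PHISH = "Action Required: Your account has been suspended after unusual activity. " +
  "The CEO needs this resolved immediately.";
const SAMPLE_BENIGN = "Hi team, the Q3 report is attached. Let me know if you spot anything.";
```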
Technical exploitation is what happens after you click. The first step is almost always misdirection: a shortened URL, an HTML-redirect page, or a chain of tracker domains designed to obscure the destination from both the user and the mail-gateway scanner. The Link Scout follows that chain hop by hop, re-validating every hop against a strict denylist of internal addresses so that it cannot be turned into an SSRF (server-side request forgery) proxy, a class of bug that phishing analysers themselves have shipped with embarrassing frequency. When the chain ends, the Scout dumps headers, decodes any Base64, hex, or URL-encoded payload buried in the query string, and runs the result against a small library of malware signatures (powershell, .hta, .scr, javascript:, the -EncodedCommand flag, and the usual living-off-the-land binaries).
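An added illustration (not the Link Scout's source) of the two checks described here and in the "payload" section above: the internal-address denylist applied to each hop's hostname before it is fetched, and the Base64/hex decoding plus signature match run over the final URL's query string. The function names, the signature list and the sample tracker URL are invented for this example.

```javascript
// SSRF guard: refuse loopback, private, link-local (incl. cloud metadata
// 169.254.169.254) and IPv6 local ranges. Run hostnames through new URL()
// first; it normalises tricks such as "127.1" or "2130706433" to dotted form.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.includes(":")) return h === "::1" || h === "::" || /^f[cd][0-9a-f]{2}:/.test(h) || h.startsWith("fe80:");
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false; // a DNS name: resolve it and re-check the resulting IP before connecting
  const [a, b] = m.slice(1, 3).map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
const PRINTABLE = /^[\x20-\x7e\t\r\n]*$/;
// Peel one encoding layer (base64/base64url, then hex); only printable results count, so opaque ids stay as-is.
function decodeLayer(s) {
  // URLSearchParams already turned '+' into ' '; undo that, then accept base64url.
  const b = s.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  const padded = b + "=".repeat((4 - (b.length % 4)) % 4);
  if (b.length >= 8 && /^[A-Za-z0-9+/]+={0,2}$/.test(padded)) {
    try { const d = atob(padded); if (PRINTABLE.test(d)) return d; } catch (e) { /* not base64 */ }
  }
  if (/^(?:[0-9a-f]{2}){4,}$/i.test(s)) {
    const d = s.match(/../g).map((x) => String.fromCharCode(parseInt(x, 16))).join("");
    if (PRINTABLE.test(d)) return d;
  }
  return null;
}
// The strings the page lists as shout-worthy once a value has been decoded.
const SIGNATURES = [
  { name: "powershell", re: /powershell/i }, { name: "encodedcommand", re: /-EncodedCommand/i },
  { name: "hta", re: /\.hta\b/i }, { name: "scr", re: /\.scr\b/i },
  { name: "javascript-uri", re: /^\s*javascript:/i }, { name: "lolbin", re: /\b(mshta|certutil|rundll32)\b/i },
];
// Decode each query parameter through up to five layers, then match signatures.
function scanUrl(url) {
  const u = new URL(url);
  const findings = [];
  for (const [key, raw] of u.searchParams) {
    let value = raw, layers = 0, d;
    while (layers < 5 && (d = decodeLayer(value)) !== null) { value = d; layers++; }
    const hits = SIGNATURES.filter((sig) => sig.re.test(value)).map((sig) => sig.name);
    findings.push({ key, value, layers, hits });
  }
  return { host: u.hostname, internal: isInternalHost(u.hostname), findings };
}
// Constructed sample: tracker-style URL with a base64 destination and a hex-encoded command hint.
const hex = (t) => [...t].map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_URL = "https://track.example/r?u=" + encodeURIComponent(btoa("https://cdn.example/invoice.hta")) + "&c=" + hex("powershell -EncodedCommand") + "&id=12345";
```

Following the chain itself is the only part not shown here: each hop's hostname goes through isInternalHost before any request is made, and scanUrl runs on the last location.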
Defending against the two sides looks different in practice. Social-engineering defence is mostly behavioural — slow down, verify, prefer paranoid skepticism over polite compliance. Technical defence is mostly hygienic — patch the browser, refuse to run macros, treat any executable downloaded from an email link as guilty until proven innocent, and segment the network so that one click cannot become full domain compromise. Organisations get the highest return when they invest in both simultaneously: training that teaches the vocabulary above so users can name the tactic, and a layered technical pipeline (mail filter, browser sandbox, EDR) that assumes the user will eventually click anyway.
PhishPond is not a substitute for any of that. It’s a teaching tool, an analyst’s first-pass triage utility, and a way to make the otherwise invisible structure of a phishing attempt — the chosen verbs, the redirect graph, the encoded payload — visible enough to reason about. If you find yourself running a real suspicious message through it, do that before you click anything in the original, run the link in a sandboxed browser if you must, and report it to your security team or to your local CERT. The best defence against an industrialised attack is to make its scale and patterns boringly obvious — which is exactly what looking at one carefully tends to do.