Automating Phishing Header Analysis in Your PSA
When a user reports a phishing email, the ticket lands and someone has to deal with it. Without automation that means: download the .eml, open it in a text editor, read through several hundred lines of raw headers, pull the SPF/DKIM/DMARC verdicts out of the Authentication-Results header by hand, and write up a note. Every analyst does it slightly differently. Some do it thoroughly. Some do it fast. Most do it inconsistently at 4pm on a Friday.
I built an automation that fires the moment the ticket is created, parses the attached .eml, evaluates authentication headers, and posts a structured triage summary back to the ticket (usually within a few seconds of the ticket opening). Here is what it does and the part that would have burned me if I had not caught it.
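The parse-and-evaluate step, as an added example that is not the automation from this post: it reads an .eml with Python's standard `email` package, parses every Authentication-Results header, trusts only the copy stamped by our own inbound MX (the authserv-id `mx.example.com` is an assumption; substitute your own), pulls the connecting IP from the top Received header, and returns the structured summary a ticket note would be built from. The sample message is constructed for the example.

```python
"""Triage the authentication headers of a reported phishing .eml.

Added example (not the post's automation). TRUSTED_AUTHSERV_ID is an
assumption; set it to the authserv-id your own MX writes.
"""
import re
from email import policy
from email.parser import BytesParser

# Assumed authserv-id of our inbound MX. Only Authentication-Results headers
# stamped with this id are trusted: any other copy arrived with the message
# and could have been written by the sender.
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Constructed sample .eml: our MX's verdicts (fail/none/fail) plus a second,
# sender-supplied Authentication-Results header claiming everything passed.
SAMPLE_EML = b"""Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])
\tby mx.example.com with ESMTP id abc123
\tfor <user@example.com>; Fri, 01 Mar 2024 16:02:11 +0000
Authentication-Results: mx.example.com;
\tspf=fail smtp.mailfrom=attacker.example;
\tdkim=none;
\tdmarc=fail (p=reject) header.from=bank.example
Authentication-Results: mail.attacker.example;
\tspf=pass smtp.mailfrom=bank.example;
\tdkim=pass header.d=bank.example;
\tdmarc=pass header.from=bank.example
From: "Your Bank" <alerts@bank.example>
To: user@example.com
Subject: Urgent: verify your account
Message-ID: <1234@attacker.example>

Please click the link.
"""

_COMMENT = re.compile(r"\([^)]*\)")          # RFC 5322 comments, e.g. "(p=reject)"
_METHOD_RESULT = re.compile(r"^([A-Za-z0-9-]+)=([A-Za-z0-9-]+)$")
_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_authentication_results(value):
    """Parse one Authentication-Results value (RFC 8601 shape).

    Returns {"authserv_id": str, "methods": {method: {"result": r, prop: v}}}.
    Comments are stripped first so a ';' inside one cannot split a field.
    """
    text = re.sub(r"\s+", " ", _COMMENT.sub("", str(value))).strip()
    parts = [p.strip() for p in text.split(";") if p.strip()]
    # First field is the authserv-id, optionally followed by a version number.
    authserv_id = parts[0].split()[0].lower() if parts else ""
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        match = _METHOD_RESULT.match(tokens[0])
        if not match:
            continue  # not a method=result field; ignore it
        entry = {"result": match.group(2).lower()}
        for tok in tokens[1:]:            # property=value pairs, e.g. header.d=
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val
        methods[match.group(1).lower()] = entry
    return {"authserv_id": authserv_id, "methods": methods}


def triage(eml_bytes, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Build the structured summary that would be posted back to the ticket."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    trusted, untrusted = {}, 0
    for raw in msg.get_all("Authentication-Results", []):
        parsed = parse_authentication_results(raw)
        if parsed["authserv_id"] == trusted_authserv_id.lower():
            trusted.update(parsed["methods"])   # our MX may stamp several headers
        else:
            untrusted += 1
    verdicts = {m: trusted.get(m, {}).get("result", "missing")
                for m in ("spf", "dkim", "dmarc")}

    # The topmost Received header was written by our MX; the bracketed
    # address in it is the IP that actually connected to us.
    received = msg.get_all("Received", [])
    ip_match = _IPV4_IN_BRACKETS.search(str(received[0])) if received else None

    from_hdr = msg["From"]
    from_addr = (from_hdr.addresses[0].addr_spec.lower()
                 if from_hdr and from_hdr.addresses else "")

    flags = []
    if not trusted:
        flags.append("no Authentication-Results from trusted MX")
    if verdicts["dmarc"] != "pass":
        flags.append(f"dmarc={verdicts['dmarc']}")
    if untrusted:
        flags.append(f"{untrusted} untrusted Authentication-Results header(s) ignored")

    return {
        "from": from_addr,
        "subject": str(msg.get("Subject", "")),
        "connecting_ip": ip_match.group(1) if ip_match else "",
        "spf": verdicts["spf"],
        "dkim": verdicts["dkim"],
        "dmarc": verdicts["dmarc"],
        "untrusted_headers": untrusted,
        "flags": flags,
        "verdict": "suspicious" if flags else "authenticated",
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_EML).items():
        print(f"{key}: {val}")
```

The authserv-id filter is the part that matters: a sender can attach an Authentication-Results header of their own, and a naive "grep for dmarc=pass" would have graded the sample above as clean even though our MX recorded `spf=fail` and `dmarc=fail`.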
