Phishing Email Examples: 15 Analyzed by a SOC Analyst
Phishing email examples analyzed with real analyst eyes: red flags, header tells, and the patterns every security-aware person should recognize.

The most common phishing email you will encounter impersonates a cloud productivity platform (Microsoft 365, Google Workspace) and tells the recipient their password is about to expire or their account has been locked. That single pattern, credential harvesting through a fake login portal, accounts for a disproportionate share of initial access events in enterprise incident reports year after year. MITRE ATT&CK catalogs the family under T1566 (Phishing); the sub-techniques that matter for this article are T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link) and T1566.004 (Spearphishing Voice), which covers the callback lure in example 12.
Recognizing it visually is useful. Recognizing it analytically, the way a SOC analyst reads headers, checks authentication results, and traces redirect chains, is what actually stops campaigns before credentials are compromised at scale.
Note
All sender addresses, domains, URLs, and names in the examples below are entirely fictional and constructed for educational illustration. Any resemblance to real organizations is coincidental. Domains are written in defanged notation (brackets around dots and modified schemes) so they cannot be accidentally activated.
The 7 Red Flags to Check First
Before the catalog, here is the fast scan. Almost every example below trips at least two of these. If a message trips two or more, treat it as phishing until proven otherwise.
- Sender domain mismatch. The address in angle brackets does not match the brand in the display name (@microsft-accountsupport[.]com, not @microsoft.com).
- Generic greeting. "Dear User" or "Dear Customer" instead of your name, on a message that claims to know your account.
- Urgency or threat. A countdown ("within 24 hours") or a consequence ("your account will be suspended") engineered to stop you verifying.
- Request for credentials, payment, or data. Legitimate services do not ask you to confirm a password or banking details over an email link.
- Mismatched link. The hover or long-press preview resolves to a domain unrelated to the claimed sender.
- Unexpected attachment. A file you did not request, especially a macro-enabled document, a .zip, or an "invoice" PDF.
- Off-key details. Odd grammar, inconsistent formatting, a Reply-To on a different domain, or a tone that does not match the supposed sender.
These flags work across channels. The same lures arrive as text messages (smishing) and phone calls (vishing), where a small screen hides the sender and the full URL, so the verify-before-you-act habit matters even more.
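The fast scan above can be run mechanically against a raw message. The following is an added example, not tooling from this article: it checks the seven flags against a constructed sample modelled on example 1 and applies the "two or more" rule. The brand table, keyword patterns and sample headers are illustrative assumptions, and the domains use the reserved .example and .invalid TLDs so nothing in the sample resolves.

```python
"""Red-flag triage of a raw RFC 5322 message (added example, not the article's tooling).

Returns the red flags found so the "two or more" rule can be automated.
Brand table, keyword lists and the sample message are illustrative assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Brands commonly impersonated and the domains that legitimately send for them
# (assumed subset; extend per tenant).
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "netflix": {"netflix.com"},
    "fedex": {"fedex.com"},
}
URGENCY = re.compile(
    r"\b(within \d+ hours?|immediately|suspended|action required|expires? (today|in \d+))\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(verify your (identity|account)|confirm your password|update your payment|sign in to restore)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (user|customer|member|valued customer)\b", re.I)
RISKY_EXT = (".zip", ".docm", ".xlsm", ".iso", ".img", ".js", ".hta", ".lnk")


def registrable(host: str) -> str:
    """Last two labels: enough for .com/.net lookalikes. Use a public-suffix
    list in production so co.uk-style suffixes are handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() and registrable(from_dom) not in legit:
            flags.append(f"sender domain mismatch: '{display}' from {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    subject = msg.get("Subject", "")

    # 2. Generic greeting on a message that claims to know the account.
    if GENERIC_GREETING.search(text):
        flags.append("generic greeting")
    # 3. Urgency or threat, in body or subject.
    if URGENCY.search(text) or URGENCY.search(subject):
        flags.append("urgency or threat language")
    # 4. Request for credentials or payment.
    if CREDENTIAL_ASK.search(text):
        flags.append("asks for credentials or payment")
    # 5. Link whose registrable domain differs from the sender's.
    for href in re.findall(r'href=["\']?(https?://[^"\'\s>]+)', text, re.I):
        host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0]
        if registrable(host) != registrable(from_dom):
            flags.append(f"mismatched link: {href}")
    # 6. Unexpected attachment with a risky extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment: {name}")
    # 7. Reply-To on a different domain than From.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        flags.append(f"Reply-To on different domain: {reply_dom}")
    return flags


def verdict(raw: bytes) -> str:
    """Two or more flags: treat as phishing until proven otherwise."""
    return "phishing until proven otherwise" if len(triage(raw)) >= 2 else "needs review"


# Constructed sample modelled on example 1 (fictional, non-resolving domains).
SAMPLE = b"""From: Microsoft Account Team <no-reply@microsft-accountsupport.example>
Reply-To: recovery@protonmail-secure.invalid
To: alex@yourcompany.example
Subject: Your Microsoft 365 session has expired
Content-Type: text/html; charset=utf-8

<html><body><p>Dear User,</p>
<p>We detected unusual activity. Verify your identity within 24 hours.</p>
<p><a href="https://login.m365-verify-portal.example/auth">Sign in</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("FLAG:", f)
    print(verdict(SAMPLE))
```

The sample trips six of the seven flags; only the attachment check is silent because the message carries none. The registrable-domain shortcut is deliberately naive, which is fine for the .com lookalikes in this article but should be swapped for a public-suffix lookup before the script sees real traffic.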
Group 1: Credential Harvesters
These lures share a single objective: redirect the recipient to a fake login page and capture credentials before the victim realizes the portal is not legitimate.
1. Fake Microsoft 365 Login
Pattern: Impersonates a Microsoft 365 security notification to redirect the target to a credential-harvesting portal styled as the Microsoft sign-in page.
From: Microsoft Account Team <no-reply@microsft-accountsupport[.]com> Subject: Your Microsoft 365 session has expired — sign in to restore access Body excerpt: "We detected unusual activity on your account. To protect your organization, your session has been terminated. Click below to verify your identity and restore access within 24 hours."
Red flags an analyst spots:
The sending domain microsft-accountsupport[.]com omits the second o in Microsoft. At reading speed, this typosquat is easy to miss but obvious on inspection. The domain was registered recently (a WHOIS lookup will typically reveal a registration date within days or weeks of the campaign). The urgency framing ("24 hours") and threat framing ("unusual activity") are stock credential-harvesting copy.
Technical tell: Read the Authentication-Results header your gateway adds, and read it for alignment, not just pass/fail. If the attacker spoofs the real microsoft.com in the From header, SPF and DKIM fail because the attacker is not in Microsoft's SPF record and cannot sign with Microsoft's DKIM keys; you will see spf=fail, dkim=none or dkim=fail, and dmarc=fail, and if the spoofed domain publishes a DMARC reject policy most gateways quarantine or drop the message. The lookalike domain in this example is the harder case: the attacker controls microsft-accountsupport[.]com, so SPF and DKIM often pass and DMARC is aligned, but aligned to the lookalike. The tell is then that header.d and smtp.mailfrom name the lookalike, not microsoft.com, and the only thing tying the message to Microsoft is the display name.
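The spoof-versus-lookalike distinction is easy to get wrong when skimming a header, so here is an added example (not code from this article) that parses an Authentication-Results value in RFC 8601 syntax and classifies the message as authenticated as the brand, a spoof of the brand's domain that fails, or a lookalike that authenticates fine as itself. The brand table, the authserv-id and both header values are constructed assumptions.

```python
"""Authentication-Results reading for the spoof-versus-lookalike distinction.

Added example, not from the article. Brand table, authserv-id and the
header values below are constructed; domains are fictional.
"""
import re
from email.utils import parseaddr

BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}  # assumed subset


def registrable(host: str) -> str:
    """Last two labels (use a public-suffix list for co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def parse_auth_results(value: str) -> dict:
    """Parse 'authserv-id; method=result prop=val ...; ...' into a dict per method."""
    clauses = [c.strip() for c in value.split(";")]
    parsed = {"authserv_id": clauses[0].split()[0] if clauses and clauses[0] else ""}
    for clause in clauses[1:]:
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop comments such as (p=reject)
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed


def assess(from_header: str, auth_results: str) -> tuple[str, str]:
    """Return (category, explanation) for a message whose display name claims a brand."""
    ar = parse_auth_results(auth_results)
    display, addr = parseaddr(from_header)
    from_dom = registrable(addr.rpartition("@")[2])
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dmarc = ar.get("dmarc", {}).get("result", "none")
    signed_by = registrable(dkim.get("header.d", ""))
    mailfrom = registrable(spf.get("smtp.mailfrom", ""))

    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    if not claimed:
        return "no-brand-claim", f"display name '{display}' claims no tracked brand"
    brand = claimed[0]
    if from_dom in BRAND_DOMAINS[brand]:
        if dmarc == "pass":
            return "authenticated", f"{from_dom} passes DMARC; DKIM d={signed_by or 'none'}"
        return "spoof", (f"From claims {from_dom} but spf={spf.get('result', 'none')} "
                         f"dkim={dkim.get('result', 'none')} dmarc={dmarc}")
    # Lookalike: authentication may well pass, but it is aligned to the attacker's domain.
    return "lookalike", (f"display name says {brand} but the message authenticates as "
                         f"{signed_by or mailfrom or from_dom} (dmarc={dmarc}), not as "
                         f"{'/'.join(sorted(BRAND_DOMAINS[brand]))}")


# Constructed header values (authserv-id and domains are fictional).
LOOKALIKE = ("Microsoft Account Team <no-reply@microsft-accountsupport.example>",
             "mx.yourcompany.example; spf=pass smtp.mailfrom=microsft-accountsupport.example; "
             "dkim=pass header.d=microsft-accountsupport.example header.s=s1; "
             "dmarc=pass header.from=microsft-accountsupport.example")
SPOOF = ("Microsoft Account Team <no-reply@microsoft.com>",
         "mx.yourcompany.example; spf=fail smtp.mailfrom=microsoft.com; dkim=none; "
         "dmarc=fail (p=reject) header.from=microsoft.com")

if __name__ == "__main__":
    for case in (LOOKALIKE, SPOOF):
        print(*assess(*case))
```

The point the lookalike case makes is that three green "pass" results are not a clean bill of health; the question is which domain passed, and whether that domain is the one the display name wants you to believe.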
2. Password Expiry Notice
Pattern: Informs the recipient their corporate password expires imminently and provides a "renew now" button that captures the current password on a cloned internal portal.
From: IT Security <helpdesk@corp-secalert[.]net> Subject: ACTION: Your password expires in 2 hours Body excerpt: "Your network password expires today at 17:00. Click the link below to extend it without interruption to your workflow."
Red flags an analyst spots:
Legitimate corporate password resets route through authenticated portals your IT team controls, not external domains like corp-secalert[.]net. A two-hour deadline is a deliberate pressure tactic designed to prevent the recipient from pausing to verify. The generic sender name "IT Security" with no specific team attribution is a tell in organizations where helpdesk emails come from named individuals or a known ticketing system address.
Technical tell: The link destination previews to a subdomain on a hosting provider unrelated to the claimed organization. A URL analysis service such as URLScan.io will show the page rendering a Microsoft or Okta login clone while the registrable domain belongs to a hosting provider or registrar with no connection to your organization.
3. Shared Document Lure
Pattern: Mimics a legitimate file-sharing notification (SharePoint, OneDrive, Google Drive) to direct the recipient to a credential page disguised as a document preview.
From: SharePoint Notifications <noreply@sharepoint-clouddocs[.]com> Subject: Lena Torres shared "Q2 Compensation Review.xlsx" with you Body excerpt: "Lena Torres (l.torres@yourcompany[.]com) has shared a document with you. Click 'Open in SharePoint' to view."
Red flags an analyst spots:
The sender domain sharepoint-clouddocs[.]com is not microsoft.com or sharepoint.com. The attacker uses a plausible internal name ("Lena Torres") harvested from a LinkedIn search or a prior data breach to lower suspicion. Document-sharing lures succeed because the premise is routine in most organizations: people receive file-share notifications constantly and click without scrutiny.
Technical tell: Hover over the "Open in SharePoint" button. The href will resolve to a redirect chain through the attacker's domain before landing on a credential page. A VirusTotal URL scan of the destination will often show reputation hits if the campaign is more than a few hours old.
Group 2: Urgency and Authority Manipulation
These patterns combine social authority (executive, vendor, payroll system) with time pressure to bypass the recipient's normal verification instincts.
4. CEO Fraud / BEC Gift Card Request
Pattern: Impersonates a C-level executive requesting an urgent, confidential gift card purchase, exploiting authority and the secrecy framing to prevent the target from seeking a second opinion.
From: David Marsh, CEO <d.marsh@globalcorpinc-exec[.]com> Subject: Confidential — urgent request Body excerpt: "I'm in back-to-back meetings and need you to handle something quickly. Can you purchase four $250 Amazon gift cards for a client recognition gesture? Reply with the codes when done. Please keep this between us for now."
Red flags an analyst spots:
The sender domain globalcorpinc-exec[.]com is not the organization's actual domain. Gift card purchases do not flow through email with a request for redemption codes. The "keep this between us" instruction is a textbook social engineering isolation tactic: it is specifically designed to prevent the target from calling the executive directly to verify. The FBI's IC3 reports have consistently identified business email compromise (BEC) as the costliest category of cybercrime by total dollar loss.
Technical tell: The Reply-To header points to a personal webmail address (ceo.david.m@protonmail-secure[.]xyz), not the executive's corporate address. Any reply from the victim goes to the attacker's inbox, not the real CEO.
5. Invoice Fraud
Pattern: Submits a realistic-looking vendor invoice with modified banking details, targeting accounts payable teams with a payment redirect.
From: Billing <billing@acmevendorsupply-invoices[.]com> Subject: Invoice #INV-2026-0441 — Payment Due 15 June Body excerpt: "Please find attached invoice INV-2026-0441 for $14,850 for professional services rendered in May. Our banking details have changed. Please update your records with the new account below."
Red flags an analyst spots:
Banking detail changes in an email PDF require verification by phone to a number sourced independently (not the number on the invoice itself). The sender domain acmevendorsupply-invoices[.]com does not match the legitimate vendor's domain. The invoice attachment, often a PDF, may carry embedded JavaScript or an open-action that sends the reader to a credential page dressed as an "invoice portal"; PDFs cannot carry Office macros, so a macro-bearing "invoice" arrives as a .docm or .xlsm instead.
Technical tell: Hash the PDF and check VirusTotal before opening. In many invoice fraud campaigns, the attachment is a clean PDF (no malware) and the attack is purely social: the banking detail change is the payload.
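Hashing and a reputation lookup are the first step; the second is a static look at what the PDF can do before anyone opens it. The following is an added example, not code from this article: it hashes the file for a VirusTotal or IOC lookup, decodes the hex-escaped names attackers use to hide action keys, counts the keys that give a PDF active behaviour, and extracts any URLs in defanged form. The two PDFs are constructed by hand and the domain is fictional and non-resolving. It does not inflate compressed object streams, so "no active content" means "nothing visible", not "clean".

```python
"""Static first-pass triage of an invoice PDF (added example, not from the article).

Hashes the file, un-hex-escapes PDF names, counts action keys and extracts
defanged URLs. Both sample PDFs are constructed; the domain is fictional.
"""
import hashlib
import re

ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
KEY_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|URI)\b")
URL_RE = re.compile(rb"https?://[^\s'\")>]+")


def defang(url: str) -> str:
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def unescape_names(data: bytes) -> bytes:
    """PDF allows #xx hex escapes inside names; evasive samples write /J#61vaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes.fromhex(m.group(1).decode()), data)


def triage_pdf(data: bytes) -> dict:
    decoded = unescape_names(data)
    counts = {}
    for m in KEY_RE.finditer(decoded):
        key = "/" + m.group(1).decode()
        counts[key] = counts.get(key, 0) + 1
    uris = sorted({defang(u.decode(errors="replace")) for u in URL_RE.findall(decoded)})
    if any(k in counts for k in ACTIVE_KEYS):
        verdict = "suspicious"          # runs code or launches something on open
    elif "/URI" in counts:
        verdict = "links-only"          # the social-engineering payload lives in the link
    else:
        verdict = "no active content"   # nothing visible; compressed streams not inspected
    return {"sha256": hashlib.sha256(data).hexdigest(), "keywords": counts,
            "uris": uris, "verdict": verdict}


# Constructed: an "invoice" that runs JavaScript on open and carries a link,
# with the action name hex-escaped the way evasive samples do.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.launchURL('https://acmevendorsupply-invoices.example/portal', true);) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://acmevendorsupply-invoices.example/pay) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: a bare page with no actions and no links.
CLEAN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("suspicious", SUSPICIOUS_PDF), ("clean", CLEAN_PDF)):
        print(name, triage_pdf(pdf))
```

Feed the sha256 to your reputation lookup, and keep the extracted URLs defanged in the ticket. A "links-only" verdict on an otherwise clean invoice is exactly the purely social case the paragraph above describes: the banking detail change, not the file, is the payload.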
6. Payroll Diversion
Pattern: Impersonates an employee submitting a direct deposit update request to payroll, redirecting salary payments to an attacker-controlled account.
From: James Whitfield <j.whitfield@yourcompany-hrportal[.]com> Subject: Direct deposit update request — James Whitfield Body excerpt: "Hi, I recently changed banks and would like to update my direct deposit information before the next pay cycle. I've attached the new bank details."
Red flags an analyst spots:
Legitimate direct deposit changes go through an authenticated HR portal or require in-person ID verification, not email submission. The sending domain impersonates the company with an added suffix (-hrportal[.]com). Payroll diversion is a targeted attack: the attacker typically researches the organization's payroll calendar to time the request just before a pay run, creating implicit urgency.
Technical tell: The employee name in the From display field is real (harvested from LinkedIn), but the domain is not. A check against the corporate directory for the employee's actual email address will reveal the mismatch immediately.
Group 3: Brand Impersonation
These lures exploit the trust built by recognizable consumer and enterprise brands to lower the recipient's defenses.
7. Shipping and Delivery Alert
Pattern: Mimics a carrier notification (FedEx, DHL, UPS) to deliver a malicious link under the pretext of a package delivery issue.
From: FedEx Delivery Notifications <tracking@fedex-parceltrack[.]info> Subject: Your package could not be delivered — reschedule now Body excerpt: "We attempted to deliver your parcel (tracking: 7489-2031-4456) but were unable to complete delivery. Click below to reschedule your delivery and pay a small customs fee of $1.99."
Red flags an analyst spots:
Legitimate carrier domains are fedex.com, dhl.com, ups.com. The domain fedex-parceltrack[.]info is neither. The "small customs fee" is a card skimming lure: the objective is not credentials but payment card data. Delivery lures spike around peak shopping periods but run year-round because package delivery is routine.
Technical tell: The $1.99 payment page will load a full card capture form (name, card number, CVV, billing address) on a domain with a recently issued HTTPS certificate. Certificate Transparency logs will show the cert was issued days before the campaign.
8. Bank Security Alert
Pattern: Impersonates a financial institution claiming the recipient's account has been flagged for suspicious activity, redirecting to a spoofed banking login to "verify identity."
From: Security Center <security-alert@firstnational-alertcenter[.]com> Subject: Unusual activity detected on your account — verify now Body excerpt: "We've detected a sign-in attempt from an unrecognized device. If this was not you, verify your identity immediately to prevent your account from being locked."
Red flags an analyst spots:
Banks communicate security alerts through authenticated in-app notifications and verified SMS, not cold emails with embedded verification links. The domain firstnational-alertcenter[.]com is not the bank's actual domain. The "unrecognized device" premise is a stock urgency trigger because it implies someone else may already have access, creating panic that overrides verification instincts.
Technical tell: The link destination behind "verify now" will resolve to a page that clones the bank's login interface but sits on an unrelated domain. Page source inspection will show the form action attribute posting credentials to the attacker's server, not the bank.
9. Streaming Service Renewal
Pattern: Claims the recipient's streaming subscription has failed to renew and requests updated payment information on a cloned billing page.
From: Netflixbilling <billing-renewal@netflx-accounts[.]com> Subject: Action required: update your payment method Body excerpt: "Your Netflix subscription could not be renewed because your payment method was declined. Update your payment details within 48 hours to avoid interruption."
Red flags an analyst spots:
netflx-accounts[.]com is a typosquat dropping one character from Netflix. Streaming services manage billing through their own authenticated account portals and do not require email-embedded links for payment updates. The 48-hour deadline creates urgency calibrated to the low perceived cost of acting (updating a card) versus the perceived loss (losing access to a service).
Technical tell: Hovering the update link will reveal a subdomain structure designed to look legitimate at a glance: accounts.netflx-accounts[.]com/billing. The registrable domain is netflx-accounts[.]com, which is the giveaway.
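Finding the registrable domain and then asking how it relates to the claimed brand is the same check behind examples 1, 7 and 9, so here is an added example (not code from this article) that does it for a hover link or sender address, defanged or not: it strips the URL down to a host, finds the registrable domain against a public-suffix list, and labels the result legitimate, brand-as-subdomain, brand-in-domain or typosquat by edit distance. The suffix subset and the legitimate-domain table are illustrative assumptions; use a real public-suffix list in production.

```python
"""Registrable-domain and lookalike classification (added example, not from the article).

The public-suffix subset and LEGIT table are assumptions for illustration.
"""
import re

PUBLIC_SUFFIXES = {"com", "net", "org", "info", "xyz", "co.uk", "com.au"}  # tiny subset
LEGIT = {
    "netflix": {"netflix.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "fedex": {"fedex.com"},
}


def refang(s: str) -> str:
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Hostname from a URL, e-mail address or bare host; drops scheme, userinfo, port, path."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(url.strip()), flags=re.I)
    return s.split("/")[0].split("?")[0].split("@")[-1].split(":")[0].lower()


def registrable(host: str) -> str:
    labels = host.split(".")
    for n in (2, 1):  # try a two-label suffix (co.uk) before a one-label one
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, brand: str) -> tuple[str, str]:
    """Return (category, registrable_domain) for a link or sender host claiming `brand`."""
    host = host_of(url)
    reg = registrable(host)
    if reg in LEGIT[brand]:
        return "legitimate", reg
    labels, reg_labels = host.split("."), reg.split(".")
    subdomain_labels = labels[:len(labels) - len(reg_labels)]
    if brand in subdomain_labels:                      # microsoft.com.account-verify.xyz
        return "brand-as-subdomain", reg
    tokens = reg_labels[0].split("-")                  # netflx-accounts -> netflx, accounts
    if brand in tokens:                                # fedex-parceltrack.info
        return "brand-in-domain", reg
    if any(len(t) >= 4 and levenshtein(t, brand) <= 2 for t in tokens):
        return "typosquat", reg                        # netflx, microsft
    return "unrelated", reg


# Constructed inputs, written defanged as in the article.
SAMPLES = [
    ("accounts.netflx-accounts[.]com/billing", "netflix"),
    ("hxxps://login.microsoft.com/common/oauth2", "microsoft"),
    ("hxxps://microsoft.com.account-verify[.]xyz/login", "microsoft"),
    ("tracking@fedex-parceltrack[.]info", "fedex"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(f"{url:50} -> {classify(url, brand)}")
```

The subdomain check matters as much as the typosquat check: accounts.netflx-accounts[.]com and microsoft.com.account-verify[.]xyz both put familiar words on the left, where the eye stops reading, and the registrable domain on the right is the only part the registrar and the certificate actually bind to.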
Group 4: Technical Attack Patterns
These variants exploit technical channels or security process familiarity to bypass controls that stop simpler lures.
10. MFA Fatigue Prompt-Bombing
Pattern: The attacker has already obtained valid credentials (via a prior phishing campaign or breach) and bombards the victim's authenticator app with push notifications until the exhausted or confused user approves one.
From: IT Security <ithelp@securityalerts-notifications[.]net> Subject: Important: Approve the pending MFA request Body excerpt: "Our systems have detected an unresolved MFA prompt for your account. If you did not initiate this, please approve the current request to dismiss it, then contact the helpdesk."
Red flags an analyst spots:
This lure is layered: the attacker combines active push-prompt bombardment with an explanatory email that reframes approving a suspicious prompt as the defensive action. The instruction "approve the current request to dismiss it" is factually backwards (approving a prompt grants access, it does not dismiss it), but it exploits the recipient's confusion during an active push flood. CISA's MFA guidance specifically flags push notification fatigue as a known attack vector, and MITRE ATT&CK tracks the technique as T1621 (Multi-Factor Authentication Request Generation).
Technical tell: The SIEM will show multiple MFA push events for the same account within a short window before the approval event. This pattern is detectable at the authentication layer, not the email layer.
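The authentication-layer pattern is simple enough to detect with a sliding window. The following is an added example, not code from this article: it replays a constructed stream of push-MFA events (field names are assumptions; map them onto your identity provider's schema) and raises an alert when an approval is preceded by a burst of prompts for the same account within a short window, reporting how many times the user refused before giving in. IPs are from the RFC 5737 documentation ranges.

```python
"""Detecting MFA prompt-bombing at the authentication layer (added example).

Event field names are assumptions; the event stream is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream: one bombarded user (alex) and one normal login (sam).
EVENTS = [
    {"ts": "2026-03-02T08:01:05Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:01:20Z", "user": "alex", "event": "push_denied"},
    {"ts": "2026-03-02T08:01:40Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:01:55Z", "user": "alex", "event": "push_denied"},
    {"ts": "2026-03-02T08:02:15Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:02:30Z", "user": "alex", "event": "push_denied"},
    {"ts": "2026-03-02T08:02:50Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:03:30Z", "user": "alex", "event": "push_timeout"},
    {"ts": "2026-03-02T08:03:35Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:04:02Z", "user": "alex", "event": "push_sent", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:04:20Z", "user": "alex", "event": "push_approved", "src_ip": "203.0.113.9"},
    {"ts": "2026-03-02T08:05:00Z", "user": "sam", "event": "push_sent", "src_ip": "198.51.100.20"},
    {"ts": "2026-03-02T08:05:07Z", "user": "sam", "event": "push_approved", "src_ip": "198.51.100.20"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_prompt_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Alert on push_approved events preceded by >= min_prompts prompts within `window`.

    Prior denials and timeouts are reported too: a user who said "no" three
    times and then "yes" is the textbook fatigue pattern.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    history = defaultdict(list)   # user -> [(timestamp, event), ...]
    alerts = []
    for e in events:
        ts, user = parse_ts(e["ts"]), e["user"]
        if e["event"] == "push_approved":
            recent = [(t, ev) for t, ev in history[user] if ts - t <= window]
            prompts = sum(1 for _, ev in recent if ev == "push_sent")
            refusals = sum(1 for _, ev in recent if ev in ("push_denied", "push_timeout"))
            if prompts >= min_prompts:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"],
                    "prompts_in_window": prompts,
                    "refusals_before_approval": refusals,
                    "src_ip": e.get("src_ip"),
                })
        history[user].append((ts, e["event"]))
    return alerts


if __name__ == "__main__":
    for a in detect_prompt_bombing(EVENTS):
        print("ALERT:", a)
```

Tune the threshold to your environment: four prompts in ten minutes is noisy for a help desk that legitimately re-sends, so pair it with the refusal count, which a legitimate user almost never racks up. The src_ip on the approval is the attacker's login source, not the user's phone, and is worth pivoting on across other accounts.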
11. QR Code Phishing (Quishing)
Pattern: Embeds a QR code in the email body rather than a clickable link, routing the scan to a credential page on the victim's personal mobile device where corporate email link-scanning controls do not apply.
From: HR Department <hrdept@globalcorpinc-secure[.]org> Subject: 2026 benefits enrollment — scan to access your portal Body excerpt: "Your benefits enrollment period opens today. Use the QR code below to access your secure enrollment portal on any device. Code expires at midnight."
[QR code image embedded in body]
Red flags an analyst spots:
Legitimate HR benefit portals have stable URLs distributed through authenticated intranet links, not single-use QR codes in email. The QR code sidesteps corporate secure email gateways because the encoded URL is an image, not scannable text. Once the code is scanned on a personal phone, the victim leaves the corporate environment entirely.
Technical tell: Extract the QR code using a QR reader in a sandboxed environment or a tool like ZXing Decoder. The decoded URL will contain the attacker's domain. The email body will have no visible href links, which is itself anomalous and a signal for sandbox-based analyzers to flag.
12. Callback / TOAD Phishing
Pattern: Telephone-Oriented Attack Delivery (TOAD) emails contain no malicious link or attachment. Instead, they instruct the recipient to call a phone number controlled by the attacker, where a "support agent" extracts credentials or installs remote access software verbally.
From: IT Support Desk <support@corpitservices-helpdesk[.]com> Subject: Subscription renewal confirmation — call to cancel Body excerpt: "Your enterprise security subscription has been renewed for $349.99. If you did not authorize this charge, call our billing support team immediately at +1 (888) 555-0174 to cancel."
Red flags an analyst spots:
This lure exploits loss aversion (an unexpected charge of $349.99) and routes the response through a phone call rather than a link, bypassing URL inspection controls entirely. Attackers answering the callback number impersonate IT support and social-engineer the caller into providing credentials, installing a remote access tool, or making a wire transfer. SANS ISC researchers documented a significant rise in TOAD campaigns in 2023 and 2024.
Technical tell: There are no URLs, no attachments, and no authentication failures to catch this variant at the email gateway; the only machine-readable indicator is the phone number itself, which can be extracted from billing-themed messages and matched against known callback numbers. Beyond that, detection relies on user awareness training and anomaly detection on outbound calls to unfamiliar numbers.
Group 5: Spear Phishing
These attacks are targeted rather than broadcast: the attacker invests time researching the specific victim to make the lure credible to that individual.
13. LinkedIn Recruiter Spear Phish
Pattern: Impersonates a recruiter with a personalized message referencing the victim's actual job title, employer, and skills (scraped from their public LinkedIn profile), delivering a malicious "job description" PDF or credential-harvesting "application portal."
From: Rachel Kim, Talent Acquisition <r.kim@talentsearchpartners-global[.]com> Subject: Exclusive opportunity for senior SOC analysts — confidential Body excerpt: "Hi [First Name], I came across your profile and was impressed by your experience in threat detection and incident response at [Current Employer]. I have an exclusive opening at a Fortune 500 security team that matches your background precisely. I've attached the role brief. Keen to have a quick call?"
Red flags an analyst spots:
The personalization is the attack: the victim's name, employer, and skills are all real. The recruiter firm domain talentsearchpartners-global[.]com does not resolve to a real recruiting company in any business registry. The attachment is either a PDF whose "role brief" link leads to a credential-harvesting page or an Office document with a macro. This pattern targets security professionals specifically because they are high-value individuals whose credentials, once compromised, provide access to sensitive detection infrastructure.
Technical tell: The attachment hash will often have no VirusTotal entry if the campaign is fresh (nobody has submitted the sample yet), so a clean lookup is not a clean verdict. Behavioral detonation in a sandbox such as Any.run will reveal outbound connections to command-and-control infrastructure when the document is opened.
14. Vendor Compromise Thread Hijack
Pattern: An attacker who has already compromised a legitimate vendor's email account replies to an existing email thread with a malicious invoice, updated payment instructions, or a malware attachment. Because the reply inherits the genuine thread history, it passes every external trust signal.
[Reply in existing email thread with a real vendor, 12 previous messages visible] From: Mark Sullivan <m.sullivan@legitvendor[.]com> (this is the compromised account) Subject: Re: Re: Re: Q2 contract renewal — final documents Body excerpt: "Hi Sarah, sorry for the delay. Please find the updated contract attached with the revised payment schedule. Let me know if you have any questions before Friday."
Red flags an analyst spots:
This is the hardest variant to catch at the perimeter because the sending domain is legitimate, the account is real, and the thread history is genuine. The signals are behavioral: the attachment appears in a thread where no attachment was previously expected, the request introduces a banking or payment change, and the tone or phrasing is subtly inconsistent with prior messages from that contact. Out-of-band verification by phone to the known vendor contact is the only reliable control.
Technical tell: SPF, DKIM, and DMARC will all pass because the email genuinely originates from the vendor's mail server. The IOC is in the attachment or link, not the headers. Endpoint detection tools (EDR) are more likely to catch this post-click than email gateway controls pre-delivery.
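Because the headers pass, the only place left to look is the thread itself. The following is an added example, not code from this article: it compares the newest message against the earlier messages from the same contact and reports the behavioural signals the paragraph above names, a first attachment, payment-change language, a newly introduced or off-domain Reply-To, and a sending host not seen before. The thread is constructed, the domains are fictional, the IPs are from RFC 5737, and the field names are what an analyst would pull from the headers rather than any library's schema.

```python
"""Behavioural signals for a hijacked vendor thread (added example, not from the article).

Messages are pre-parsed dicts (fields are assumptions); the thread is constructed.
"""
import re

PAYMENT_CHANGE = re.compile(
    r"\b(new (bank|account) details|banking details have changed|revised payment|"
    r"updated (bank|wire|remittance)|wire to|update your records)\b", re.I)


def signals(thread: list[dict]) -> list[str]:
    """Compare thread[-1] against earlier messages from the same From address."""
    latest = thread[-1]
    prior = [m for m in thread[:-1] if m["from"].lower() == latest["from"].lower()]
    if not prior:
        return ["no prior messages from this sender in thread"]
    found = []
    # 1. First attachment from this contact in a thread that never had one.
    if latest.get("attachments") and not any(m.get("attachments") for m in prior):
        found.append(f"first attachment in thread from this sender: {latest['attachments']}")
    # 2. Payment or banking change appears for the first time.
    if PAYMENT_CHANGE.search(latest["body"]) and not any(PAYMENT_CHANGE.search(m["body"]) for m in prior):
        found.append("payment or banking change introduced")
    # 3. Reply-To newly introduced, worse if it points off the vendor's domain.
    reply_to = (latest.get("reply_to") or "").lower()
    prior_reply_to = {(m.get("reply_to") or "").lower() for m in prior}
    if reply_to and reply_to not in prior_reply_to:
        note = "Reply-To newly introduced"
        if reply_to.rpartition("@")[2] != latest["from"].rpartition("@")[2]:
            note += f", off-domain: {reply_to}"
        found.append(note)
    # 4. Last external Received hop differs from every prior message (weak alone).
    seen_hosts = {m["sending_host"] for m in prior}
    if latest["sending_host"] not in seen_hosts:
        found.append(f"sending host {latest['sending_host']} not seen in prior {len(prior)} messages "
                     "(weak on its own: vendors change mail relays)")
    return found


VENDOR = "m.sullivan@legitvendor.example"
RELAY = "mail.legitvendor.example [198.51.100.20]"
# Constructed thread: four genuine turns, then the reply sent from the compromised account.
THREAD = [
    {"from": VENDOR, "reply_to": None, "sending_host": RELAY, "attachments": [],
     "body": "Hi Sarah, draft renewal terms below for your review."},
    {"from": "sarah@yourcompany.example", "reply_to": None,
     "sending_host": "mail.yourcompany.example [198.51.100.5]", "attachments": [],
     "body": "Thanks Mark, legal will take a look."},
    {"from": VENDOR, "reply_to": None, "sending_host": RELAY, "attachments": [],
     "body": "Thanks, back to you next week."},
    {"from": VENDOR, "reply_to": None, "sending_host": RELAY, "attachments": [],
     "body": "Final wording agreed on our side."},
    {"from": VENDOR, "reply_to": "m.sullivan@legitvendor-docs.invalid",
     "sending_host": "vps-17.bulkhost.invalid [203.0.113.77]",
     "attachments": ["Q2_contract_final.pdf"],
     "body": "Hi Sarah, sorry for the delay. Please find the updated contract attached with the "
             "revised payment schedule. Please update your records with the new account details before Friday."},
]

if __name__ == "__main__":
    for s in signals(THREAD):
        print("SIGNAL:", s)
```

None of these signals is proof on its own; the attachment and payment-change pair together is what should route the message to a phone call with the known vendor contact before anything is opened or paid.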
15. IT Help Desk Impersonation
Pattern: Targets new employees or users who have recently submitted IT tickets, using ticket context to impersonate internal helpdesk staff and redirect the victim to a credential-harvesting page under the pretense of resolving a real open request.
From: IT Help Desk <helpdesk-tickets@corp-itsupport-portal[.]com> Subject: Re: Ticket #HD-8821 — your VPN issue is resolved Body excerpt: "Hi Alex, your VPN access issue has been resolved. Please click below to re-authenticate your account with the updated configuration. Your previous session tokens have been invalidated for security."
Red flags an analyst spots:
The sender domain corp-itsupport-portal[.]com is not the organization's ticketing system domain. The attacker knows the victim has an open IT ticket because they either monitored the victim's email (in a prior compromise) or made an educated guess based on common onboarding friction. The "re-authenticate" instruction provides a plausible reason for credential entry. New employees are particularly vulnerable because they do not yet have firm mental models of how legitimate IT communications look.
Technical tell: Compare the sender domain against your organization's actual helpdesk ticketing system addresses. A SIEM search for the sender domain across all employee inboxes may reveal the same lure sent to multiple recent starters, indicating a targeted onboarding campaign.
Summary Table
| Pattern | Primary Red Flag | Target |
|---|---|---|
| Fake MS365 Login | Typosquat sender domain; authentication aligned to the lookalike, not microsoft.com | All employees with M365 access |
| Password Expiry | External domain for internal reset | Corporate users |
| Shared Document | Sender not microsoft.com or google.com | Knowledge workers |
| CEO Fraud / Gift Card | Reply-To mismatch; isolation instruction | Admins, executive assistants |
| Invoice Fraud | Banking detail change via email | Accounts payable |
| Payroll Diversion | HR request from non-corporate domain | Payroll / HR teams |
| Shipping Alert | Carrier domain typosquat; "customs fee" | General population |
| Bank Security Alert | Financial institution not using their domain | Consumer accounts |
| Streaming Renewal | Typosquat; payment update via email link | Consumer accounts |
| MFA Prompt-Bombing | Multiple push events before approval; email reinforcement | Users with MFA enrolled |
| QR Code (Quishing) | No visible URLs; QR code only | Mobile-device users |
| Callback / TOAD | No link or attachment; phone number CTA | Anyone receiving billing emails |
| LinkedIn Recruiter | Personalized; recruiter domain not verifiable | Professionals with public profiles |
| Vendor Thread Hijack | Attachment in thread with no prior attachment | Finance, procurement, legal |
| IT Help Desk | Sender domain not ticketing system; new employee timing | Recent hires |
Recognizing these patterns is the first half of the skill. The second half is working one all the way through: how to analyze a phishing email walks the full SOC process from safe handling and header forensics to a documented verdict. SOCSimulator's training operations include phishing investigation scenarios where you practice parsing these patterns under realistic conditions.
Frequently Asked Questions
- What does a phishing email look like?
- Phishing emails typically impersonate a trusted brand or authority figure and create urgency to push the recipient into clicking a link, opening an attachment, or providing credentials. Common visual tells include a sender domain that does not match the claimed organization, generic greetings like 'Dear User', urgency phrases like 'your account will be suspended', and URLs that include extra subdomains or character substitutions designed to look legitimate at a glance.
- What are the most common phishing email examples?
- The highest-volume phishing patterns are credential harvesters impersonating Microsoft 365 or Google login pages, fake password-expiry notices, CEO fraud requests for gift cards, shipping delivery alerts with malicious tracking links, and bank security alerts. MFA fatigue attacks (prompt-bombing) and QR code phishing (quishing) have surged in frequency since 2023 as attackers adapt to multi-factor authentication adoption.
- How can I tell if an email is phishing?
- Check three things immediately: the sender domain (not the display name, the actual address in angle brackets), the authentication results if your mail client shows them (look for SPF or DKIM failures, and check that the domain that passed is actually the brand's and not a lookalike), and the destination URL of any link before clicking (hover or long-press to preview). If any link redirects through an unrelated domain, or the sender domain differs from the brand being impersonated, treat it as phishing until analysis proves otherwise.
- What is the difference between spear phishing and phishing?
- Phishing is broadcast: the same lure is sent to thousands of recipients with no personalization, betting on a small percentage clicking. Spear phishing is targeted: the attacker researches the specific victim, using their name, role, colleagues, or recent activity to craft a message that looks credible to that individual. Spear phishing is used in business email compromise, vendor impersonation, and nation-state intrusions because the higher effort produces higher success rates against specific high-value targets.
- What are the 7 red flags of phishing?
- The seven recurring red flags are: a sender address that does not match the brand it claims (check the domain in angle brackets, not the display name); a generic greeting like 'Dear Customer' instead of your name; urgency or a threat such as 'your account will be closed in 24 hours'; a request for credentials, payment, or personal data; a link whose preview destination does not match the claimed organization; an unexpected attachment, especially a macro-enabled document; and grammar, spelling, or formatting that is subtly off. Any one flag warrants caution. Two or more together is almost always phishing.
- What are the 4 P's of phishing?
- The 4 P's are a quick mental checklist for the social-engineering pressure inside a phishing email: Pretexting (a fabricated scenario such as a locked account or unpaid invoice), Pressure (urgency or a deadline that discourages verification), Persuasion (impersonating an authority or trusted brand to borrow its credibility), and Payload (the click, attachment, credential entry, or callback the attacker actually wants). Naming the four P's in a lure makes the manipulation easier to spot before you act on it.
- Can phishing come as a text message instead of an email?
- Yes. The same lures arrive as SMS (called smishing) and as voice or callback scams (vishing). Fake package-delivery notices, bank fraud alerts, and account-suspension warnings are especially common over text because a phone screen hides the sender and the full URL. Treat an unexpected text with a link or a phone number the same way you would treat the email version: verify the sender through an independent channel before tapping anything.