We all receive malicious or spammy emails from time to time, and while most are easy to tell apart from legitimate mail, there are some that require greater attention to detect. An Unsolicited Commercial Email (UCE), more commonly known as spam, may be an irritant, but it is not a threat to you. Malicious emails, on the other hand, are intended to swindle or steal, and are far more dangerous.

In their book, “Detecting and Combating Malicious Email”, Julie JCH Ryan and Cade Kamachi put malicious emails into two main categories:

  1. Messages that link to malware either as attached executable programs, or as links within the text of the email that link to malicious software downloads.
  2. Messages that induce the reader into acting against their best interests (aka phishing emails), either by adopting a frantic tone that scares the reader into thinking that her system or information has been compromised; or by pretending to seek help for someone in grave distress.

In this post, we put together a simple checklist to help you determine if the email you’re examining is malicious or legit.

Malicious email detection checklist:

Things to observe:

The grammar

  • Check the grammar. An official email will be carefully crafted and error-free. If you notice multiple mistakes, or sentences that sound like gibberish, it’s probably a malicious email.

The tone of the email

  • Does the email have a frantic tone? Phishing emails will often pretend to seek help for someone in distress or warn of suspicious activity on your account. Don’t fall for such tricks.

The domain name

  • Look at the sender’s email address. Is it from a public mail provider (such as Gmail or Yahoo) or from the company’s own domain? An official email should have been sent from the company’s domain.


The raw header

  • If the email content or sender information seems suspicious, check the complete, raw header. The raw header contains a great deal of information that the summary view shown by default does not.

  1. To do this on Gmail, click on the three dots next to the reply button and select “Show original”. On Yahoo, click the gear icon above the message pane and select “View Raw Message”. On Outlook 2016, double-click the email to view it in a full window, and select “File” > “Properties”. The message header is shown in the “Internet Headers” field at the bottom of the window.
  2. Check the sender’s domain name and IP address.
  3. Look up the age of the domain name on Google. Malicious emails are often sent from recently created domains.
  4. Check whether the address in the “Return-Path:” header is the same as the one in the “From:” header.

Email attachments

Malicious email attachments can be tricky to detect. As a general rule, you should avoid downloading ANY file you haven’t been expecting. If you know the sender and have reason to believe that the file may be important but still have doubts, contact the sender using an alternative email address or by phone, and ask for more information.

Links embedded in the text

  • Bad actors will often make the visible text of a link differ from its real destination, so the link appears to point somewhere other than where it actually goes. If the email content includes links, always hover over them to check the actual URLs. If you see a trusted domain name that is slightly misspelled, or a completely unknown domain name, it’s a malicious email.
  • There may also be cases where the email contains shortened links (think tinyurl, bit.ly, goo.gl), so hovering reveals only the shortener’s address and not the original URL. In such cases, use free services online like http://www.getlinkinfo.com/ or http://checkshorturl.com/ to check the full URL before clicking on the link.
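The header and link checks above (Return-Path versus From, visible link text versus real destination, shortened links) as an added Python example; this is not code from the original post. It runs the checks over a constructed sample message using only the standard library; the regex-based anchor extraction is a simplification for illustration, and the shortener list is just the three services named in the checklist.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# URL shorteners named in the checklist: hovering shows only these hosts, never the destination.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl"}
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
SHOWN_HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    """Domain part of an address header value, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def check_email(raw):
    """Apply the checklist's header and link checks to a raw message; return findings."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(errors="replace")
        for href, text in ANCHOR.findall(body):
            host = strip_www((urlparse(href).hostname or "").lower())
            if host in SHORTENERS:
                findings.append(f"shortened link {href} hides its destination")
            shown = SHOWN_HOST.search(re.sub(r"<[^>]+>", "", text))  # host the reader sees
            if shown and strip_www(shown.group(1).lower()) != host:
                findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings

# Constructed sample (not a real email): Return-Path mismatch, look-alike link, shortener.
SAMPLE = """From: "Example Bank" <alerts@example-bank.com>
Return-Path: <bounce@mail-relay.example>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Unusual activity was detected. Sign in at
<a href="http://example-bank.com.login-verify.example/">https://www.example-bank.com/secure</a>
or use <a href="http://bit.ly/abc123">this short link</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE):
        print("FLAG:", finding)
```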

Most importantly, when looking at an unexpected email from an unknown sender, use common sense and caution. Do you really need to open the email, click on a link, or open that attachment? Proceed only if the answer to all those questions is ‘yes’. In all other cases, use “Report as spam”, “Delete”, or both.