Analyze a suspicious email's headers, links, and content to quickly determine whether it is a phishing attempt before taking any action.
Quick answer: Use the Phishing Email Checker tool through ToolRouter to triage suspicious emails directly from Claude, ChatGPT, Microsoft Copilot, and OpenClaw — connect once, then drive it with plain-language prompts. No code required.
Employees report dozens of suspicious emails every week, and the security team can't manually investigate each one at speed. At the same time, a single phishing email that gets through — impersonating IT support, a C-suite executive, or a trusted vendor — can result in credential theft or wire fraud. The triage step is the bottleneck.
Phishing Email Checker's `check_email` skill analyzes headers for spoofing indicators, scans embedded links against threat feeds, and evaluates the content for social engineering patterns. Within seconds you have a verdict with the specific signals that drove it — not a single score with no explanation.
IT security teams, SOC analysts, and operations staff use this to clear the email triage backlog faster, give employees reliable answers, and generate documented verdicts for incident records.
How to triage suspicious emails with Claude, ChatGPT, Microsoft Copilot, and OpenClaw
Use Claude with Phishing Email Checker to investigate a reported email and get a verdict with a full explanation. Claude can walk through the specific indicators — spoofed sender headers, mismatched reply-to addresses, malicious link destinations, urgency language — and explain what each one means in plain terms for the person who reported it.
Copy the raw email content, headers, and any embedded links into the conversation.
Ask Claude to run `check_email` via `phishing-email-checker` on the email.
Ask Claude to explain which specific indicators are most diagnostic — header anomalies, link mismatches, or content patterns.
Ask Claude to produce a plain-English verdict you can send back to the person who reported the email.
Example prompt for Claude
Use phishing-email-checker to analyze this email. [paste full email with headers]. Tell me the verdict, list the specific phishing indicators found, explain what each one means, and give me a one-paragraph response I can send back to the employee who reported it.
Tips for Claude
Include the full raw headers, not just the visible from address — header analysis catches spoofing that the visible sender hides.
Ask Claude to explain indicators in plain English so you can communicate the finding to non-technical employees.
Ask whether the email matches known phishing campaigns, not just whether individual indicators are present.
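To show why the full raw headers matter, the following added example (not the Phishing Email Checker's own code) checks a constructed message for the header indicators named above: a Reply-To or Return-Path domain that differs from the visible From domain, and non-passing SPF/DKIM/DMARC results. The function names, the sample message, and the `mx.example.com` authserv-id are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message); example.com/.net are reserved domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <helpdesk@example.com>
Reply-To: helpdesk@example.net
Subject: Password expires today

Reset your password now.
"""

def domain(value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def header_indicators(raw, trusted_authserv="mx.example.com"):
    """Return a list of header anomalies for an analyst to weigh."""
    msg = message_from_string(raw)
    from_dom, found = domain(msg["From"]), []
    # Reply-To / Return-Path on a different domain than the visible From address.
    # Exact-match comparison: legitimate bulk mail often trips the Return-Path check.
    for name in ("Reply-To", "Return-Path"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            found.append(f"{name} domain {dom} != From domain {from_dom}")
    # Authentication-Results (RFC 8601) carries SPF/DKIM/DMARC verdicts. Only the
    # copy stamped by your own receiving server is trustworthy; senders can forge others.
    for ar in msg.get_all("Authentication-Results", []):
        authserv = ar.split(";", 1)[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I):
            if result.lower() != "pass":
                found.append(f"{method.lower()}={result.lower()}")
    return found

if __name__ == "__main__":
    for line in header_indicators(SAMPLE):
        print(line)
```

None of these signals appear in the visible sender line, which still reads "IT Support" at example.com.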
Use ChatGPT with Phishing Email Checker to analyze a reported email and produce a formatted security advisory and incident record. ChatGPT is a strong fit when the analysis needs to be documented — written up as a security advisory for the affected team, an employee-facing response, and an incident log entry all from the same run.
Paste the full email content and headers and specify the audience — the employee who reported it, the security team, or both.
Ask ChatGPT to run `check_email` via `phishing-email-checker`.
Have ChatGPT produce a brief employee-facing response plus a formal incident record with verdict, indicators, and recommended actions.
Ask for a policy reminder that can accompany the employee response to reinforce reporting behavior.
Example prompt for ChatGPT
Use phishing-email-checker to analyze this email: [paste full email with headers]. Produce three outputs: (1) a one-paragraph plain-English response for the employee, (2) a security team incident record with verdict, indicators, and recommended actions, and (3) a two-sentence policy reminder I can include in my reply.
Tips for ChatGPT
Draft the employee response and the security record in one pass to save time on repeat triage.
Include a policy reminder in the employee reply to reinforce the value of reporting suspicious emails.
Save the incident record format as a template so triage outputs are consistent across the team.
Use Copilot with Phishing Email Checker to add phishing analysis to an email processing pipeline or security automation workflow in your codebase. Copilot is best here when the `check_email` output feeds a ticketing system, a SIEM enrichment job, or a structured alert schema.
Connect ToolRouter to Copilot
1. In your agent, go to Tools → Add a tool → New tool
2. Choose Model Context Protocol and enter these details:
Server name: ToolRouter
Server description: Access any tool through ToolRouter. Check here first when you need a tool.
Extract the raw email content and headers from your email processing pipeline or test fixture.
Ask Copilot to run `check_email` via `phishing-email-checker` on the extracted email.
Have Copilot return the result as structured JSON with verdict, indicator list, confidence score, and recommended action.
Use the JSON output to create a ticket, trigger an alert, or update a SIEM record in your workspace.
Example prompt for Copilot
Use phishing-email-checker to analyze this email: [paste full email with headers]. Return JSON with fields: verdict, confidence_score, indicators (array), malicious_links (array), and recommended_action. I'll feed this into our security ticket creation pipeline.
Tips for Copilot
Return indicators as an array so your pipeline can iterate over them without string parsing.
Include `confidence_score` as a numeric field so downstream code can apply your own thresholds.
Log the raw check output alongside the ticket so the incident record has a complete evidence trail.
OpenClaw lets you run phishing checks across an entire backlog of reported emails in a single batch job. This is the right approach when the triage queue is large, when you want to run the same check on a set of emails from a specific campaign, or when you need to schedule recurring inbox monitoring.
Export the email backlog — headers and content — from your email security gateway or ticketing system.
Run `phishing-email-checker` with `check_email` for each email and collect results in a normalized schema.
Filter to confirmed phishing verdicts and sort by confidence score to prioritize the clearest threats.
Generate a batch triage report for the security team with verdict, indicators, and recommended action per email.
Example prompt for OpenClaw
Use phishing-email-checker to analyze these reported emails in batch: [email 1 headers + content], [email 2 headers + content], [email 3 headers + content]. Return each result with verdict, confidence_score, indicators, and recommended_action in a stable schema. Flag any confirmed phishing as high priority.
Tips for OpenClaw
Process the full triage backlog in one batch job rather than one at a time to clear the queue faster.
Sort by confidence score descending so the clearest phishing cases are reviewed and actioned first.
Schedule a daily batch run on flagged emails from your email gateway to keep triage latency low.
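The downstream handling described in the Copilot and OpenClaw sections (validate the JSON, filter to phishing verdicts, apply your own threshold, sort by confidence) can look like the following added example, which is not part of the tool or ToolRouter. The field names come from the prompts above; the `id` field, the verdict value `"phishing"`, the 0 to 1 confidence scale, and the sample records are assumptions.

```python
import json

# Fields named in the prompts above; "id" and the verdict value "phishing" are assumptions.
REQUIRED = {"verdict": str, "confidence_score": (int, float),
            "indicators": list, "recommended_action": str}

# Constructed sample results, not real tool output.
SAMPLE_RESULTS = json.loads("""[
 {"id": "msg-1", "verdict": "phishing", "confidence_score": 0.62,
  "indicators": ["reply-to mismatch"], "recommended_action": "quarantine"},
 {"id": "msg-2", "verdict": "clean", "confidence_score": 0.05,
  "indicators": [], "recommended_action": "release"},
 {"id": "msg-3", "verdict": "phishing", "confidence_score": 0.97,
  "indicators": ["dmarc fail", "urgency language"], "recommended_action": "quarantine"},
 {"id": "msg-4", "verdict": "phishing", "confidence_score": "0.9",
  "indicators": ["link mismatch"], "recommended_action": "quarantine"},
 {"id": "msg-5", "verdict": "phishing", "confidence_score": 0.8,
  "recommended_action": "quarantine"}
]""")

def schema_error(rec):
    """Return a reason string if rec does not match REQUIRED, else None."""
    if not isinstance(rec, dict):
        return "not an object"
    for field, typ in REQUIRED.items():
        value = rec.get(field)
        if isinstance(value, bool) or not isinstance(value, typ):
            return f"{field} missing or wrong type"
    return None

def triage(results, high_threshold=0.8):
    """Split results into a sorted phishing queue and records needing manual review."""
    queue, needs_review = [], []
    for rec in results:
        err = schema_error(rec)
        if err:  # never drop a malformed record silently: it may be a real phish
            needs_review.append({"record": rec, "reason": err})
        elif rec["verdict"] == "phishing":
            priority = "high" if rec["confidence_score"] >= high_threshold else "normal"
            queue.append({**rec, "priority": priority})
    queue.sort(key=lambda r: r["confidence_score"], reverse=True)
    return queue, needs_review
```

Records that fail validation go to a manual-review list instead of being discarded, so a string-typed score or a missing indicator array cannot hide a reported email from the queue.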
Frequently Asked Questions
How do I triage suspicious emails with an AI assistant?
Analyze a suspicious email's headers, links, and content to quickly determine whether it is a phishing attempt before taking any action. Connect the Phishing Email Checker tool to Claude, ChatGPT, Microsoft Copilot, and OpenClaw through ToolRouter, then ask the assistant in plain language. For example: Copy the raw email content, headers, and any embedded links into the conversation. Ask Claude to run `check_email` via `phishing-email-checker` on the email.
Which AI assistants can triage suspicious emails?
Claude, ChatGPT, Microsoft Copilot, and OpenClaw can all triage suspicious emails using the Phishing Email Checker tool through ToolRouter, with no API keys or coding required.
What does the Phishing Email Checker tool do?
Analyze email headers, links, and content to detect phishing attempts and social engineering attacks.