How to Triage Suspicious Emails with Claude

Triage suspicious emails with Claude and ToolRouter: analyze them for phishing indicators in headers, links, and content before taking any action.

Tool
Phishing Email Checker

Use Claude with Phishing Email Checker to investigate a reported email and get a verdict with a full explanation. Claude can walk through the specific indicators — spoofed sender headers, mismatched reply-to addresses, malicious link destinations, urgency language — and explain what each one means in plain terms for the person who reported it.

Connect ToolRouter to Claude

  1. Open connector settings.
  2. Add a custom connector with these details:
     Name: ToolRouter
     URL: https://api.toolrouter.com/mcp
  3. Let Claude set you up.

Steps

Once connected (see setup above), use the Phishing Email Checker tool:

  1. Copy the raw email content, headers, and any embedded links into the conversation.
  2. Ask Claude to run `check_email` via `phishing-email-checker` on the email.
  3. Ask Claude to explain which specific indicators are most diagnostic — header anomalies, link mismatches, or content patterns.
  4. Ask Claude to produce a plain-English verdict you can send back to the person who reported the email.

Example Prompt

Try this with Claude using the Phishing Email Checker tool:
Use phishing-email-checker to analyze this email. [paste full email with headers]. Tell me the verdict, list the specific phishing indicators found, explain what each one means, and give me a one-paragraph response I can send back to the employee who reported it.

Tips

  • Include the full raw headers, not just the visible from address — header analysis catches spoofing that the visible sender hides.
  • Ask Claude to explain indicators in plain English so you can communicate the finding to non-technical employees.
  • Ask whether the email matches known phishing campaigns, not just whether individual indicators are present.
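
To show what the raw headers and link markup expose that the visible sender does not, here is an added Python example that checks a constructed message for a mismatched reply-to, failed sender authentication results, and link text that differs from the link destination. It is not the Phishing Email Checker's implementation or ToolRouter code; the sample message, its placeholder domains, and the helper names are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed single-part sample; every address and domain is a placeholder.
RAW = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.test
Subject: Urgent: password expires today

<p>Reset now: <a href="http://login.example-support.test/reset">https://portal.example.com/reset</a></p>
"""

def domain(addr):  # domain part of an address header, '' when the header is absent
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()
def host(text):  # hostname if the string is a URL, else None (e.g. "Click here")
    return urlsplit(text.strip()).hostname

class Links(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data

def indicators(raw):
    msg, found = message_from_string(raw), []
    frm, reply = domain(msg["From"]), domain(msg["Reply-To"])
    if reply and reply != frm:
        found.append(f"Reply-To domain {reply} differs from From domain {frm}")
    # Trust Authentication-Results only when your own receiving server added it.
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "").lower())
    found += [f"{check}={result}" for check, result in results if result != "pass"]
    parser = Links()
    parser.feed(msg.get_payload())
    found += [f"link text shows {host(t)} but href goes to {host(h)}"
              for h, t in parser.links if host(t) and host(t) != host(h)]
    return found
```

Each returned string is an indicator to weigh, not a verdict: a differing reply-to, for example, also occurs in legitimate mail sent through third-party services.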