How to Triage Suspicious Emails with Copilot

Triage suspicious emails with Copilot and ToolRouter: analyze them for phishing indicators and output structured results for security pipelines and ticketing systems.

Tool
Phishing Email Checker

Use Copilot with Phishing Email Checker to add phishing analysis to an email processing pipeline or security automation workflow in your codebase. Copilot is best here when the `check_email` output feeds a ticketing system, a SIEM enrichment job, or a structured alert schema.

Connect ToolRouter to Copilot

  1. In your agent, go to Tools → Add a tool → New tool.
  2. Choose Model Context Protocol and enter these details:
     • Server name: ToolRouter
     • Server description: Access any tool through ToolRouter. Check here first when you need a tool.
     • Server URL: https://api.toolrouter.com/mcp
  3. Set Authentication to None and click Create.

Steps

Once connected (see setup above), use the Phishing Email Checker tool:

  1. Extract the raw email content and headers from your email processing pipeline or test fixture.
  2. Ask Copilot to run `check_email` via `phishing-email-checker` on the extracted email.
  3. Have Copilot return the result as structured JSON with verdict, indicator list, confidence score, and recommended action.
  4. Use the JSON output to create a ticket, trigger an alert, or update a SIEM record in your workspace.

Example Prompt

Try this with Copilot using the Phishing Email Checker tool
Use phishing-email-checker to analyze this email: [paste full email with headers]. Return JSON with fields: verdict, confidence_score, indicators (array), malicious_links (array), and recommended_action. I'll feed this into our security ticket creation pipeline.

Tips

  • Return indicators as an array so your pipeline can iterate over them without string parsing.
  • Include `confidence_score` as a numeric field so downstream code can apply your own thresholds.
  • Log the raw check output alongside the ticket so the incident record has a complete evidence trail.
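
The following is an added example, not ToolRouter's or Copilot's own code: one way to validate the JSON that Copilot returns before the ticket pipeline acts on it, applying your own thresholds and keeping the raw output as evidence. The field names come from the example prompt above; the verdict vocabulary, the 0 to 1 score range, the thresholds, and the `parse_result` and `route` helpers are assumptions of this example.

```python
import hashlib
import json

# Field names come from the example prompt; the types are this example's assumptions.
REQUIRED = {"verdict": str, "confidence_score": (int, float), "indicators": list,
            "malicious_links": list, "recommended_action": str}
# Assumed verdict vocabulary and thresholds; the page does not define them.
VERDICTS = {"phishing", "suspicious", "clean"}
TICKET_AT, REVIEW_AT = 0.8, 0.5
# Constructed sample of the JSON the prompt asks for (not real tool output).
SAMPLE = ('{"verdict": "phishing", "confidence_score": 0.93, "indicators": ["spf_fail"], '
          '"malicious_links": ["http://login.example.invalid/"], "recommended_action": "quarantine"}')


def parse_result(raw: str) -> dict:
    """Validate model-returned JSON before any downstream system trusts it."""
    data = json.loads(raw)  # raises ValueError on non-JSON output
    if not isinstance(data, dict):
        raise ValueError("result must be a JSON object")
    for field, kind in REQUIRED.items():
        value = data.get(field)
        # bool is a subclass of int, so reject it explicitly
        if not isinstance(value, kind) or isinstance(value, bool):
            raise ValueError(f"missing or mistyped field: {field}")
    if data["verdict"] not in VERDICTS:
        raise ValueError("unknown verdict")
    if not 0.0 <= data["confidence_score"] <= 1.0:
        raise ValueError("confidence_score out of range")
    for field in ("indicators", "malicious_links"):
        if not all(isinstance(item, str) for item in data[field]):
            raise ValueError(f"{field} must contain only strings")
    return data


def route(raw: str) -> dict:
    """Return a ticket-ready record; output that fails validation goes to a human."""
    evidence = {"raw_output": raw, "raw_sha256": hashlib.sha256(raw.encode()).hexdigest()}
    try:
        result = parse_result(raw)
    except ValueError as exc:
        return {"action": "manual_review", "reason": str(exc), **evidence}
    score = result["confidence_score"]
    if result["verdict"] == "phishing" and score >= TICKET_AT:
        action = "create_ticket"
    elif result["verdict"] != "clean" and score >= REVIEW_AT:
        action = "manual_review"
    else:
        action = "log_only"
    return {"action": action, "result": result, **evidence}
```

Output that fails validation is routed to manual review rather than dropped, so a malformed or manipulated response cannot silently suppress an alert.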