Phish verification page

A customer’s IT team gets a frantic ticket: “This email looks like phishing — should I declare an incident?” Before they spin up an investigation, they want to rule out the boring explanation: it was your phishing simulation. The Phish Verification Page at verify.infimasec.com answers that question in seconds. Upload the email, get a verdict.

This is a public web page — no login. Share the URL with your customers’ IT teams so they can self-serve the check without paging you.

Tip

If you’ve deployed the Report Phishing button for this client, you can usually skip the verification page entirely. When a user clicks the button on a suspicious email, we tell them immediately whether it was a simulation — no .eml export, no upload, no ticket-and-wait. The verification page is the manual fallback for users who didn’t have the button (no deployment yet, mobile mail clients, manual-setup clients), or for IT teams investigating an email after the fact.

When to use it

• A customer’s IT team escalates a suspicious email and wants to rule out (or in) the simulation before opening an incident.
• A user reported “this is real phishing” through their own channels (not the Report Phishing button) and you want to confirm at a glance whether it’s actually one of your tests.
• You’re auditing whether a phishing test rotation landed correctly during a rollout.
• A user got a training reminder or onboarding email that looks unusual to them, and someone wants to confirm we sent it.

You’ll need

• The suspicious email saved as a .eml file (the standard email-with-headers format every mail client can export).

How to save an email as .eml:

• Outlook (desktop) — open the email → File → Save As, pick .eml as the format. Outlook sometimes defaults to .msg; switch the file-type dropdown to Outlook Message Format - Unicode’s .eml sibling.
• Outlook on the web / new Outlook — open the email → three-dot menu → Save as → .eml.
• Gmail web — open the email → three-dot menu inside the open message → Download message. The downloaded file is .eml.
• Apple Mail — drag the message to your desktop; it saves as .eml.

If your mail client only exports forwarded versions (Outlook’s “Forward as Attachment”), that works too — what we need is the headers-intact original.

Verify an email

1. Save the suspicious email as a .eml file using the directions for your mail client above.

2. Open verify.infimasec.com.

3. Upload the .eml file through the upload control on the page.

4. Read the verdict. The page returns one of these answers:

   • “This was an INFIMA phishing simulation” — yes, we sent it as part of a test. Often the page surfaces which test and when, so you can cross-reference against your dashboard activity log.
   • “This is a legitimate INFIMA email” — yes, we sent it, but as training delivery, an onboarding email, a reminder, or similar — not a phishing test. The user can safely interact with it.
   • “This does not appear to be from INFIMA” — we didn’t send it. The customer’s IT team should treat it on its merits — could be real phishing, a third-party legitimate email, or anything else. We can’t tell them which from this tool alone.

You’ll know it worked when

• The page returned a verdict (one of the three above) rather than an “upload failed” error.
• The verdict matches your expectation, or at least gives you a starting point for the next step (close the ticket, dig deeper, or escalate to incident response).

Frequently asked

Can the customer’s IT team use this directly, or is it partner-only? Anyone can use it — verify.infimasec.com is a public page with no login. Share the URL freely with customers’ IT teams; that’s the intended use. Faster for them, less pressure on you.

My upload returns “this does not appear to be from INFIMA” but I’m sure we sent it. Three things to check, in order: (1) the file you uploaded is the original headers-intact .eml, not a forwarded copy where the forwarding mail client stripped or replaced the headers; (2) you uploaded the right email (sometimes the customer attaches the wrong one); (3) the email is genuinely from us — confirm against the activity log for the user in question. If you’ve ruled out 1 and 2 and the activity log shows we sent it, contact our support team with the .eml so we can dig in.

The user already clicked the link in the simulation. Does the verdict change? Yes — for simulations specifically, the page surfaces whether the user has already clicked. That’s useful when the customer’s IT team finds the email in the user’s mailbox after a click event has already fired: you can confirm we recorded the click.

Can I verify an email that’s already been deleted or moved? Only if you can recover the .eml. Check the customer’s mail server retention (some retain a copy in journal archives even after the user deletes), or check the user’s Deleted Items / Junk. If it’s truly gone from the mailbox, there’s nothing to upload — but you can cross-reference the user’s recent phishing test activity in the dashboard to make an educated guess.

Does the verification page work for emails sent to manual-setup clients? Yes — the verdict is based on the email’s contents, not on who received it. As long as we sent it, the page recognizes it regardless of whether the recipient’s client is sync’d or manual.

Does uploading a .eml reveal the email’s content to anyone else? The uploaded file is processed to extract the verdict and then discarded. We don’t archive uploads for browsing, and the page isn’t connected to any shared inbox or third-party. That said, treat the URL the same way you treat any external upload: don’t share it on a screen where the contents of the uploaded email would be sensitive.

Can I verify multiple emails in bulk? Not from this page — it’s one upload at a time. For bulk audits during a test rollout, use the phishing activity view in the dashboard, which shows every test we sent to that client without needing to re-upload anything.

My customer’s IT team is asking me to whitelist verify.infimasec.com. There’s nothing to whitelist for this tool — the page is fetched directly in their browser and doesn’t need any allow-listing on their mail security stack.

Related

• Read phishing activity — in-app view of every phishing test sent to a specific client’s users; useful for cross-referencing the verification result.
• Report Phishing button — what users click when they think they’ve spotted phishing; this verification page is the manual fallback when they didn’t (or couldn’t) use the button.