Graphical PowerShell application designed to help investigators, security analysts, and IT professionals examine email headers for signs of phishing or spoofing. The tool parses headers from .eml and .msg files, highlights important fields, and provides insights into SPF, DKIM, and DMARC results.
- GUI-based interface using
System.Windows.Forms - Load
.emlor.msg (actually via COM and/or dll support!)files directly - Parses and highlights:
SPF,DKIM, andDMARCresults- Common headers like
From,To,Subject, etc. - All
Receivedroutes
- Color-coded verdicts (green for pass, red for fail)
- Export results to:
- Plain text (
.txt) - Comma-separated values (
.csv)
- Plain text (
-
Run the script in a PowerShell console:
.\phat.ps1
-
Paste headers manually or load a .eml/.msg file.
-
Click "Check" to parse and display header information.
-
Optionally, click "Export TXT" or "Export CSV" to save the analysis.
Windows PowerShell
.NET Framework (for Windows Forms) PowerShell Execution Policy allowing script execution (e.g. RemoteSigned)
For .msg support you need Outlook installed! Or download msgreader.dll and put it in root dir of phat.ps1 (https://github.com/Sicos1977/MSGReader)

