Forward-as-Attachment
Regular “Forward” strips the headers. Forward-as-attachment preserves the entire message — every header, every authentication result, every hidden signal a SOC would use to trace the campaign. This is the single most important skill in Module 2. If you only remember one thing from this entire course, remember this.
The scary button is your friend.
“Forward as Attachment” (sometimes labeled “Send as Attachment” or described as “forward as .eml attachment”) is tucked into a sub-menu in every major desktop and web mail client. That’s not because it’s dangerous — it’s because most users don’t need it. The default forward covers 99% of everyday use cases, so the preservation version gets hidden one level deeper. Security teams are the 1% that needs it. Once you know where it lives in your client, it’s a two-second action.
Modern AI makes fakes look perfect, which means the metadata underneath a message is often the only reliable way a SOC can tell a good fake from a real one. Forward-as-attachment is how that metadata gets to them intact.
Why Regular Forward Fails
Hitting the normal Forward button does something that feels right but is actually destructive. Your mail client creates a brand-new email with the original’s body copy-pasted in. The new email’s headers reflect the new trip — from you, on your mail server, to the SOC. The original Received headers — the server chain that shows the attacker’s infrastructure — are gone. The DKIM-Signature header and the Authentication-Results header that would have told the SOC whether SPF, DKIM, and DMARC passed or failed are gone too, and even if a client copied them across they would be meaningless: a DKIM signature covers the original message’s headers and body, so it cannot verify against the forwarded copy, and the authentication results describe a delivery the SOC never saw. You’ve handed the SOC a transcript of a crime scene instead of the crime scene itself.
Per-Client Step-by-Step
The exact click path varies by client. Here are the clients you’re most likely to use.
Gmail (web)
- Open the suspicious message.
- Click the three-dot menu at the top right of the message itself — not the three-dot menu of the whole Gmail window.
- Select Forward as attachment.
- Compose the report email and send.
Outlook (web / Microsoft 365)
- Open the suspicious message.
- Click the three-dot menu at the top of the message.
- Select Forward as attachment. On some builds you may need to expand More actions first.
- Compose and send.
Apple Mail (macOS)
- Select the suspicious message in the message list with a single click (the command also works with the message open in its own window).
- From the menu bar, choose Message → Forward as Attachment.
- Or use the shortcut Control+Shift+Cmd+F. Note that Shift+Cmd+F on its own is the regular Forward, which is exactly the one you want to avoid here.
- Compose and send.
iOS Mail
iOS Mail does not have a native forward-as-attachment option. If the phishing message only exists on your phone, you have three workarounds:
- Open the same message on desktop — Gmail, Outlook web, or your desktop mail client will show the same inbox. Forward-as-attachment from there.
- Use your organization’s reporting add-in — many workplaces have a “Report Phishing” button baked into the mobile mail app or deployed as a Microsoft 365 / Google Workspace add-in. That button submits the full message, headers included, without any forwarding on your part, and is the right choice when available.
- Screenshot + regular forward, with a warning — if neither of the above is available, screenshot the message (Lesson 2.2), then forward it normally, and include a line in your report that says “headers were not preserved — sent from iOS Mail.” It’s a last resort, but it’s better than nothing.
Outlook Mobile (iOS/Android)
Some versions include an “Attach email” option in the compose flow. If your version has it, use it. If not, fall back to the same three-option workaround as iOS Mail.
What Happens on the Receiving End
The recipient — your SOC, your IT team, an abuse address — opens the .eml attachment in their mail client and sees the original message exactly as it arrived in your mailbox, with every header intact; your report’s own headers only describe the outer wrapper. From there they can use “View Original” (Lesson 3.1) to read the raw headers, or paste them into the Show Original Decoder (Lesson 3.2) to parse the authentication results. That workflow only works because the attachment preserved what a regular forward would have destroyed.
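The difference described in “Why Regular Forward Fails” and the receiving-end workflow above, shown in working code. This is an added example, not material from the course or from any mail client; it uses Python’s standard email library to build a constructed sample phishing message (hostnames, addresses, IPs, message ID and signature values are placeholders), forwards it both ways, and then plays the SOC side by pulling the original back out of the .eml (message/rfc822) attachment and reading its relay chain and authentication results:

```python
"""Added example: inline Forward vs. Forward-as-Attachment, and what a SOC
can recover from each. Sample message and all names are constructed."""
import re
from typing import Dict, List, Optional
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a phishing message as it arrived in the victim's mailbox.
# Received headers are prepended by each hop, so the top one is the last hop and
# the bottom one names the attacker's relay. Values are placeholders.
ORIGINAL_RAW = """\
Received: from mail.corp.example (mail.corp.example [10.0.0.5])
\tby mx.corp.example with ESMTP id abc123; Mon, 3 Jun 2024 09:15:02 +0000
Received: from relay.attacker-host.example (unknown [203.0.113.77])
\tby mail.corp.example with ESMTP id xyz789; Mon, 3 Jun 2024 09:15:01 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bank.example;
\tdkim=none; dmarc=fail header.from=bank.example
DKIM-Signature: v=1; a=rsa-sha256; d=attacker-host.example; s=sel;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: "Bank Security" <alerts@bank.example>
To: victim@corp.example
Subject: Urgent: verify your account
Message-ID: <phish-0001@attacker-host.example>
Date: Mon, 3 Jun 2024 09:15:00 +0000
Content-Type: text/plain; charset=utf-8

Click https://bank.example.attacker-host.example/login to verify.
"""

REPORTER = "victim@corp.example"   # assumed reporter address
SOC = "soc@corp.example"           # assumed reporting mailbox


def parse_original() -> EmailMessage:
    """The message as the user sees it in the mailbox."""
    return message_from_string(ORIGINAL_RAW, policy=policy.default)


def forward_inline(original: EmailMessage) -> EmailMessage:
    """Regular Forward: a brand-new message carrying only the original's body text.
    Nothing copies the Received, Authentication-Results or DKIM-Signature headers."""
    fwd = EmailMessage()
    fwd["From"] = REPORTER
    fwd["To"] = SOC
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd.set_content("---------- Forwarded message ----------\n" + original.get_content())
    return fwd


def forward_as_attachment(original: EmailMessage) -> EmailMessage:
    """Forward as Attachment: the original is wrapped whole as a message/rfc822
    part (the .eml attachment), so its headers travel inside the report."""
    fwd = EmailMessage()
    fwd["From"] = REPORTER
    fwd["To"] = SOC
    fwd["Subject"] = "Phishing report: " + str(original["Subject"])
    fwd.set_content("Suspicious message attached exactly as received.")
    fwd.add_attachment(original)  # an EmailMessage payload becomes a message/rfc822 part
    return fwd


def headers_of(msg: EmailMessage, name: str) -> List[str]:
    """All values of one header on this message itself (attachments not searched)."""
    return [str(v) for v in msg.get_all(name, [])]


# --- receiving end: what the SOC does with the report it was sent ------------

def extract_attached_original(report_raw: str) -> Optional[EmailMessage]:
    """Parse the received report and return the embedded original, if any.
    A regular forward has no message/rfc822 part, so this returns None for it."""
    report = message_from_string(report_raw, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)")


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers.
    The first (topmost) header wins: that is the one your own border MX added."""
    verdicts: Dict[str, str] = {}
    for value in headers_of(msg, "Authentication-Results"):
        for method, verdict in AUTH_RE.findall(value):
            verdicts.setdefault(method, verdict)
    return verdicts


def relay_chain(msg: EmailMessage) -> List[str]:
    """Hosts named in 'Received: from ...' headers, reordered into delivery order."""
    hops = []
    for value in headers_of(msg, "Received"):
        m = RECEIVED_FROM_RE.match(value.strip())
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


if __name__ == "__main__":
    original = parse_original()
    for label, report in (("inline", forward_inline(original)),
                          ("attachment", forward_as_attachment(original))):
        inner = extract_attached_original(report.as_string())
        if inner is None:
            print(f"{label}: no original message recoverable")
        else:
            print(f"{label}: chain={relay_chain(inner)} auth={auth_results(inner)}")
```

Run as a script, the inline forward yields nothing for the SOC to parse, while the attachment forward gives back the full relay chain (attacker relay first, your own server last) and the spf/dkim/dmarc verdicts your border mail server recorded. The outer report message carries no forensic headers in either case; the point is that only the attachment carries the original's.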
Regular forward is fine for Grandma's recipe. Forward-as-attachment is how you preserve evidence. Know the difference.
Key Takeaways
- Regular Forward rewrites the headers to reflect the new trip (you → SOC), destroying the original relay chain, the DKIM signature, and the recorded authentication results.
- Forward-as-attachment wraps the original message in a .eml file, preserving every header and signature exactly as received.
- Every major desktop mail client supports it — Gmail, Outlook, and Apple Mail all have it in a sub-menu once you know where to look.
- iOS Mail doesn’t support it natively; use desktop, your org’s Report Phishing button, or a labeled screenshot-plus-forward as a last resort.