An approach is proposed to support neutralizing real cyber threats to training materials by intercepting, modifying and redistributing active content(s) of an email arrived at a recipient's email account. Specifically, when the recipient triggers an active content such as an URL link embedded in and/or opens an attachment to the email, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the active content is determined to be malicious, the malicious active content in the email is then disassembled and deactivated while the payload is reconstructed with links and markings for training purposes. The recipient is then provided with an anti-phishing training exercise, wherein content of the training exercise is specifically customized for the recipient based on the reconstructed payload of the received email and/or the recipient's security posture and awareness.