π‘οΈ Phishing Analyzer
This is a hybrid multi-agent phishing email analysis system, where deterministic security agents perform detection and scoring, and LLM agents are used strictly for explanation. Orchestration is handled via Prefect.
β¨ Key Features
β Deterministic phishing detection (no AI hallucinations)
β Email header analysis (SPF, DKIM, DMARC)
β Content inspection for phishing language & URLs
β DNS & WHOIS domain intelligence
β Policy-driven risk scoring
β Prefect-based orchestration
β Optional CrewAI explanation layer (non-decision-making)
β Fully unit-tested using pytest
β Python 3.11 compatible (Windows & Linux)
π§ Architecture Overview
Deterministic detection first, LLM explanation second
π Project Structure
phishing_analyzer_project/
β
βββ phishing_analyzer/
β βββ __init__.py
β βββ samples/ # Sample .eml phishing emails
β βββ detector.py # Core detection & scoring logic
β βββ guardrails.py # Safety policies, validation & redaction
β βββ prefect_flow.py # Prefect orchestration flow
β βββ crewai_explainer.py # Optional LLM explanation layer
β
βββ tests/ # Unit tests (pytest)
β βββ test_ingestion.py
β βββ test_header_analysis.py
β βββ test_content_analysis.py
β βββ test_dns_auth.py
β βββ test_domain_analysis.py
β βββ test_risk_scoring.py
β
βββ images/
β βββ title.png
β βββ architechture.png # Architecture & cover images
βββ requirements.txt
βββ pyproject.toml
βββ README.md
π How It Works
1οΈβ£ Email Ingestion
- Parses .eml files
- Extracts headers, body text, URLs, attachments
- Sanitizes content to prevent unsafe processing
2οΈβ£ Deterministic Analysis
- Headers: SPF / DKIM / DMARC validation & anomalies
- Content: Urgent language & link presence
- Domain: WHOIS age detection
- DNS Auth: SPF / DMARC / DKIM record presence
3οΈβ£ Risk Scoring
- Weighted policy-based scoring
- Produces:
- Risk score
- Severity
-Recommended action
4οΈβ£ Reporting
- Generates a structured, human-readable report
- PII-safe with automatic redaction
5οΈβ£ Optional AI Explanation (CrewAI)
- Reads the final report
- Produces analyst-style explanation
- Gracefully skips if CrewAI is not installed
β Never affects detection or scoring
βοΈ Installation
Requirements
Python 3.11 (recommended)
Install Dependencies
python -m pip install -r requirements.txt python -m pip install -e .
CrewAI is optional. Uncomment it in requirements.txt only if required.
βΆοΈ Running the Analyzer
C:\Python311\python.exe -m phishing_analyzer.prefect_flow --eml phishing_analyzer/samples/phish_high_confidence.eml
π§ͺ Testing
Run all unit tests:
python -m pytest -v
Tests cover:
- Email ingestion
- Header anomaly detection
- Content analysis logic
- DNS / WHOIS handling
- Policy-based risk scoring
π€ Sample Output (HighβConfidence Phishing)
Input
samples/phish_high_confidence.eml
================ FINAL REPORT ================
1οΈβ£ EXECUTIVE SUMMARY
This email shows strong indicators commonly associated with phishing attacks.
2οΈβ£ FINAL VERDICT
Decision: Block
3οΈβ£ RISK SCORE
Score: 36
Severity: High
4οΈβ£ KEY FINDINGS
- Header issue: SPF failed
- Header issue: DMARC failed
- Content indicator: Urgent or credential-harvesting language detected
- Domain age: Unable to determine
- Authentication issue: SPF missing
- Authentication issue: DMARC missing
- Authentication issue: DKIM missing
5οΈβ£ EVIDENCE
From Email: alert@goog1e-security.com
From Domain: goog1e-security.com
SPF Result: fail
DKIM Result: missing
DMARC Result: spf=fail dkim=none dmarc=fail
6οΈβ£ SUGGESTED ACTION
Do NOT interact with this email. Block sender and report to security.
================ AI EXPLANATION ================
{'status': 'skipped', 'reason': 'CrewAI not installed'}
π§ Design Principles
- Deterministic security logic first
- LLMs used only for explainability
- Fail-safe risk elevation
- SOC-aligned architecture
- Strong guardrails & sanitization
- High test coverage
π Future Enhancements
- Batch email analysis
- JSON / PDF report export
- GitHub Actions CI
- Docker support
- Threat intelligence feeds (VirusTotal, Talos)
π License
MIT License