Phishing Email Detector AI Agent

Introduction and Features

The Phishing Email Detector AI Agent is a sophisticated tool designed to help users identify and analyze potential phishing attempts in received emails. With this comprehensive solution, users can quickly determine if an email poses a security threat through multi-layered analysis. Key functionalities include:

• Content Analysis: Examines email text for suspicious phrases, urgency indicators, and social engineering tactics
• URL Analysis: Identifies and evaluates links for suspicious patterns, redirects, and malicious indicators
• Sender Reputation: Checks the sender's email domain against reputation databases and analyzes trustworthiness
• Header Authentication: Verifies email authentication protocols (SPF, DKIM, DMARC) to detect spoofing attempts
• AI-Powered Analysis: Leverages OpenAI's advanced models for comprehensive threat assessment
• Risk Classification: Provides detailed risk scoring and classification with actionable recommendations

Technology Stack

This project is built using the BeeAI Framework, a powerful TypeScript framework designed for building production-ready multi-agent systems. The BeeAI Framework provides

The Phishing Email Detector leverages BeeAI's agent architecture to create a specialized security agent with advanced analysis capabilities, combining multiple tools and AI models for comprehensive phishing detection.

How to Use the Phishing Email Detector AI Agent

1. Input your data: Provide the sender's email address, subject line, email content, and optionally the email headers.
2. Choose an AI Model: Select between gpt-4o (most accurate) or gpt-4o-mini (faster) models.
3. Set up alerts: Optionally provide email addresses to receive alerts when phishing emails are detected.
4. Run the Actor: Execute the actor to get a comprehensive analysis report with detailed insights.

Example JSON Input

1{
2    "email": "security@bank-secure.com",
3    "subject": "Your Account Requires Immediate Verification",
4    "content": "Dear Customer, We have detected unusual activity on your account. Please click the link below to verify your identity and secure your account: https://secure-verification.com/verify?id=12345",
5    "headers": "From: security@bank-secure.com
Return-Path: <different@suspicious.com>
Authentication-Results: spf=fail; dkim=fail",
6    "modelName": "gpt-4o",
7    "emailsToAlert": ["your-email@example.com"]
8}

Example Files

The repository includes example files to help you understand the expected input format and see how the detector differentiates between phishing and legitimate emails:

• examples/phishing_email_sample.json: A typical phishing email with multiple red flags
• examples/legitimate_email_sample.json: A legitimate email with proper authentication

These examples can be used as templates for testing the detector or understanding the format requirements.

Pricing Explanation

The current pricing model is under development. Please check Apify platform updates for the latest information about usage costs and pricing specifics.

Input and Output Examples

Input Requirements

• email: The sender's email address (required)
• subject: The subject line of the received email (required)
• content: The full content/body of the received email (required)
• headers: Optional raw email headers for authentication analysis
• modelName: The OpenAI model to use - gpt-4o or gpt-4o-mini (required)
• emailsToAlert: Optional list of email addresses to receive alerts when phishing emails are detected

Example JSON Output

1{
2    "rawResponse": "Based on the comprehensive analysis of the email's headers, sender reputation, content, and URLs, here's the detailed assessment:

1. **Classification:** Phishing
2. **Risk Score:** 9.0
3. **Risk Level:** Critical
4. **Detailed Reasons for the Classification:**
   - **Header Authentication:** The SPF and DKIM checks have failed, indicating potential spoofing. The mismatched 'From' and 'Return-Path' headers suggest the email may be deceitful.
   - **Sender Reputation:** The sender email 'janedoe@gmail.com' is a common personal email domain not aligned with the supposed sender 'security@bank-secure.com'. This mismatch is typical in phishing schemes.
   - **Content Analysis:** The email uses urgency with phrases like "unusual activity" and "immediate verification" to coax quick, uninformed action. The impersonal greeting ("Dear Customer") and suspicious link further hint at phishing.
   - **URL Safety:** The domain "secure-verification.com" is generic and not affiliated with any known brand, which is suspicious and aligns with phishing tactics aimed at credential harvesting.

5. **Recommendations for the User:**
   - Do not click on any links or download attachments from this email.
   - Verify the legitimacy by directly contacting the supposed sender (bank) using official contact details obtained independently (e.g., from a known website or bank statement).
   - Report the email to your email provider as phishing to help prevent future attacks.
   - Consider setting up additional security measures, like multi-factor authentication, for your email and bank accounts. 

This email exhibits several red flags for phishing and should be treated with extreme caution.",
3    "classification": "Phishing",
4    "riskScore": 9.5,
5    "riskLevel": "Critical",
6    "reasons": [
7        "The email headers show failed SPF and DKIM checks, indicating potential spoofing.",
8        "The 'From' address does not match the 'Return-Path', suggesting email spoofing.",
9        "The sender email 'janedoe@gmail.com' does not align with the 'From' address, indicating a mismatch.",
10        "The email content uses urgency and pressure tactics, common in phishing attempts.",
11        "The URL 'https://secure-verification.com/verify?id=12345' is suspicious due to its generic domain and lack of association with a known entity.",
12        "The email lacks personalization and uses generic greetings, typical of phishing emails.",
13        "The sender's reputation is critical due to the mismatch and the nature of the email content."
14    ],
15    "recommendations": [
16        "Do not click on any links or download attachments from this email.",
17        "Verify the legitimacy of the email by contacting the supposed sender through official channels.",
18        "Report the email to your email provider as phishing.",
19        "Ensure your email security settings are up to date to filter out similar threats.",
20        "Educate yourself on recognizing phishing attempts to avoid future risks."
21    ],
22    "senderAnalysis": {
23        "reputation_score": 9,
24        "known_malicious": false,
25        "risk_level": "critical"
26    },
27    "urlAnalysis": {
28        "suspicious_count": 0,
29        "highest_risk_score": 0
30    },
31    "headerAnalysis": {
32        "authentication_score": -10,
33        "is_suspicious": true
34    },
35    "contentAnalysis": {
36        "sentiment": "neutral",
37        "urgency_level": 0,
38        "suspicious_phrases": []
39    },
40    "input": {
41        "email": "janedoe@gmail.com",
42        "subject": "Your Account Requires Immediate Verification",
43        "content": "Dear Customer, We have detected unusual activity on your account. Please click the link below to verify your identity and secure your account: https://secure-verification.com/verify?id=12345",
44        "headers": "From: security@bank-secure.com
Return-Path: <different@suspicious.com>
Authentication-Results: spf=fail; dkim=fail",
45        "modelName": "gpt-4o"
46    }
47}

Integration Options

The Phishing Email Detector AI Agent can be integrated into your existing security infrastructure in several ways:

1. API Integration: Call the Apify Actor directly from your applications
2. Email Gateway: Set up automatic forwarding of suspicious emails for analysis
3. Security Operations Center: Incorporate into your SOC workflow for threat analysis
4. User Education: Use analysis results to educate users about phishing techniques

FAQ, Disclaimers, and Support

• How accurate is this tool? The detector uses multiple analysis layers and AI to provide high accuracy, but no detection system is 100% foolproof. Always exercise caution with suspicious emails.
• What makes this detector advanced? Unlike simple checkers, this tool performs multi-faceted analysis including content, URLs, sender reputation, and email authentication protocols.
• Can it detect sophisticated phishing attempts? Yes, by combining multiple analysis techniques with AI, the detector can identify many sophisticated phishing tactics that might bypass simpler filters.
• Support: For troubleshooting or support, please reach out to the Apify support team.

Cost Considerations

The actor's cost is based on Apify platform usage (memory allocation) and OpenAI token consumption. The following events and prices apply:

1{
2    "actor-start-gb": {
3        "eventTitle": "Actor start per 1 GB",
4        "eventDescription": "Flat fee for starting an Actor run for each 1 GB of memory.",
5        "eventPriceUsd": 0.005
6    },
7    "openai-100-tokens-gpt-4o": {
8        "eventTitle": "Price per 100 OpenAI tokens for gpt-4o",
9        "eventDescription": "Flat fee for each 100 gpt-4o tokens used.",
10        "eventPriceUsd": 0.001
11    },
12    "openai-100-tokens-gpt-4o-mini": {
13        "eventTitle": "Price per 100 OpenAI tokens for gpt-4o-mini",
14        "eventDescription": "Flat fee for each 100 gpt-4o-mini tokens used.",
15        "eventPriceUsd": 0.00025
16    }
17}

Disclaimer: This tool is intended for identifying potential phishing attempts through comprehensive analysis. While it provides detailed insights, always follow your organization's security protocols and consult with IT security experts for suspicious cases.