A SOC-oriented phishing email analysis tool that analyzes raw .eml files and classifies emails as LEGIT, SUSPICIOUS, or PHISHING using real-world detection logic.
Designed to simulate Tier-1 / Tier-2 SOC analyst workflows.
- Email header analysis (SPF, DKIM, DMARC)
- Authentication domain vs visible sender mismatch detection
- Brand impersonation detection (banks & financial services)
- URL extraction and risk analysis
- Phishing language detection
- Risk scoring engine
- SOC-style analysis report
git clone https://github.com/yourusername/phishing-email-analyzer.git
cd phishing-email-analyzer
pip install -r requirements.txtEnter the file path for the email file (.eml): /path/to/email.eml| Category | Detection Condition | Score |
|---|---|---|
| SPF | SPF authentication failed or missing | +1 |
| DKIM | DKIM authentication failed or missing | +1 |
| DMARC | DMARC policy failed | +3 |
| Domain Alignment | Authentication domain ≠ visible sender domain | +4 |
| Reply-To Mismatch | Reply-To domain differs from From domain | +4 |
| Brand Impersonation | High-value brand impersonation (Bank / Finance / Tech) | +5 |
| IP Reputation | Sender IP has poor reputation | +2 |
| Body Analysis | Low-risk phishing language | +1 |
| Body Analysis | Urgent or manipulative language | +3 |
| Body Analysis | Credential harvesting / account threat language | +5 |
| URL Analysis | Suspicious URL patterns | +1 |
| URL Analysis | Redirector or shortened URLs | +4 |
| URL Analysis | Highly malicious external URLs | +6 |
| URL Domain Mismatch | Embedded URLs do not belong to sender domain | +3 |
| Total Score Range | Verdict |
|---|---|
| 0 – 5 | LEGIT |
| 6 – 11 | SUSPICIOUS |
| ≥ 12 | PHISHING |
| Verdict | Severity | Action |
|---|---|---|
| LEGIT | None | No action required |
| SUSPICIOUS | Medium | User caution advised, monitor activity |
| PHISHING | High | Block email, alert security team immediately |