Skip to content

AnandSundar/PhishSentinel

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

7 Commits
Β 
Β 
Β 
Β 

Repository files navigation

πŸ•΅οΈ PhishSentinel

AI-Powered Phishing Email Threat Analyzer

Python 3.11+ LangGraph OpenAI GPT-4o Streamlit

PhishSentinel autonomously analyzes suspicious emails, scores their threat level from 0–100, extracts attack indicators, and presents findings in a live dashboard β€” in under 10 seconds.

image

image

🎯 What is This?

PhishSentinel is an intelligent security tool that detects phishing emails β€” fake emails designed to trick you into giving up passwords, clicking dangerous links, or sending money to scammers. Think of it as a digital detective that reads every suspicious email and tells you exactly how dangerous it is.

Phishing is the #1 cyber threat of 2026, costing businesses over $3.5 billion every year. Criminals now use artificial intelligence (AI β€” computer systems that can learn and make decisions) to craft fake emails that are nearly indistinguishable from real ones. These attacks fool even careful, tech-savvy employees. Every company, from small startups to Fortune 500 giants, desperately needs better tools to catch these threats before they cause damage.

What makes PhishSentinel different from basic spam filters is that it uses an AI agent β€” a program that reasons step-by-step like a human security analyst β€” instead of simple keyword matching. While traditional tools look for words like "urgent" or "click here," PhishSentinel understands context, analyzes email headers (the behind-the-scenes routing information), detects visual tricks like lookalike domain names, and weighs 12 different risk factors to produce a reliable threat score.

πŸ’Ό For Managers: PhishSentinel demonstrates production-level skills in AI agent design, cybersecurity tooling, and full-stack Python development. It is the kind of tool real SOC (Security Operations Center) teams request but rarely have. The architecture mirrors enterprise threat intelligence platforms costing tens of thousands of dollars per year.


✨ Features

Feature What It Does (Plain English)
SPF Check SPF (Sender Policy Framework) β€” checks whether the email was sent from an authorized server for that domain, detecting spoofed sender addresses
DKIM Check DKIM (DomainKeys Identified Mail) β€” verifies a digital signature embedded in the email to prove it wasn't tampered with during transit
DMARC Check DMARC (Domain-based Message Authentication, Reporting, and Conformance) β€” tells receiving servers what to do with emails that fail SPF or DKIM checks
Homoglyph Detection Detects lookalike Unicode characters in domain names (like using "Π°mazon.com" with a Cyrillic 'Π°' instead of Latin 'a') that trick the human eye
Urgency Analysis AI scans the email body for pressure tactics like "Act now!" or "Your account will be suspended" that rush victims into mistakes
IOC Extraction IOC (Indicators of Compromise) β€” automatically pulls out malicious URLs, suspicious IP addresses, and questionable domains as evidence
Threat Scoring Converts 12 individual indicator results into a single 0–100 threat score using weighted algorithms
Radar Chart Plotly visualization showing all 12 indicator scores at once, making attack patterns instantly visible
Gauge Chart Color-coded speedometer-style display showing the overall threat level (Safe, Suspicious, Likely Phishing, or Critical)
IOC Export Download extracted threat indicators as CSV files for use in other security tools
Analysis History SQLite database storing previous analyses with timestamps, so you can track threats over time
.EML File Upload Import raw email files directly from Outlook, Thunderbird, or other email clients
Structured LLM Output Uses Pydantic (a Python library for data validation) to ensure AI responses follow a predictable format

πŸ—οΈ How It Works (Architecture)

Plain English Explanation

When you paste an email into PhishSentinel, it passes through 7 specialized AI agents arranged in a pipeline called a graph. Each agent has one job: the first reads and decodes the email, the second checks authentication headers, the third scans the message body for suspicious language, the fourth extracts dangerous links, and so on. These agents pass information forward like an assembly line, with conditional branches that skip unnecessary steps for safe emails. Finally, a scoring agent weighs all findings and a report generator writes a human-readable summary. The entire process completes in seconds, and results are saved to a local database.

Agent Flow Diagram

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        PhishSentinel                            β”‚
β”‚                     LangGraph Agent Flow                        β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

  πŸ“§ Raw Email Input
        β”‚
        β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  1. Email Parser  β”‚  ← Extracts headers, body, attachments
β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
         β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  2. Header Agent  β”‚  ← Checks SPF, DKIM, DMARC, IP hops
β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
    β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”
    β”‚ All     β”‚
    β”‚ auth    β”‚ ← Conditional branch (LangGraph edge)
    β”‚ pass?   β”‚
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜
    NO   β”‚ YES
    β”‚    └──────────────────────┐
    β–Ό                           β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Deep Header  β”‚     β”‚  Skip deep inspection β”‚
β”‚ Inspection   β”‚     β”‚  (fast path)          β”‚
β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
       β”‚                        β”‚
       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β–Ό
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚  3. Body Agent  β”‚  ← LLM scans for urgency, brand
         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜    impersonation, homoglyph domains
                  β”‚
                  β–Ό
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚  4. IOC Extract β”‚  ← Pulls IPs, URLs, domains as
         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜    Indicators of Compromise
                  β”‚
                  β–Ό
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚  5. Scoring     β”‚  ← Weights 12 indicators β†’ 0–100
         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜    threat score
                  β”‚
                  β–Ό
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚  6. Report Gen  β”‚  ← GPT-4o writes analyst narrative
         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                  β”‚
                  β–Ό
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚  7. SQLite Save β”‚  ← Stores analysis for history tab
         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                  β”‚
                  β–Ό
         πŸ“Š Streamlit Dashboard

Technology Stack

Layer Technology Why We Chose It
AI Agent Framework LangGraph LangGraph (a LangChain extension for building stateful, multi-actor applications) lets us define complex agent workflows as graphs with conditional edges, making the pipeline modular and easy to extend
Language Model OpenAI GPT-4o GPT-4o provides excellent reasoning for security analysis tasks while supporting structured output via function calling, ensuring consistent data formats
Web Dashboard Streamlit Streamlit (a Python library for creating data apps) allows rapid UI development without writing HTML/JavaScript, perfect for data-heavy security tools
Charts Plotly Plotly creates interactive, publication-quality visualizations that render beautifully in browsers and export cleanly to images
Email Parsing Python email stdlib Python's built-in email library handles MIME (Multipurpose Internet Mail Extensions) encoding, attachments, and header parsing without external dependencies
Data Storage SQLite SQLite (a serverless, self-contained database engine) requires zero setup, stores data in a single file, and handles thousands of analyses without configuration
Config/Secrets python-dotenv + st.secrets python-dotenv loads API keys from .env files locally; st.secrets manages them securely in Streamlit Cloud β€” keeping credentials out of code
Language Python 3.11+ Python 3.11 offers better error messages, faster performance, and modern typing features that make complex agent code more maintainable

πŸ” The 12 Phishing Indicators

# Indicator Category Max Score Plain English Explanation
1 SPF Check Header 10 SPF (Sender Policy Framework) β€” verifies the email came from an authorized mail server for the sender's domain; failure suggests spoofing
2 DKIM Check Header 10 DKIM (DomainKeys Identified Mail) β€” validates a cryptographic signature proving the email wasn't modified after being sent
3 DMARC Check Header 10 DMARC tells email providers what to do with messages that fail authentication; absence means no enforcement policy
4 Reply-To Mismatch Header 10 When the "Reply-To" address differs from the "From" address, scammers may be redirecting responses to a different account
5 Return-Path Mismatch Header 10 The Return-Path (where bounced emails go) should match the sender; mismatches indicate potential spoofing
6 Suspicious IP Chain Header 10 Traces the path through mail servers (IP hops); blacklisted IPs or unexpected geographic routes raise flags
7 Message-ID Anomaly Header 10 Legitimate emails have properly formatted Message-IDs; suspicious patterns may indicate mass spam tools
8 Urgency Signals Body (AI) 10 Phrases creating artificial pressure like "Immediate action required" or "24 hours only" β€” classic manipulation tactics
9 Credential Harvesting Cues Body (AI) 10 Requests for passwords, credit card numbers, or account verification β€” legitimate services rarely ask for these via email
10 Brand Impersonation Body (AI) 10 Emails claiming to be from banks, tech companies, or government agencies that use unofficial domains or slight name variations
11 Suspicious Link Analysis Body (AI) 10 URLs that redirect through trackers, use URL shorteners to hide destinations, or contain typos of real domains
12 Homoglyph Domain Detection Body (AI) 10 Internationalized domain names using visually similar Unicode characters (Cyrillic 'Π°' vs Latin 'a') to impersonate trusted brands

Threat Score Legend

THREAT SCORE LEGEND
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  0 – 20  β”‚ βœ… Safe              β”‚ No significant indicators found
 21 – 45  β”‚ ⚠️  Suspicious       β”‚ Minor anomalies, exercise caution  
 46 – 74  β”‚ 🚨 Likely Phishing   β”‚ Multiple strong indicators present
 75 – 100 β”‚ ☠️  Critical         β”‚ High-confidence phishing attack
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

πŸ–₯️ Dashboard Screenshots

Threat Analysis Tab

The main dashboard showing a Plotly gauge chart with threat score 87/100 (Critical), four metric cards, and a radar chart plotting all 12 indicator scores.

Threat Analysis Tab

image

IOC Report Tab

The IOC (Indicator of Compromise) report tab showing extracted malicious URLs, sender IPs, and suspicious domains in a sortable table with CSV export.

IOC Report Tab

image

Analysis History Tab

The history tab showing the last 20 email analyses stored in SQLite, with timestamps, threat scores, and clickable rows to reload past results.

Analysis History Tab

image

πŸš€ Installation & Setup

Prerequisites

Before you begin, ensure you have:

Quick Start (5 Steps)

# Step 1: Clone the repository
git clone https://github.com/AnandSundar/phishsentinel.git
cd phishsentinel

# Step 2: Create a virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Step 3: Install dependencies
pip install -r requirements.txt

# Step 4: Set your OpenAI API key
cp .env.example .env
# Edit .env and add: OPENAI_API_KEY=your_key_here

# Step 5: Run the app
streamlit run app.py

The app will open at http://localhost:8501 in your browser.

πŸ’‘ Pro Tip: Test the app immediately using the included sample email: samples/sample_phish.eml


πŸ“ Project Structure

phishsentinel/
β”‚
β”œβ”€β”€ πŸ“„ app.py                    # Streamlit UI entry point β€” run this to start the app
β”‚
β”œβ”€β”€ πŸ€– agent/
β”‚   β”œβ”€β”€ __init__.py
β”‚   β”œβ”€β”€ graph.py                 # LangGraph StateGraph β€” defines the AI agent pipeline
β”‚   β”œβ”€β”€ nodes.py                 # 7 agent node functions (the "workers" in the pipeline)
β”‚   β”œβ”€β”€ state.py                 # Shared data structure passed between agents
β”‚   └── schemas.py               # Data models for structured AI output (Pydantic)
β”‚
β”œβ”€β”€ πŸ› οΈ  utils/
β”‚   β”œβ”€β”€ email_parser.py          # Reads and extracts raw email components
β”‚   β”œβ”€β”€ homoglyph.py             # Detects lookalike Unicode characters in domains
β”‚   β”œβ”€β”€ scoring.py               # Converts indicator results into 0–100 threat score
β”‚   └── db.py                    # SQLite database read/write helpers
β”‚
β”œβ”€β”€ πŸ“Š data/
β”‚   └── phishsentinel.db         # Auto-created SQLite database (analysis history)
β”‚
β”œβ”€β”€ πŸ“§ samples/
β”‚   └── sample_phish.eml         # Demo phishing email β€” use this to test the app instantly
β”‚
β”œβ”€β”€ πŸ“Έ docs/screenshots/         # Dashboard screenshots for this README
β”‚
β”œβ”€β”€ .env.example                 # Template for your API key config
β”œβ”€β”€ requirements.txt             # Python package dependencies
└── README.md                    # You are here

πŸ” Security & Privacy

PhishSentinel is designed with privacy as a core principle:

No Email Storage by Default

Emails are analyzed in memory and never stored. Only the analysis results (threat scores, extracted IOCs, summary text) are saved to the local SQLite database. The original email content is discarded after processing completes. This means sensitive email content stays ephemeral β€” there is no growing archive of private communications on your server.

API Key Safety

Your OpenAI API key is protected through multiple layers:

  • Local development: Stored in .env file (which is gitignored by default)
  • Production deployment: Managed via st.secrets in Streamlit Cloud
  • Never in code: The application reads from environment variables, keeping credentials out of version control

Local-First Design

PhishSentinel runs entirely on your own machine or private server. Emails are sent to only two places:

  1. Your local SQLite database β€” for history storage
  2. OpenAI's API β€” for AI analysis (via encrypted HTTPS connection)

No third-party analytics, no external logging services, no data brokers.

OpenAI Data Handling

According to OpenAI's API data usage policy, data sent through the API:

  • Is NOT used to train OpenAI's models
  • Is retained temporarily only for abuse monitoring (up to 30 days for enterprise, shorter for standard)
  • Can be zero retention for eligible enterprise customers

⚠️ Important: Do not analyze emails containing sensitive personal data (SSNs, medical records, passwords) unless you have reviewed OpenAI's data usage policy and your organization's data handling requirements.


πŸ’Ό Why This Project Matters

The Real-World Problem

Phishing is the #1 cyber threat facing businesses today. According to the FBI's Internet Crime Complaint Center, phishing attacks cost organizations over $3.5 billion annually. In 2026, AI-generated phishing emails have become nearly impossible to distinguish from legitimate communications β€” even security professionals fall for sophisticated attacks.

Yet most companies still rely on basic spam filters that use simple keyword matching. They need intelligent tools that understand context, detect nuanced deception, and provide actionable intelligence β€” exactly what PhishSentinel delivers.

Skills Demonstrated

Building PhishSentinel required mastery of eight critical engineering skills:

  • πŸ€– AI Agent Architecture β€” Designed a multi-node agent system using LangGraph with conditional branching and state management
  • πŸ”— LLM Integration β€” Integrated OpenAI GPT-4o with structured output schemas for reliable, parseable results
  • πŸ”’ Cybersecurity Domain Knowledge β€” Implemented SPF/DKIM/DMARC authentication checks and IOC extraction patterns used by enterprise SOC teams
  • πŸ“Š Data Visualization β€” Created interactive Plotly charts (gauge, radar) that communicate threat data intuitively
  • πŸ—„οΈ Database Design β€” Built a SQLite-backed history system with proper schema design and query optimization
  • πŸ§ͺ Input Validation β€” Handled raw email parsing, file uploads, and edge cases in user-provided data
  • 🌐 Full-Stack Development β€” Delivered a complete application from backend AI agents to frontend dashboard
  • πŸ“ Technical Documentation β€” Produced clear README and inline documentation for maintainability

Enterprise-Grade Patterns

PhishSentinel mirrors the architectural patterns found in commercial threat intelligence platforms costing $50,000+ per year:

  • Agent Graphs β€” Modular AI components that can be extended or replaced independently
  • Structured LLM Output β€” Using Pydantic schemas to ensure AI responses are machine-parseable
  • IOC Extraction β€” Automated threat indicator harvesting for integration with SIEM (Security Information and Event Management) tools
  • Scoring Algorithms β€” Weighted multi-factor analysis rather than binary yes/no decisions

🎯 Bottom line: PhishSentinel is not a tutorial project. It is a working security tool built with the same architectural patterns (agent graphs, structured LLM output, IOC extraction) used in enterprise threat intelligence platforms costing tens of thousands of dollars per year.


πŸ—ΊοΈ Roadmap

Feature Status Target
Core 12-indicator analysis βœ… Complete v1.0
Streamlit dashboard βœ… Complete v1.0
SQLite history βœ… Complete v1.0
VirusTotal API integration (URL scanning) πŸ”„ In Progress v1.1
Bulk .eml folder analysis πŸ“‹ Planned v1.1
Slack/Teams alert webhook πŸ“‹ Planned v1.2
PDF report export πŸ“‹ Planned v1.2
Multi-language phishing detection πŸ’‘ Idea v2.0
Outlook add-in integration πŸ’‘ Idea v2.0

Status Key:

  • βœ… Complete β€” Ready to use
  • πŸ”„ In Progress β€” Currently being developed
  • πŸ“‹ Planned β€” Scheduled for upcoming release
  • πŸ’‘ Idea β€” Under consideration

🀝 Contributing

We welcome contributions from the security and AI community!

How to Contribute

  1. Fork the Repository: Click the "Fork" button on GitHub
  2. Create a Branch: git checkout -b feature/your-feature-name
  3. Make Changes: Write code, add tests, update docs
  4. Commit: git commit -m "Add: your feature description"
  5. Push: git push origin feature/your-feature-name
  6. Pull Request: Open a PR with a clear description of changes

Code Standards

  • Formatting: Use Black (black .)
  • Type Hints: All functions must have type annotations
  • Docstrings: Google-style docstrings for all public functions
  • Tests: Include tests for new indicators or features

Adding a New Phishing Indicator

Want to make PhishSentinel smarter? Here's how to add a new detection indicator:

  1. Define the Logic: Create a function in utils/ (e.g., utils/new_detector.py)
  2. Add to Pipeline: Import and call your function in agent/nodes.py (in the appropriate agent node)
  3. Update State: Add the new indicator to agent/state.py (in PhishingAnalysisState)
  4. Update Scoring: Add weight to utils/scoring.py (INDICATOR_WEIGHTS)
  5. Update Schema: Add to agent/schemas.py (in IndicatorResult or similar)
  6. Update UI: Add visualization in app.py

Follow the node pattern: Each agent node receives the current state, performs analysis, and returns an updated state. The graph handles passing data between nodes.


πŸ“„ License

This project is licensed under the MIT License β€” see the LICENSE file for details.

What This Means

  • βœ… Commercial use allowed
  • βœ… Modification allowed
  • βœ… Distribution allowed
  • βœ… Private use allowed
  • ⚠️ No warranty provided

πŸ“¬ Contact


Built with β˜• and too much threat intelligence

πŸ•΅οΈ Stay suspicious. Stay safe.

About

Agentic AI Phishing Email Analyzer with LangGraph and Streamlit

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors