Phishing Defense · 7 min read

Automating Phishing Email Analysis: From .EML to Verdict in 30 Seconds

Manual phishing analysis takes 15-30 minutes per email. Learn how AI-powered analysis delivers instant verdicts with header analysis, URL reputation checks, and sender verification.

ProxiVeil Team

March 1, 2026

Why Phishing Still Works

Despite billions spent on email security, phishing remains the #1 initial access vector for cyberattacks. The 2025 Verizon DBIR attributes 36% of all breaches to phishing — a number that's been stubbornly consistent for five years.

Why? Because phishing exploits human psychology, not software vulnerabilities. And modern phishing campaigns are increasingly sophisticated:

  • Business Email Compromise (BEC): No malware, no malicious links — just a convincing impersonation asking for a wire transfer.
  • Spear phishing with AI-generated content: Attackers use LLMs to craft personalized, grammatically perfect lures.
  • Multi-stage attacks: Initial emails are benign, building trust before delivering the payload in a follow-up.
  • QR code phishing (quishing): Bypasses URL scanners by embedding malicious links in images.

Email gateways catch the obvious stuff. The emails that reach your employees' inboxes are the ones that passed automated filters — and they need human (or AI) analysis.

The Manual Analysis Workflow

When an employee reports a suspicious email, a SOC analyst typically performs this analysis:

  1. Header Analysis: Examine the email headers for SPF/DKIM/DMARC results, originating IP address, mail server chain, and any signs of spoofing.
  2. Sender Verification: Does the display name match the actual email address? Is the domain legitimate? Check WHOIS for recently registered domains.
  3. URL Analysis: Extract all links, check against reputation databases (VirusTotal, URLhaus), inspect for typosquatting or homograph attacks.
  4. Attachment Analysis: If present, check file type by magic bytes (not extension), scan against malware databases, inspect macro content.
  5. Content Analysis: Assess urgency language, impersonation attempts, grammar anomalies, and social engineering tactics.
  6. Verdict: Classify as malicious, suspicious, or clean, with a confidence score.

This process takes 15-30 minutes per email for an experienced analyst. During a phishing campaign targeting your organization, the queue can grow faster than analysts can process it.
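The deterministic part of steps 1 to 4 (authentication results, Received-chain tracing, display-name and lookalike checks, anchor text versus href, attachment magic bytes) as an added Python example; this is not ProxiVeil's code. The .EML is constructed, and TRUSTED_MX and BRAND_DOMAINS are assumed values you would replace with your own MX hostnames and the brands your organization cares about.

```python
"""Deterministic .EML triage (added example, not ProxiVeil code). SAMPLE_EML is constructed;
TRUSTED_MX and BRAND_DOMAINS are assumed values."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_MX = {"mx.corp.example"}                 # receiving hosts we control (assumption)
BRAND_DOMAINS = {"paypal.com", "corp.example"}   # brands worth a lookalike check (assumption)
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip/ooxml"}
EXPECTED = {"application/pdf": "pdf", "application/zip": "zip/ooxml"}

SAMPLE_EML = b"""Received: from mx2.paypa1-secure.com (mx2.paypa1-secure.com [203.0.113.45])
    by mx.corp.example (Postfix) with ESMTPS id 4ABC; Mon, 2 Mar 2026 09:14:02 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5]) by mx2.paypa1-secure.com (Postfix) with ESMTPA id 9XYZ; Mon, 2 Mar 2026 09:13:50 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=paypa1-secure.com; dkim=pass header.d=paypa1-secure.com; dmarc=pass header.from=paypa1-secure.com
From: "PayPal Billing <service@paypal.com>" <billing@paypa1-secure.com>
Subject: Action required: your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://paypa1-secure.com/login">https://www.paypal.com/signin</a></p>
--b1
Content-Type: application/pdf; name="Invoice.pdf"
Content-Disposition: attachment; filename="Invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--b1--
"""


def auth_results(msg):
    """SPF/DKIM/DMARC as recorded by our MTA. A pass proves the mail came from whoever
    controls the From domain, which for a lookalike domain is the attacker."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))


def originating_ip(msg, trusted=TRUSTED_MX):
    """Walk Received headers top-down. Only hops written 'by' a host we control are trusted; the
    'from' IP of the last such hop is the real handoff. Lines below it came from the sender's server."""
    origin = None
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", str(hdr), re.S)
        if not m or m.group(2) not in trusted:
            break
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(1) or "")
        origin = ip.group(1) if ip else origin
    return origin


def lookalike(host):
    """Brand a host imitates, 'punycode' for IDN hosts, None for the brand itself or a subdomain."""
    host = host.lower()
    if any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return None
    if "xn--" in host:
        return "punycode"
    tokens = set(re.split(r"[.-]", host.translate(CONFUSABLES)))  # paypa1-secure.com -> {paypal, secure, com}
    return next((b for b in BRAND_DOMAINS if b.split(".")[0] in tokens), None)


def sender_findings(msg):
    findings = []
    sender = msg["From"].addresses[0]
    shown = re.search(r"[\w.+-]+@([\w.-]+)", sender.display_name)  # address smuggled into the display name
    if shown and shown.group(1).lower() != sender.domain.lower():
        findings.append(f"display name shows {shown.group(0)} but sender is {sender.addr_spec}")
    if (brand := lookalike(sender.domain)):
        findings.append(f"sender domain {sender.domain} mimics {brand}")
    return findings


def url_findings(msg):
    """Anchors whose visible text names a different host than the href, plus lookalike link hosts."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        anchors = re.findall(r"""<a[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""", part.get_content(), re.I | re.S)
        for href, text in anchors:
            host = urlparse(href).hostname or ""
            visible = re.search(r"https?://([^/\s<]+)", text)
            if visible and visible.group(1).lower() != host:
                findings.append(f"link text shows {visible.group(1)} but href goes to {host}")
            if (brand := lookalike(host)):
                findings.append(f"link host {host} mimics {brand}")
    return findings


def attachment_findings(msg):
    """Type by magic bytes, never by filename or declared MIME type."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        real = next((t for magic, t in MAGIC.items() if data.startswith(magic)), "unknown")
        claimed = EXPECTED.get(part.get_content_type())
        if real == "pe-executable" or (claimed and claimed != real):
            findings.append(f"{part.get_filename()} declared {part.get_content_type()} but bytes say {real}")
    return findings


def triage(raw):
    """Findings plus a count-based verdict (thresholds are an assumption for the example)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = sender_findings(msg) + url_findings(msg) + attachment_findings(msg)
    verdict = "malicious" if len(findings) >= 3 else "suspicious" if findings else "clean"
    return {"verdict": verdict, "auth": auth_results(msg), "origin_ip": originating_ip(msg), "findings": findings}
```

Note what the sample shows: SPF, DKIM and DMARC all pass, because the attacker owns paypa1-secure.com. Authentication results tell you which domain sent the mail, not whether it is the brand the display name claims. Only the hop written by mx.corp.example is used for the originating IP; the 10.0.0.5 line below it was written by the attacker's server and is ignored, and the "Invoice.pdf" is flagged because its first bytes are an MZ header, whatever the name says.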

AI-Powered Phishing Analysis

Most of this workflow is deterministic: parsing headers, reading authentication results, tracing the Received chain, and looking up URLs and domains are string checks and lookups that software does faster and more consistently than a person. Only the judgment-heavy steps, reading the body for social-engineering intent and weighing the collected evidence into a verdict, need a language model, and that is where AI earns its place.

Here's how automated analysis works:

Upload the .EML file. The raw message contains everything the analysis needs: headers, body, attachments, and the metadata that web-based email clients hide from the reader. Use the client's "download original" or "save as .eml" export rather than forwarding the message, because forwarding replaces the original headers with those of the forwarder's own mail path.

Automated header parsing. The system extracts and analyzes the authentication results (SPF, DKIM, DMARC), traces the mail server chain, and identifies the originating IP. Two caveats apply: only the Received lines written by your own mail servers can be trusted, since everything below the first untrusted hop was written by the sender and may be forged; and a passing SPF/DKIM/DMARC result proves only that the mail came from whoever controls the From domain, which for a lookalike domain the attacker registered is the attacker.

URL and domain intelligence. Every link is extracted, expanded (for shortened URLs), and checked against threat intelligence databases. Domain age, registration details, and TLS certificate history are checked automatically; a domain registered days ago with a freshly issued certificate is a strong signal on its own, even when no reputation source has seen it yet.

Content analysis with AI reasoning. The AI evaluates the email body for social engineering patterns: urgency pressure, authority impersonation, emotional manipulation, and request for sensitive actions (wire transfers, credential entry, file downloads).

Confidence-scored verdict. The result isn't just "malicious" or "clean" — it's a detailed breakdown with a confidence score and specific evidence for each factor.

PII protection matters: before any AI analysis, personally identifiable information (email addresses, IP addresses, usernames) is automatically stripped from the content, so the AI never sees raw PII. The redaction has to be selective, though: the mailbox local part, the recipient's name, and internal IPs are replaced with placeholders, while sender and link domains stay in place, because a lookalike domain is exactly the evidence the model is there to weigh.
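The redaction gate and the confidence-scored verdict, as an added Python example rather than ProxiVeil's code: addresses, IPs and the recipient's name become numbered placeholders before anything reaches the model, the mapping is kept so the final report can be re-personalized, and content_signals is a keyword stand-in for the model's reading of the body. SAMPLE_BODY, the finding labels, the weights and the thresholds are constructed assumptions.

```python
"""Redaction gate in front of the model plus a scored verdict (added example, not ProxiVeil
code). SAMPLE_BODY, the weights and the thresholds are constructed assumptions."""
import re

EMAIL_RE = re.compile(r"\b([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # also catches version strings; acceptable here

# Constructed lure body; the finding names handed to score_verdict are assumed labels.
SAMPLE_BODY = """Dear Jane Doe (jane.doe@corp.example),

Our security team noticed a login from 198.51.100.7. Your account will be suspended
in 24 hours unless you verify your payment details immediately at the link below.
Ignore this and you will lose access permanently. -- PayPal Billing, on behalf of the CEO
"""

SIGNALS = {   # keyword stand-in for the model's reading of the body
    "urgency": r"\b(immediately|within \d+ hours?|24 hours|suspended|final notice|act now)\b",
    "authority": r"\b(ceo|cfo|security team|it department|on behalf of)\b",
    "threat": r"\b(lose access|permanently|legal action|account (?:will be )?closed)\b",
    "sensitive_action": r"\b(verify|payment details|password|wire transfer|gift cards?)\b",
}
WEIGHTS = {"lookalike_domain": 0.35, "link_text_mismatch": 0.25, "executable_attachment": 0.3,
           "urgency": 0.15, "authority": 0.1, "threat": 0.1, "sensitive_action": 0.15}


def redact_pii(text, names=()):
    """Replace names, mailbox local parts and IPs with numbered placeholders and return the
    reversible map. The domain of an address is kept: it is evidence, the person is not."""
    mapping, counters = {}, {}

    def placeholder(kind, raw):
        for key, val in mapping.items():
            if val == raw:            # the same value always gets the same token
                return key
        counters[kind] = counters.get(kind, 0) + 1
        key = f"[{kind}{counters[kind]}]"
        mapping[key] = raw
        return key

    for name in names:
        text = text.replace(name, placeholder("NAME", name))
    text = EMAIL_RE.sub(lambda m: placeholder("USER", m.group(1)) + "@" + m.group(2), text)
    text = IP_RE.sub(lambda m: placeholder("IP", m.group(0)), text)
    return text, mapping


def content_signals(text):
    """Which social-engineering patterns appear, grouped by the factor they support."""
    return {name: sorted({m.lower() for m in re.findall(pat, text, re.I)}) for name, pat in SIGNALS.items()}


def score_verdict(triage_findings, signals, auth_passed):
    """Combine deterministic findings with content signals; every factor carries its evidence."""
    evidence = [(f, "header/URL/attachment triage") for f in triage_findings]
    evidence += [(name, ", ".join(hits)) for name, hits in signals.items() if hits]
    score = sum(WEIGHTS.get(name, 0.0) for name, _ in evidence)   # unknown labels carry no weight
    if auth_passed:   # SPF/DKIM/DMARC pass vouches for the sending domain, not for the brand it imitates
        score -= 0.05
        evidence.append(("authentication", "passed, for the sending domain only"))
    score = max(0.0, min(0.99, round(score, 2)))
    verdict = "malicious" if score >= 0.7 else "suspicious" if score >= 0.3 else "clean"
    return {"verdict": verdict, "confidence": score, "evidence": evidence}


if __name__ == "__main__":
    body, pii = redact_pii(SAMPLE_BODY, names=("Jane Doe",))
    result = score_verdict(["lookalike_domain", "link_text_mismatch", "executable_attachment"],
                           content_signals(body), auth_passed=True)
    print(body, pii, result, sep="\n")
```

Names are the weak spot of regex redaction: the recipient's name is known from the To header and can be passed in, but other people mentioned in the body need a proper entity-recognition pass before the text leaves your boundary.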

Building an Organizational Phishing Baseline

Individual email analysis is valuable, but the real power comes from patterns across your organization:

  • Repeat sender domains: Is the same spoofed domain targeting multiple employees?
  • Campaign detection: Are 20 employees receiving variations of the same lure?
  • Historical false positive patterns: Your organization's analyst feedback teaches the system which types of alerts are legitimate internal communications.
  • Targeted role analysis: Are executives receiving more BEC attempts? Are finance teams seeing more invoice fraud?

Over time, the analysis system builds an organizational baseline that makes each subsequent analysis more accurate and contextually aware.
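One way to get the campaign-detection and feedback signals above out of a pile of individual reports, as an added Python example rather than ProxiVeil's implementation: each report is reduced to a fingerprint of content tokens plus sender domain and link hosts, fingerprints are grouped by Jaccard similarity so that per-recipient variations of one lure land in the same cluster, and clusters that reach several distinct recipients are surfaced, with an internal-sender allowlist standing in for the analyst-feedback history. REPORTS, the threshold and the allowlist are constructed assumptions.

```python
"""Campaign detection over reported emails (added example, not ProxiVeil code). REPORTS,
the similarity threshold and the internal-sender allowlist are constructed assumptions."""
import re

TOKEN_RE = re.compile(r"[a-z]{3,}")
STOPWORDS = {"the", "and", "for", "you", "your", "will", "with", "this", "that", "from"}


def lure(recipient, name, subject, hours):
    """One variation of the constructed lookalike-domain lure."""
    return {"recipient": recipient, "sender_domain": "paypa1-secure.com", "url_hosts": ["paypa1-secure.com"],
            "subject": subject,
            "body": f"Dear {name}, we detected unusual activity on your account. Verify your payment "
                    f"details within {hours} hours or your account will be suspended."}


REPORTS = [   # constructed: four variations of one lure, two copies of an internal notice, one unrelated mail
    lure("jane@corp.example", "Jane", "Action required: account suspended in 24 hours", 24),
    lure("omar@corp.example", "Omar", "Urgent: verify your account now", 12),
    lure("li@corp.example", "Li", "Final notice: payment verification", 48),
    lure("sam@corp.example", "Sam", "Action required: unusual activity detected", 24),
    {"recipient": "jane@corp.example", "sender_domain": "corp.example", "url_hosts": ["intranet.corp.example"],
     "subject": "All-hands Thursday", "body": "Reminder: all-hands meeting Thursday at 10, agenda on the intranet."},
    {"recipient": "omar@corp.example", "sender_domain": "corp.example", "url_hosts": ["intranet.corp.example"],
     "subject": "All-hands Thursday", "body": "Reminder: all-hands meeting Thursday at 10, agenda on the intranet."},
    {"recipient": "li@corp.example", "sender_domain": "vendor.example", "url_hosts": [],
     "subject": "Invoice 4471", "body": "Please find attached invoice 4471 for March services."},
]


def fingerprint(report):
    """Content tokens (digits and short words drop out; a stray first name is absorbed by the threshold)
    plus sender domain and link hosts: campaigns rotate wording and mailboxes, rarely infrastructure."""
    tokens = set(TOKEN_RE.findall((report["subject"] + " " + report["body"]).lower())) - STOPWORDS
    return tokens | {"sender:" + report["sender_domain"]} | {"host:" + h for h in report["url_hosts"]}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


def cluster_reports(reports, threshold=0.6):
    """Greedy single pass: a report joins the first cluster whose seed it resembles, else starts one."""
    clusters = []
    for report in reports:
        fp = fingerprint(report)
        for cluster in clusters:
            if jaccard(fp, cluster["seed"]) >= threshold:
                cluster["reports"].append(report)
                break
        else:
            clusters.append({"seed": fp, "reports": [report]})
    return clusters


def campaigns(reports, min_recipients=3, internal_domains=frozenset()):
    """Clusters that reached several distinct recipients. 'internal' marks clusters whose senders are
    all on the allowlist that analyst feedback builds up, so known-good internal mail is down-ranked."""
    found = []
    for cluster in cluster_reports(reports):
        recipients = {r["recipient"] for r in cluster["reports"]}
        domains = {r["sender_domain"] for r in cluster["reports"]}
        if len(recipients) >= min_recipients:
            found.append({"recipients": len(recipients), "sender_domains": sorted(domains),
                          "internal": domains <= set(internal_domains),
                          "subjects": [r["subject"] for r in cluster["reports"]]})
    return found


if __name__ == "__main__":
    for c in campaigns(REPORTS, min_recipients=2, internal_domains={"corp.example"}):
        print(c)
```

With the defaults the four lure variations collapse into one cluster hitting four recipients, the two copies of the all-hands notice form a second cluster that only surfaces if the recipient threshold is lowered, and then carries internal=True so it can be auto-closed, and the vendor invoice stays alone.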

Response Automation

Detection without response is just expensive monitoring. An effective phishing analysis workflow includes automated response actions:

  • Block malicious URLs across your email gateway and web proxy.
  • Quarantine similar emails that match the campaign's IOC pattern.
  • Notify affected users with specific guidance ("Do not click the link in the email from accounts@paypa1.com").
  • Create an incident if the phishing email was opened or links were clicked.
  • Update organizational IOC database with extracted indicators for future detection.

The faster this loop runs, the less damage a phishing campaign can do. Going from 30-minute manual analysis to 30-second automated analysis means you can respond before most employees even see the email.

Tags: phishing analysis, email security, EML analysis, social engineering, BEC