CanIPhish can conduct manual or fully automated AI-powered scans of reported emails to help administrators with the burdensome task of analysing and classifying reported emails.
In this support article, we'll walk through everything you need to know about CanIPhish's AI-Powered Email Analysis Engine.
Important Note: CanIPhish's AI-Powered Email Analysis Engine is currently available in a beta release. It may be subject to frequent changes or higher-than-expected email misclassification during this time period.
How It Works
CanIPhish has developed a fine-tuned AI model that's designed to accurately analyze and categorize emails based on defined criteria. As part of the analysis, the following aspects of the reported email are looked at:
- Email Headers: Email headers are parsed to extract the following information:
  - Email Authentication: Did the sender pass SPF, DKIM, and DMARC authentication checks?
  - Email Sender Domain: What domain was used for email sending, and is the domain known or suspected to be malicious, or is it unusual to receive business communication from the domain? (e.g., freemail services)
  - Email Sender IP Address: What IP Address was used for email sending, and is the IP address known to be malicious?
- Email Body: The email body is parsed to extract the following information:
  - Email Subject: Does the email subject show signs of urgency or other suspicious indicators?
  - Email Sender Display Name & Address: Does the email sender display name and address show signs of potential impersonation or spoofing of another employee?
  - Email HTML/Text Body: Is the sender asking the recipient to perform some form of immediate action, whether it be clicking a link, scanning a QR code, downloading an attachment, or responding with information?
  - Email Attachments: Do any attachments contain known malware? (Work In Progress)
Email Analysis Output
When an email is analysed, the following information is made available:
- Reputation Score: A score ranging from 0-100, with 0 representing a non-malicious email, and 100 representing the presence of many malicious indicators. Additionally, an AI Classification is provided, which can be one of four classifications, notably:
  - Unknown: An unknown classification is provided if the AI Analysis Engine is unable to accurately determine what the email should be classified as.
  - Benign: A benign classification is provided if the AI Analysis Engine believes the email is legitimate or non-malicious.
  - Spam: A spam classification is provided if the AI Analysis Engine believes the email is spam.
  - Malicious: A malicious classification is provided if the AI Analysis Engine believes the email is phishing or otherwise has malicious intent.
- Authentication: An overview of whether SPF, DKIM, and DMARC authentication passed or failed, what domain email authentication was performed against, and the IP address that initially sent the email.
- AI Summary: An overview of key information that has been extracted from the email based on the cumulation of all data available, including analysis of email headers, email body, and email attachments.
- Scoring Reasons: A list of notable items that have impacted the reputation score assigned to the email.
- Link Reputation: A score ranging from 0-100 for each domain extracted from the email body, with 0 representing a non-malicious domain and 100 representing the presence of many malicious indicators.
- Attachment Reputation: A score ranging from 0-100 for each attachment included in the email, with 0 representing a non-malicious attachment and 100 representing the presence of many malicious indicators. (Work In Progress)
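For administrators who want to cross-check the Authentication fields by hand, the following added example (not CanIPhish's code, and not a description of how its engine is built) derives the SPF, DKIM and DMARC results, the authenticated domain and the sending IP address from a reported email's headers. The message, hostnames and `TRUSTED_MTA` value are constructed assumptions; only headers stamped by your own border MTA are used, because any other `Authentication-Results` or `Received` line is under the sender's control.

```python
import re
from email import message_from_string

# Constructed sample message (not a real email); IPs are documentation ranges.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mail.recipient.example; Tue, 02 Jan 2024 10:00:05 +0000
Received: from unknown (HELO mailer) ([203.0.113.45])
\tby mx.recipient.example; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=billing-example.test;
\tdkim=none; dmarc=fail header.from=billing-example.test
Authentication-Results: mx.sender-controlled.test;
\tspf=pass; dkim=pass; dmarc=pass header.from=billing-example.test
From: "IT Helpdesk" <support@billing-example.test>
Subject: Urgent: password expires today

Click the link to keep your account active.
"""

TRUSTED_MTA = "mx.recipient.example"  # assumption: the border MTA you operate

def summarize_authentication(raw, trusted_mta=TRUSTED_MTA):
    """Return SPF/DKIM/DMARC results, authenticated domain and sending IP."""
    msg = message_from_string(raw)
    out = {"spf": "none", "dkim": "none", "dmarc": "none",
           "auth_domain": None, "sending_ip": None}
    for value in msg.get_all("Authentication-Results", []):
        serv, _, rest = " ".join(value.split()).partition(";")
        # Skip results not stamped by our own MTA: the sender can forge them.
        if serv.strip().split(" ")[0].lower() != trusted_mta:
            continue
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", rest)
            if m:
                out[method] = m.group(1).lower()
        m = re.search(r"\bheader\.from=([\w.-]+)", rest)
        if m:
            out["auth_domain"] = m.group(1).lower()
        break
    hop = re.compile(r"from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby "
                     + re.escape(trusted_mta) + r"\b")
    for value in msg.get_all("Received", []):
        # Only the hop recorded by our MTA is reliable (IPv4 only here).
        m = hop.search(" ".join(value.split()))
        if m:
            out["sending_ip"] = m.group(1)
            break
    return out
```

Calling `summarize_authentication(RAW)` uses the results recorded by `mx.recipient.example` and ignores the second, sender-supplied header that claims every check passed.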
Email Analysis Configurations
These settings can be found by navigating to Reporting > Reported Emails, then clicking the Report Email Settings button and selecting the Analysis tab.
Manual vs. Automatic Analysis
CanIPhish's Email Analysis Engine can be configured in one of two states:
- Manual Analysis: Administrators can initiate the analysis of an email on an individual basis. The analysis can be initiated by viewing the email report, going to the analysis tab, and clicking the "Run Analysis" button.
- Automatic Analysis: From the time of activation, all email reports will be automatically analysed by CanIPhish's Email Analysis Engine, meaning administrators can immediately see the results of the analysis upon viewing the email report.
Automatic Attribution
CanIPhish's Email Analysis Engine can automatically attribute reported emails as Actual Spam or Actual Phishing if specific conditions are met:
- Automatically Attribute AI-Detected Spam: If the email's reputation score exceeds the defined threshold AND the AI Analysis Engine classifies the email as spam, then the email report will be automatically attributed as Actual Spam.
- Automatically Attribute AI-Detected Phishing: If the email's reputation score exceeds the defined threshold AND the AI Analysis Engine classifies the email as malicious, then the email report will be automatically attributed as Actual Phishing.