CanIPhish can conduct manual or fully automated AI-powered scans of reported emails to help administrators with the burdensome task of analysing and classifying reported emails.
In this support article, we'll walk through everything you need to know about CanIPhish's AI-Powered Email Analysis Engine.
How It Works
CanIPhish has developed a fine-tuned AI model that's designed to accurately analyze and categorize emails based on a range of detection capabilities. As part of the analysis, the following is performed:
- Sender Address Analysis: Check the standard email authentication signals that many organizations use to prove an email really came from their domain.
  - SPF, DKIM, and DMARC results are extracted from the email headers.
  - If these checks fail, risk increases because spoofing is more likely.
  - Detect cases where the email was forwarded, because forwarding commonly breaks SPF and can make a legitimate email look suspicious.
- Infrastructure Analysis: Check the sender's infrastructure against threat intelligence.
  - Look up the sending IP's reputation to confirm whether the originating mail server is known for abuse.
  - Look up the sending domain's reputation to confirm whether the email address domain is associated with spam or phishing behavior.
- Link Analysis: Check links embedded within the email against threat intelligence.
  - Extract URLs and their hostnames, then confirm whether the domains appear in known malicious website listings.
- Attachment Analysis: Scan attachments for risky file types and known malware.
  - Categorize attachments into high, medium, and low risk attachment types depending on the file type (e.g., executable and script files are high risk, while text files are low risk).
  - Detect attachment obfuscation techniques such as double extensions (e.g., invoice.pdf.exe) and a mismatch between the actual file type and the declared content type.
  - Identify known malware through signature-based malware scanning on an ephemeral container running ClamAV.
- Sentiment Analysis: Identify the intent of the email and the action being requested of the recipient.
  - Identify whether the sender is imposing urgency or pressure on the recipient to act fast.
  - Identify whether the sender is requesting that the recipient keep the conversation a secret.
  - Identify requests for sensitive information such as passwords and payment information.
  - Identify requests for money, such as changing bank details or requesting gift cards.
- Relationship Analysis: Identify what relationship the sender has with the recipient.
  - Identify whether an email address at the sender's domain has been successfully reported by another user for sending spam or phishing.
  - Identify whether the sender and recipient have been engaged in a prolonged two-way conversation, or whether communication is one-sided (e.g., the recipient has never responded).
  - Identify whether the sender has only just begun emailing the recipient, or whether there is evidence of ongoing email exchanges from at least 1 month prior.
- Impersonation Analysis: Check for external senders attempting to masquerade as an internal employee.
  - Identify suspicious sender display names (e.g., HR, Procurement, Executive).
  - Identify whether the sender domain is internal or external to the organization (cross-referencing against verified domains).
  - Identify whether the email body mentions manager or executive names (cross-referencing against employee lists).
  - Identify a mismatch between the sender email address and the reply-to address.
Important Note: Relationship Analysis can only function if email quarantine functionality is set up. The quarantine integration provides the ability to search the user's inbox for metadata on prior email exchanges between the sender and recipient. The results of these searches are captured as a number of true/false flags, which are then provided to CanIPhish's AI model as context (i.e., prior raw emails aren't processed by CanIPhish's AI model, just true/false flags of whether certain relationship attributes were observed).
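As an added illustration (not CanIPhish's own code; the engine's model, thresholds and threat-intelligence lookups are not shown on this page), the Python script below reproduces a few of the header and attachment checks listed above on a constructed sample email: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags a Reply-To domain that differs from the From domain, matches the display name against the example keywords, and tiers an attachment by extension, double extension, and declared-versus-actual content type. The INTERNAL_DOMAINS set, the risk tiers, and the magic-byte table are assumptions made for the example.

```python
import email
import re
from email import policy

# Constructed sample: DKIM/DMARC fail, Reply-To on another domain, and an
# attachment declared as application/pdf whose bytes are a PE executable.
RAW_EMAIL = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=fail; dmarc=fail\n"
    "From: HR Department <hr@example-payroll.test>\nReply-To: collect@other-domain.test\n"
    "To: alice@example.net\nSubject: Urgent: updated payslip\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nHi\n'
    '--b1\nContent-Type: application/pdf; name="invoice.pdf.exe"\n'
    'Content-Disposition: attachment; filename="invoice.pdf.exe"\n'
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n--b1--\n"
)
INTERNAL_DOMAINS = {"example.net"}  # assumed list of the organization's verified domains
HIGH_RISK = {".exe", ".js", ".vbs", ".scr", ".bat", ".ps1"}  # assumed risk tiers
MEDIUM_RISK = {".zip", ".iso", ".docm", ".xlsm"}
MAGIC = {b"MZ": "application/x-msdownload", b"%PDF": "application/pdf", b"PK": "application/zip"}
SUSPICIOUS_NAMES = {"hr", "procurement", "executive"}  # keywords from the article's examples

def parse_auth_results(msg):  # spf/dkim/dmarc verdicts from the Authentication-Results header
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def attachment_findings(part):  # risk tier, double extension, declared vs. actual type
    name = part.get_filename() or ""
    exts = [e.lower() for e in re.findall(r"\.[A-Za-z0-9]+", name)]
    data = part.get_payload(decode=True) or b""
    actual = next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)
    last = exts[-1] if exts else ""
    return {
        "filename": name,
        "risk": "high" if last in HIGH_RISK else "medium" if last in MEDIUM_RISK else "low",
        "double_extension": len(exts) > 1,
        "content_type_mismatch": actual is not None and actual != part.get_content_type(),
    }

def analyse(raw):  # returns the sender, authentication and attachment flags for one message
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else sender
    auth = parse_auth_results(msg)
    return {
        "auth": auth,
        "auth_failed": any(v != "pass" for v in auth.values()),
        "external_sender": sender.domain.lower() not in INTERNAL_DOMAINS,
        "suspicious_display_name": bool(set(sender.display_name.lower().split()) & SUSPICIOUS_NAMES),
        "reply_to_mismatch": reply_to.domain.lower() != sender.domain.lower(),
        "attachments": [attachment_findings(p) for p in msg.iter_attachments()],
    }
```

Note that the forwarding check from the article is deliberately left out: a forwarded message legitimately fails SPF, so a flag like `auth_failed` should be read together with forwarding evidence rather than on its own.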
Email Analysis Output
When an email is analysed, the following information is made available:
- Reputation Score: A score ranging from 0-100, with 0 representing a non-malicious email and 100 representing the presence of many malicious indicators. Additionally, an AI Classification is provided, which can be one of four classifications, namely:
  - Unknown: An unknown classification is provided if the AI Analysis Engine is unable to accurately determine how the email should be classified.
  - Benign: A benign classification is provided if the AI Analysis Engine believes the email is legitimate or non-malicious.
  - Spam: A spam classification is provided if the AI Analysis Engine believes the email is spam.
  - Malicious: A malicious classification is provided if the AI Analysis Engine believes the email is phishing or otherwise has malicious intent.
  It's important to note that an email can have a spam or malicious classification while also having a relatively low reputation score (e.g., an email can be classified as spam while having a reputation score of 30). This only indicates that the email doesn't contain many malicious indicators; it could very well still be a spam or phishing email.
- Authentication: An overview of whether SPF, DKIM, and DMARC authentication passed or failed, what domain email authentication was performed against, and the IP address that initially sent the email.
- AI Summary: An overview of the key information extracted from the email based on all available data, including analysis of the email headers, email body, and email attachments.
- Scoring Reasons: A list of notable items that have impacted the reputation score assigned to the email.
- Link Reputation: A score ranging from 0-100 for each domain extracted from the email body, with 0 representing a non-malicious domain and 100 representing the presence of many malicious indicators.
- Attachment Reputation: A score ranging from 0-100 for each attachment included in the email, with 0 representing a non-malicious attachment and 100 representing the presence of many malicious indicators.
Reported Email Analysis Configurations
These settings can be found by navigating to Reporting > Reported Emails, then clicking the Report Email Settings button and selecting the Analysis tab.
Manual vs. Automatic Analysis
CanIPhish's Email Analysis Engine can be configured in one of two states:
- Manual Analysis: Administrators can initiate the analysis of an email on an individual basis. The analysis can be initiated by viewing the email report, going to the analysis tab, and clicking the "Run Analysis" button.
- Automatic Analysis: From the time of activation, all email reports will be automatically analysed by CanIPhish's Email Analysis Engine, meaning administrators can immediately see the results of the analysis upon viewing the email report.
Automatic Attribution
CanIPhish's Email Analysis Engine can automatically attribute reported emails as Actual Spam or Actual Phishing if specific conditions are met:
- Automatically Attribute AI-Detected Spam: If the analysed email has a reputation score that exceeds the defined threshold AND is classified as spam, then the email report will be automatically attributed as Actual Spam.
- Automatically Attribute AI-Detected Phishing: If the analysed email has a reputation score that exceeds the defined threshold AND is classified as malicious, then the email report will be automatically attributed as Actual Phishing.