CanIPhish can embed an AI-powered security coach directly into its Email Add-Ins for Outlook and Gmail, empowering employees to make quick and smart decisions as to whether an email is safe, spam, or a phishing attempt. See it in action here.
In this support article, we'll walk through everything you need to know about CanIPhish's AI-Powered Email Analysis Engine and how it works in conjunction with our Email Add-Ins.
Important Note: If you installed CanIPhish's Outlook Add-In prior to February 08, 2026, you will need to deploy our updated Outlook manifest file to use this feature. Please follow this support article for further instructions.
How It Works
CanIPhish has developed a fine-tuned AI model that's designed to accurately analyze and categorize emails based on a range of detection capabilities. As part of the analysis, the following is performed:
- Sender Address Analysis: Check standard email security signals that many organizations use to prove an email really came from a domain.
  - SPF, DKIM, and DMARC results are extracted from the email headers.
  - If these checks fail, risk increases because spoofing is more likely.
  - Detect cases where the email was forwarded, because forwarding commonly breaks SPF and can make a legitimate email look suspicious.
- Infrastructure Analysis: Check sender infrastructure against threat intelligence.
  - Look up the sending IP reputation to confirm if the originating mail server is known for abuse.
  - Look up the sending domain's reputation to confirm if the email address domain is associated with spam/phishing behavior.
- Link Analysis: Check links embedded within the email against threat intelligence.
  - Extract URLs and their hostnames to then confirm if the domains appear in known malicious website listings.
- Attachment Analysis: Scan attachments for risky files and known malware.
  - Categorize attachments into high, medium, and low risk attachment types, depending on the type of file it is (e.g., executable/script files are high risk, with text files being low risk).
  - Detect attachment obfuscation techniques such as double extensions (e.g., invoice.pdf.exe) and a mismatch of the file type and declared content type.
  - Identify known malware through signature-based malware scanning on an ephemeral container running ClamAV.
- Sentiment Analysis: Identify the intent of the email and the action being requested of the recipient.
  - Identify whether the sender is imposing urgency or pressure on the recipient to act fast.
  - Identify whether the sender is requesting the recipient to keep the conversation a secret.
  - Identify requests for sensitive information such as passwords and payment information.
  - Identify requests for money, such as changing bank details or requesting gift cards.
- Relationship Analysis: Identify what relationship the sender has with the recipient.
  - Identify if an email address at the sender's domain has been successfully reported by another user for sending spam or phishing.
  - Identify if the sender and recipient have been engaged in a prolonged two-way conversation, or if communication is one-sided (e.g., the recipient has never responded).
  - Identify if the sender has suddenly begun emailing the recipient, or if there is evidence of ongoing email exchanges from at least 1 month prior.
- Impersonation Analysis: Check for external senders attempting to masquerade as an internal employee.
  - Identify suspicious sender display names (e.g., HR, Procurement, Executive).
  - Identify whether the sender domain is internal or external to the organization (cross-referencing against verified domains).
  - Identify whether the email body mentions manager or executive names (cross-referencing against employee lists).
  - Identify a mismatch between the sender email address and the reply-to address.
Important Note: Relationship Analysis can only function if email quarantine functionality is set up. The quarantine integration provides the ability to search the user's inbox for metadata on prior email exchanges between the sender and recipient. The results of these searches are captured as a number of true/false flags, which are then provided to CanIPhish's AI model as context (i.e., prior raw emails aren't processed by CanIPhish's AI model, just true/false flags of whether certain relationship attributes were observed).
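To make a few of the header and attachment checks above concrete, here is an added Python example (not CanIPhish's code or model) that extracts SPF/DKIM/DMARC verdicts, compares the sender address with the reply-to address, and flags double extensions and content-type mismatches. The extension lists, the `mx.example.net` mail server name, and the sample message are assumptions constructed for illustration.

```python
import email, re
from email import policy
from email.utils import parseaddr
from mimetypes import guess_type
HIGH_RISK = {".exe", ".js", ".vbs", ".scr", ".bat", ".ps1"}  # assumed list
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}   # assumed list
# Constructed sample message (not real traffic).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
From: "HR Department" <billing@example.org>
Reply-To: payments@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice today.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder
--b1--
"""

def auth_results(msg, trusted_authserv):
    """SPF/DKIM/DMARC verdicts, read only from headers stamped by our own MTA."""
    out = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for h in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(h).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can pre-insert this header; skip foreign ones
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            out[method.lower()] = verdict.lower()
    return out

def attachment_flags(part):
    name = part.get_filename() or ""
    ext = ["." + s for s in name.lower().split(".")[1:]]
    return {"name": name, "high_risk_type": bool(ext) and ext[-1] in HIGH_RISK,
            "double_extension": len(ext) >= 2 and ext[-2] in DECOY,
            "type_mismatch": guess_type(name)[0] not in (None, part.get_content_type())}

def analyze(raw, trusted_authserv="mx.example.net"):
    msg = email.message_from_string(raw, policy=policy.default)
    sender, reply_to = (parseaddr(str(msg.get(h, "")))[1].lower() for h in ("From", "Reply-To"))
    return {"auth": auth_results(msg, trusted_authserv),
            "reply_to_mismatch": bool(reply_to) and reply_to != sender,
            "attachments": [attachment_flags(p) for p in msg.iter_attachments()]}
```

Calling `analyze(SAMPLE)` returns failing authentication verdicts, a reply-to mismatch, and one attachment with all three flags set.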
Embedded Email Analysis
When an email is analyzed, the following information is made available to employees directly in CanIPhish's Email Add-Ins:
- Classification: The AI Security Coach will apply one of four classifications, notably:
  - Unknown: An unknown classification is provided if the AI Security Coach is unable to accurately determine what the email should be classified as.
  - Safe: A Safe classification is provided if the AI Security Coach believes the email is legitimate or non-malicious.
  - Spam: A spam classification is provided if the AI Security Coach believes the email is spam.
  - Malicious: A malicious classification is provided if the AI Security Coach believes the email is phishing or otherwise has malicious intent.
- Summary: The AI Security Coach will provide a 2-3 sentence summary outlining key information about the email, why it is suspicious (if applicable), and what it is asking the recipient.
- Next Steps: Based on the email classification and specific requests within the email, the AI Security Coach will provide short, clear, and actionable guidance on what the recipient should do next.
Email Add-In Embedded Analysis Configurations
The embedded AI analysis capability can be set to one of two configurations: either Disabled (Default) or Enabled. This configuration can be found by navigating to Reporting > Reported Emails, then clicking the Report Email Settings button and selecting the Analysis tab.
Depending on which configuration is selected, users will see a slightly different Email Add-In GUI. Examples of these GUIs are provided below:
Outlook Add-In (Embedded Analysis Enabled):
Outlook Add-In (Embedded Analysis Disabled):
Gmail Add-In (Embedded Analysis Enabled):
Step 1. Initiate Analysis:
Step 2. Analysis Completed:
Gmail Add-In (Embedded Analysis Disabled):