Objective
Phishing triage is high-volume, repetitive, and experience-dependent — exactly the kind of work where junior analysts drown and tooling can help. For my M.S. capstone at Lewis University (September–December 2025), I designed and built an end-to-end system that ingests raw email files, enriches them with external threat intelligence, and produces a classification — legitimate, uncertain, or phishing — with a justification a human analyst can read, verify, and act on. The design draws directly on my production phishing-analysis experience at CAMS.
Tools & Technologies
- Python — pipeline core: MIME parsing, feature extraction, orchestration
- VirusTotal API — URL and indicator reputation enrichment
- Google Gemini — LLM-based contextual analysis and risk scoring
- Streamlit — the SOC analyst dashboard
Architecture / Workflow
raw email file (.eml)
└─ 1. MIME parsing — headers, body, URLs, attachments
└─ 2. URL reputation — VirusTotal API scans
└─ 3. LLM contextual analysis — linguistic cues,
spoofed-domain signals, urgency patterns
└─ 4. Risk scoring & classification
(legitimate / uncertain / phishing)
+ analyst-readable justification
└─ 5. Streamlit dashboard — risk badge,
phishing score, parsed details,
VirusTotal results
What I Built
- A multi-layer detection pipeline where each layer contributes independent signal: structural (headers and routing), reputational (VirusTotal verdicts on extracted URLs), and contextual (LLM analysis of language, sender/domain mismatch, and social-engineering cues).
- Explainable output by design — every classification ships with a written justification citing the specific signals that drove the score, so the system supports an analyst’s decision instead of replacing it.
- A Streamlit dashboard presenting risk badges, phishing scores, parsed email details, and raw VirusTotal scan results — built so triage works at any analyst experience level.
Key Findings
- Combining signal types beats any single detector: emails that pass reputation checks (clean URLs, no known-bad indicators) still get caught by linguistic analysis — urgency framing, credential-harvesting language, display-name spoofing.
- The “uncertain” class is a feature, not a weakness. Forcing binary verdicts on ambiguous emails is how real pipelines generate false negatives; routing genuine ambiguity to a human is the honest design.
- LLM justifications must be grounded in extracted evidence — the pipeline feeds the model parsed artifacts (actual headers, actual URLs, actual VirusTotal verdicts) rather than asking it to speculate.
Skills Demonstrated
Security tool development in Python, email forensics (header analysis, MIME structure, URL behavior), threat-intelligence API integration, LLM application design with explainability requirements, dashboard/UX design for SOC workflows.
What I Learned
Building detection tooling forces precision that using it never does. Every design decision — what to parse, which signals to weight, when to defer to a human — encodes a judgment about how phishing actually works, and my production triage experience at CAMS was the difference between a class project and a tool shaped like real SOC work.
Next Steps
- Batch ingestion mode for mailbox-scale triage rather than single-file analysis
- Feedback loop: analyst verdicts on “uncertain” emails refine future scoring
- Detonation-adjacent features — attachment hashing and sandbox API integration