Inspiration Phishing attacks are becoming increasingly sophisticated, bypassing traditional spam filters and tricking even tech-savvy users. We realized that existing solutions either require users to forward emails to clunky scanning services or lack the ability to actively monitor inboxes in real-time. We wanted to build a proactive, zero-trust security layer that sits between the user and their inbox—a tool that not only analyzes threats using advanced AI but also provides instant alerts the moment a malicious email arrives, protecting users before they even click a link.

What it does PhishFilter is an intelligent, real-time email security dashboard and sandbox environment. It offers three core layers of protection:

Real-Time Watchdog: Using IMAP IDLE, it maintains a persistent connection to the user's inbox, instantly detecting new emails and running them through our AI analysis pipeline without any polling delay. Multi-Vector AI Analysis: It extracts headers, IPs, and URLs, enriching the data via Firecrawl (for hidden content), VirusTotal (for threat intelligence), and IPinfo (for geolocation) before feeding the full forensic profile into our LLM for a final verdict. Safe Link Sandbox: Users can paste suspicious URLs into a secure environment where our server follows the redirect chain and analyzes the final destination, completely isolating the user from potential malware. Instant Alerts: If a threat is detected, PhishFilter instantly fires off a WhatsApp alert via Twilio and sends a detailed email report, ensuring users are notified immediately on their mobile devices. How we built it We built PhishFilter with a focus on speed, beautiful UI, and robust backend integrations:

Frontend: Built on Next.js with React and Tailwind CSS. We leveraged Framer Motion heavily to create a cinematic, state-driven UI with fluid animations, making security feel premium and engaging rather than boring. Backend: Serverless API routes handle the heavy lifting. We implemented imapflow for the persistent IMAP connection and Server-Sent Events (SSE) to stream real-time updates directly to the frontend dashboard. Analysis Pipeline: We created an orchestration layer that runs enrichment tools in parallel (Firecrawl, VirusTotal, IP geolocation, Sandbox redirect tracing) to minimize latency. AI Engine: The enriched data is passed to an LLM (Grok/OpenAI) with a strict schema to generate risk scores, extract critical threat signals, and provide human-readable summaries. Notifications: Twilio handles the WhatsApp messaging, while Nodemailer dispatches detailed HTML reports via SMTP. Challenges we ran into One of the hardest technical challenges was building the Real-Time Watchdog. Traditional IMAP polling is slow and resource-intensive. Implementing imapflow with IMAP IDLE over Server-Sent Events (SSE) required careful management of persistent connections and background streaming to ensure the UI stayed perfectly synced with the mail server without timing out. Additionally, designing the Safe Link Sandbox required us to securely follow HTTP redirect chains server-side (handling up to 10 hops) without getting caught in infinite loops or exposing our own backend to malicious payloads.

Accomplishments that we're proud of The "Wow" Factor UI: We are incredibly proud of the dynamic, glassmorphic dashboard. The transitions—especially the 2.5-second "Connecting" radar animation and the split-screen Watchdog layout—make the app feel incredibly polished. Sub-Second Threat Detection: Successfully architecting the parallel enrichment pipeline means we can take a raw email, extract data, check external APIs, run AI analysis, and fire a WhatsApp alert almost instantaneously. Zero-Trust Sandbox: Giving users a visual breakdown of a URL's entire redirect chain without them ever having to open a new tab is a massive win for user safety. What we learned IMAP Protocol Intricacies: We gained deep knowledge of how email protocols work under the hood, specifically moving from basic POP3/IMAP polling to persistent IDLE connections. Prompt Engineering for Security: We learned how to tightly constrain LLM outputs to produce reliable, deterministic JSON structures (verdicts, scores, and signals) rather than conversational text. State Management in React: Handling complex asynchronous states across multiple API boundaries and SSE streams taught us a lot about advanced React patterns and AnimatePresence in Framer Motion. What's next for PhishFilter Browser Extension Integration: We plan to properly connect our existing Chrome extension skeleton to the backend, allowing users to scan Gmail interfaces directly with a single click. Automated Remediation: Adding the ability for the Watchdog to automatically move highly malicious emails directly to the spam folder or delete them before the user even sees them. Enterprise Dashboard: Building out team-level analytics so IT administrators can see threat trends across an entire organization's domain.

Built With

  • firecrawl-api
  • framer-motion
  • imapflow
  • ipinfo
  • next.js
  • nodemailer
  • openai-api
  • react
  • server-sent-events-(sse)
  • tailwind-css
  • twilio
  • typescript
  • virustotal-api
Share this project:

Updates