Phishing Forensics Sandbox — Detailed Summary
Core Idea & Inspiration The project was inspired by a real-life phishing incident where even a technically aware person almost got tricked by a highly realistic fake email. The key issue was that phishing signals exist, but they are hidden deep in headers, domains, and encoding. Normal users cannot access or understand them.
The goal was to build a tool that makes hidden phishing signals visible, understandable, and actionable in real-time.
What the System Does The system is a Chrome extension with an AI backend that analyzes emails and generates a forensic-level phishing report.
When a user scans an email, it provides:
Risk Score (0–100) with threat levels (Low to Critical) Header Analysis (sender mismatch, spoofing detection) URL Analysis (unshortening and destination detection) Homograph Detection (fake domains like googIe.com) AI Attack Narrative (what attacker is trying to do) User Impact Explanation (what happens if user clicks) Recommended Actions (clear next steps)
The key difference is that it does not just detect phishing — it explains it like a forensic analyst.
Risk Scoring System
score_final = 0.35 * S_rules + 0.35 * S_intel + 0.30 * S_ai
Where:
S_rules = deterministic signals (headers, keywords) S_intel = threat intelligence (domain age, reputation) S_ai = contextual reasoning
This ensures balanced, reliable, and explainable scoring.
System Architecture
The system is divided into three layers:
Chrome Extension
Extracts email data from Gmail, Outlook, and Yahoo Injects Scan Email button Displays results in popup UI
Backend (Node.js)
Receives email data Builds structured AI prompt Calls AI API Returns JSON report
AI Layer
Acts like a forensic analyst Performs signal analysis, reasoning, and attack reconstruction Outputs structured JSON Data Flow
User clicks Scan Email data extracted Sent to backend AI analyzes JSON report returned UI displays results
This ensures fast response and real-time feedback.
Key Challenges Faced
Prompt Engineering It was difficult to make the AI consistently return structured JSON. Multiple iterations were required.
Homograph Detection Fake domains use visually identical characters. This required AI reasoning and planned preprocessing.
DOM Variations Different email platforms have different structures, making extraction challenging.
Speed vs Accuracy Balancing fast response with deep analysis was difficult.
Scope Control We avoided adding too many features and focused on a complete working product.
Key Learnings
AI prompts behave like software systems and need testing and refinement. Integration and system design are harder than just using AI. Security tools must be simple, fast, and accessible.
The biggest insight was that a tool is only useful if users can understand and use it instantly.
Final Impact
This system transforms phishing detection from hidden technical analysis into clear, explainable intelligence.
It detects threats, explains them, simulates outcomes, and guides users.
In one line:
It turns phishing detection into a clear story instead of raw data.
Built With
- chrome
- cors
- css3
- express.js
- extension
- groq
- html5
- javascript
- node.js
Log in or sign up for Devpost to join the conversation.