Email remains one of the most common attack vectors used by cybercriminals. Phishing attacks, Business Email Compromise (BEC), malicious attachments, and social engineering campaigns continue to target organizations of all sizes.
Security teams often spend significant time manually reviewing suspicious emails to determine whether they are legitimate or malicious.
In this project, we will build an AI-Powered Email Security Analyzer using n8n, Ollama, and Phi-3 that automatically evaluates incoming emails and provides a security assessment.
The entire solution runs locally, giving organizations full control over sensitive email data without sending information to external AI services.
What We Are Building
Our Email Security Analyzer will:
Receive suspicious emails
Extract relevant information
Analyze email content
Identify phishing indicators
Assess risk levels
Generate a security summary
Recommend actions
Workflow overview:
Email Received
↓
n8n Trigger
↓
Extract Email Data
↓
Phi-3 Analysis
↓
Risk Assessment
↓
Security Report
↓
Alert / Storage
This creates an automated first-level email security analyst.
Why Use AI for Email Security?
Traditional email security tools focus on:
Signature matching
Domain reputation
Malware detection
However, many attacks rely on social engineering rather than malware.
Examples include:
Urgent payment requests
Password reset scams
Fake executive requests
Invoice fraud
Credential harvesting
These attacks often require contextual analysis.
This is where AI becomes valuable.
Project Architecture
Our architecture consists of:
Email Source
↓
n8n Workflow
↓
Email Parser
↓
Phi-3 Security Analyst
↓
Decision Engine
↓
Security Report
Each component performs a specific function.
Step 1: Configure Email Monitoring
Create a new workflow in n8n.
Add an email trigger such as:
IMAP Email Trigger
Configure:
Mail server
Username
Password
Folder to monitor
For testing purposes, you may use a dedicated security inbox such as:
security-review@company.com
Every new email will automatically start the workflow.
Step 2: Extract Email Components
After the email trigger, extract:
{
"subject": "",
"from": "",
"reply_to": "",
"body": ""
}
These fields contain most of the information needed for an initial security assessment.
Future versions may also analyze:
Attachments
URLs
Email headers
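The extraction step as an added example (not code from the original post): it parses the raw RFC 5322 message text into the four fields above and flags a Reply-To address on a different domain than From, which is worth passing to the model as an indicator. It assumes the trigger hands the workflow the raw message text; in an n8n Code node the exact input field depends on how the IMAP trigger is configured.

```javascript
// Added example: extract the four analyzer fields from a raw RFC 5322 message.
// Assumes the raw message text is available to the Code node (an assumption;
// the IMAP trigger's output field names vary with its configuration).
function extractEmailData(raw) {
  // Headers end at the first blank line; the body is everything after it.
  const text = raw.replace(/\r\n/g, '\n');
  const splitAt = text.indexOf('\n\n');
  const headerText = splitAt === -1 ? text : text.slice(0, splitAt);
  const body = splitAt === -1 ? '' : text.slice(splitAt + 2).trim();
  // Unfold continuation lines (leading whitespace) before splitting headers.
  const headers = {};
  for (const line of headerText.replace(/\n[ \t]+/g, ' ').split('\n')) {
    const m = line.match(/^([^:]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2].trim();
  }
  return {
    subject: headers['subject'] || '',
    from: headers['from'] || '',
    reply_to: headers['reply-to'] || '',
    body,
  };
}

// Bare address from a header such as '"Payroll" <payroll@example.com>'.
function addressOf(header) {
  const m = header.match(/<([^>]+)>/);
  return (m ? m[1] : header).trim().toLowerCase();
}

function domainOf(header) {
  const addr = addressOf(header);
  const at = addr.lastIndexOf('@');
  return at === -1 ? '' : addr.slice(at + 1);
}

// A Reply-To on another domain than From is surfaced as an indicator for the
// model and the analyst; the check only applies when Reply-To is present.
function replyToMismatch(email) {
  return email.reply_to !== '' && domainOf(email.reply_to) !== domainOf(email.from);
}

// Constructed sample message (folded Subject header, mismatched Reply-To).
const SAMPLE_RAW = [
  'From: "Payroll Team" <payroll-update@secure-payroll.com>',
  'Reply-To: collect@example.net',
  'Subject: Urgent Payroll',
  ' Update',
  'Content-Type: text/plain',
  '',
  'Please verify your account immediately by clicking the link below.',
].join('\r\n');
```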
Step 3: Connect Phi-3 Through Ollama
Configure your AI node.
Model:
phi3
Endpoint:
http://localhost:11434
Phi-3 will serve as our first-level email security analyst.
Step 4: Create the Security Analysis Prompt
Prompt engineering is critical for consistent results.
Use a structured prompt:
You are a cybersecurity email analyst.
Analyze the following email for signs of:
- Phishing
- Social engineering
- Credential theft
- Business Email Compromise (BEC)
- Fraud
Provide:
1. Risk Score (1-100)
2. Risk Level
3. Suspicious Indicators
4. Explanation
5. Recommended Action
EMAIL:
Subject: {{subject}}
From: {{from}}
Reply-To: {{reply_to}}
Body:
{{body}}
This produces structured security assessments.
Example Analysis
Sample email:
Subject: Urgent Payroll Update
From: payroll-update@secure-payroll.com
Body:
Please verify your account immediately by clicking the link below.
Phi-3 may return:
Risk Score: 88
Risk Level: High
Indicators:
- Urgency language
- Account verification request
- Potential credential harvesting
Recommendation:
Do not click links. Verify sender through trusted channels.
This provides immediate value to security teams.
Step 5: Build a Risk Classification Engine
Add a Switch node in n8n.
Example logic:
Risk > 80
↓
High Risk
Risk 50-80
↓
Medium Risk
Risk < 50
↓
Low Risk
This enables automated routing.
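The Switch node needs a number to route on, so the model's free-text answer from Step 4 has to be parsed first. The following is an added example (not from the original post) of a Code node that parses the response layout shown in the Example Analysis section and applies the Step 5 thresholds; the "Unknown" bucket for an unparseable score is an assumption, meant for the Switch node's fallback output.

```javascript
// Added example: parse Phi-3's answer into routable fields. Assumes the model
// follows the prompt's layout ("Risk Score: 88", "Risk Level: High", an
// "Indicators:" list, a "Recommendation:" line); anything else yields a null score.
function parseAnalysis(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  const result = { risk_score: null, risk_level: '', indicators: [], recommendation: '' };
  let section = '';
  for (const line of lines) {
    let m;
    if ((m = line.match(/^(?:\d+\.\s*)?Risk Score:\s*(\d{1,3})/i))) {
      const n = Number(m[1]);
      result.risk_score = n >= 1 && n <= 100 ? n : null; // prompt asks for 1-100
    } else if ((m = line.match(/^(?:\d+\.\s*)?Risk Level:\s*(\w+)/i))) {
      result.risk_level = m[1];
    } else if (/^(?:\d+\.\s*)?(?:Suspicious )?Indicators:/i.test(line)) {
      section = 'indicators';
    } else if ((m = line.match(/^(?:\d+\.\s*)?Recommend(?:ation|ed Action):\s*(.*)$/i))) {
      section = 'recommendation';
      result.recommendation = m[1];
    } else if (section === 'indicators' && line.startsWith('-')) {
      result.indicators.push(line.replace(/^-\s*/, ''));
    } else if (section === 'recommendation' && line) {
      result.recommendation = (result.recommendation + ' ' + line).trim();
    }
  }
  return result;
}

// Step 5 thresholds. The numeric score decides the branch, not the model's own
// "Risk Level" wording; a missing score goes to "Unknown" (assumed bucket) so the
// Switch node's fallback output can send the email for manual review.
function classifyRisk(score) {
  if (score === null) return 'Unknown';
  if (score > 80) return 'High Risk';
  if (score >= 50) return 'Medium Risk';
  return 'Low Risk';
}

// Constructed sample matching the response shown in the Example Analysis section.
const SAMPLE_RESPONSE = [
  'Risk Score: 88', 'Risk Level: High', 'Indicators:', '- Urgency language',
  '- Account verification request', '- Potential credential harvesting',
  'Recommendation:', 'Do not click links. Verify sender through trusted channels.',
].join('\n');
```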
Step 6: Generate Security Reports
Create a report template.
Example:
EMAIL SECURITY ANALYSIS
Sender:
Subject:
Risk Score:
Risk Level:
Indicators:
Recommendations:
Reports can be stored as:
PDF
JSON
Database records
Security tickets
Step 7: Security Team Notifications
For high-risk emails:
High Risk
↓
Send Alert
Possible notification channels:
Email
Slack
Microsoft Teams
Discord
Telegram
This allows analysts to review threats quickly.
Step 8: Build an Analyst Memory System
We can improve the analyzer using memory.
Store information such as:
{
"known_senders": {},
"previous_phishing": {},
"trusted_domains": {}
}
This helps the system identify recurring threats.
Example:
Same sender detected
↓
Increase confidence score
Over time, the system becomes more effective.
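The memory rule above ("same sender detected, increase confidence score") as an added example, not code from the original post. It uses the Step 8 JSON shape, assumes the object is persisted between runs by n8n static data or a database node (not shown), and treats the +5 per earlier hit weighting as an assumption.

```javascript
// Added example: minimal analyst memory keyed by sender address, shaped like the
// Step 8 JSON. Persistence between workflow runs is assumed and not shown here.
function emptyMemory() {
  return { known_senders: {}, previous_phishing: {}, trusted_domains: {} };
}

function senderDomain(sender) {
  const at = sender.lastIndexOf('@');
  return at === -1 ? '' : sender.slice(at + 1).toLowerCase();
}

// Record one analysis. A sender enters previous_phishing the first time it is
// classified High Risk; a hit count is kept so repeat offenders stand out.
function updateMemory(memory, sender, score, level) {
  const key = sender.toLowerCase();
  const seen = memory.known_senders[key] || { count: 0, last_score: null };
  memory.known_senders[key] = { count: seen.count + 1, last_score: score };
  if (level === 'High Risk') {
    const prev = memory.previous_phishing[key] || { hits: 0 };
    memory.previous_phishing[key] = { hits: prev.hits + 1, last_score: score };
  }
  return memory;
}

// Raise confidence in the current score when the same sender was flagged before,
// capped at 100. A trusted domain is reported as context only: the From header
// can be forged, so a listed domain must never lower the score by itself.
function adjustScore(memory, sender, score) {
  const key = sender.toLowerCase();
  const notes = [];
  let adjusted = score;
  const prior = memory.previous_phishing[key];
  if (prior) {
    adjusted = Math.min(100, score + 5 * prior.hits); // +5 per earlier hit (assumed weighting)
    notes.push(`sender previously flagged ${prior.hits} time(s)`);
  }
  if (memory.trusted_domains[senderDomain(sender)]) {
    notes.push('sender domain is on the trusted list (verify headers before relying on it)');
  }
  return { score: adjusted, notes };
}
```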
Detecting Common Phishing Indicators
Phi-3 can identify patterns such as:
Urgency
Immediate action required
Your account will be suspended
Respond within 24 hours
Credential Requests
Verify your password
Confirm your account
Login to continue
Financial Fraud
Wire transfer requests
Invoice payment changes
Bank account updates
Impersonation Attempts
CEO fraud
Executive impersonation
Vendor impersonation
These are common social engineering techniques.
Adding URL Analysis
Future versions can extract URLs.
Example workflow:
Extract URL
↓
Send to Phi-3
↓
Analyze Context
↓
Assess Risk
Questions the AI can evaluate:
Does the URL match the sender?
Does the URL appear suspicious?
Is the request consistent with the email?
This adds another security layer.
Attachment Risk Analysis
We can also inspect attachments.
Examples:
invoice.pdf.exe
payment_document.zip
macro_enabled.xlsm
AI can generate explanations such as:
Potential malware delivery mechanism.
This helps analysts understand risks quickly.
Real-World Use Cases
Security Operations Center (SOC)
Automated email triage.
Managed Security Providers
First-level phishing review.
Small Businesses
Affordable email security analysis without dedicated analysts.
Security Awareness Programs
Training employees to recognize phishing attempts.
Limitations
This system should not replace:
Secure Email Gateways
Malware Sandboxes
Threat Intelligence Platforms
Instead, it complements them by providing contextual analysis.
AI should assist analysts, not replace security controls.
Why This Project Matters
Many phishing attacks succeed because users fail to recognize subtle warning signs.
By combining:
n8n
Ollama
Phi-3
we can create a local AI analyst that helps identify suspicious emails before they become incidents.
This provides:
Faster triage
Consistent analysis
Reduced analyst workload
Improved security visibility
Conclusion
In this project, we built a fully local AI-powered Email Security Analyzer capable of evaluating suspicious emails and generating actionable security assessments.
The workflow demonstrates how local AI can support cybersecurity operations while maintaining privacy and control over sensitive information.
More importantly, it introduces a practical use case where AI assists security professionals in identifying phishing attempts, social engineering attacks, and fraud indicators.
What's Next?
In the next article, Detecting Phishing Emails Using Local AI and n8n, we will take email security automation even further.
We will focus specifically on phishing detection techniques, URL analysis, sender validation, and risk scoring to create a dedicated phishing investigation workflow.