Sunday, June 7, 2026

Building an AI-Powered Email Security Analyzer with n8n + Phi-3

Email remains one of the most common attack vectors used by cybercriminals. Phishing attacks, Business Email Compromise (BEC), malicious attachments, and social engineering campaigns continue to target organizations of all sizes.

Security teams often spend significant time manually reviewing suspicious emails to determine whether they are legitimate or malicious.

In this project, we will build an AI-Powered Email Security Analyzer using n8n, Ollama, and Phi-3 that automatically evaluates incoming emails and provides a security assessment.

The entire solution runs locally, giving organizations full control over sensitive email data without sending information to external AI services.


What We Are Building

Our Email Security Analyzer will:

  • Receive suspicious emails

  • Extract relevant information

  • Analyze email content

  • Identify phishing indicators

  • Assess risk levels

  • Generate a security summary

  • Recommend actions

Workflow overview:

Email Received
↓
n8n Trigger
↓
Extract Email Data
↓
Phi-3 Analysis
↓
Risk Assessment
↓
Security Report
↓
Alert / Storage

This creates an automated first-level email security analyst.


Why Use AI for Email Security?

Traditional email security tools focus on:

  • Signature matching

  • Domain reputation

  • Malware detection

However, many attacks rely on social engineering rather than malware.

Examples include:

Urgent payment requests

Password reset scams

Fake executive requests

Invoice fraud

Credential harvesting

These attacks often require contextual analysis.

This is where AI becomes valuable.


Project Architecture

Our architecture consists of:

Email Source
↓
n8n Workflow
↓
Email Parser
↓
Phi-3 Security Analyst
↓
Decision Engine
↓
Security Report

Each component performs a specific function.


Step 1: Configure Email Monitoring

Create a new workflow in n8n.

Add an email trigger such as:

IMAP Email Trigger

Configure:

  • Mail server

  • Username

  • Password

  • Folder to monitor

For testing purposes, you may use a dedicated security inbox such as:

security-review@company.com

Every new email will automatically start the workflow.


Step 2: Extract Email Components

After the email trigger, extract:

{
  "subject": "",
  "from": "",
  "reply_to": "",
  "body": ""
}

These fields contain most of the information needed for an initial security assessment.

Future versions may also analyze:

  • Attachments

  • URLs

  • Email headers


Step 3: Connect Phi-3 Through Ollama

Configure your AI node.

Model:

phi3

Endpoint:

http://localhost:11434

Phi-3 will serve as our first-level email security analyst.


Step 4: Create the Security Analysis Prompt

Prompt engineering is critical for consistent results.

Use a structured prompt:

You are a cybersecurity email analyst.

Analyze the following email for signs of:

- Phishing
- Social engineering
- Credential theft
- Business Email Compromise (BEC)
- Fraud

Provide:

1. Risk Score (1-100)
2. Risk Level
3. Suspicious Indicators
4. Explanation
5. Recommended Action

EMAIL:

Subject: {{subject}}

From: {{from}}

Reply-To: {{reply_to}}

Body:
{{body}}

This produces structured security assessments.


Example Analysis

Sample email:

Subject: Urgent Payroll Update

From: payroll-update@secure-payroll.com

Body:
Please verify your account immediately by clicking the link below.

Phi-3 may return:

Risk Score: 88

Risk Level: High

Indicators:
- Urgency language
- Account verification request
- Potential credential harvesting

Recommendation:
Do not click links. Verify sender through trusted channels.

This provides immediate value to security teams.


Step 5: Build a Risk Classification Engine

Add a Switch node in n8n.

Example logic:

Risk > 80
↓
High Risk

Risk 50-80
↓
Medium Risk

Risk < 50
↓
Low Risk

This enables automated routing.


Step 6: Generate Security Reports

Create a report template.

Example:

EMAIL SECURITY ANALYSIS

Sender:
Subject:

Risk Score:
Risk Level:

Indicators:

Recommendations:

Reports can be stored as:

  • PDF

  • JSON

  • Database records

  • Security tickets


Step 7: Security Team Notifications

For high-risk emails:

High Risk
↓
Send Alert

Possible notification channels:

  • Email

  • Slack

  • Microsoft Teams

  • Discord

  • Telegram

This allows analysts to review threats quickly.


Step 8: Building an Analyst Memory System

We can improve the analyzer using memory.

Store information such as:

{
  "known_senders": {},
  "previous_phishing": {},
  "trusted_domains": {}
}

This helps the system identify recurring threats.

Example:

Same sender detected
↓
Increase confidence score

Over time, the system becomes more effective.


Detecting Common Phishing Indicators

Phi-3 can identify patterns such as:

Urgency

Immediate action required

Your account will be suspended

Respond within 24 hours

Credential Requests

Verify your password

Confirm your account

Login to continue

Financial Fraud

Wire transfer requests

Invoice payment changes

Bank account updates

Impersonation Attempts

CEO fraud

Executive impersonation

Vendor impersonation

These are common social engineering techniques.


Adding URL Analysis

Future versions can extract URLs.

Example workflow:

Extract URL
↓
Send to Phi-3
↓
Analyze Context
↓
Assess Risk

Questions the AI can evaluate:

  • Does the URL match the sender?

  • Does the URL appear suspicious?

  • Is the request consistent with the email?

This adds another security layer.


Attachment Risk Analysis

We can also inspect attachments.

Examples:

invoice.pdf.exe

payment_document.zip

macro_enabled.xlsm

AI can generate explanations such as:

Potential malware delivery mechanism.

This helps analysts understand risks quickly.


Real-World Use Cases

Security Operations Center (SOC)

Automated email triage.


Managed Security Providers

First-level phishing review.


Small Businesses

Affordable email security analysis without dedicated analysts.


Security Awareness Programs

Training employees to recognize phishing attempts.


Limitations

This system should not replace:

  • Secure Email Gateways

  • Malware Sandboxes

  • Threat Intelligence Platforms

Instead, it complements them by providing contextual analysis.

AI should assist analysts, not replace security controls.


Why This Project Matters

Many phishing attacks succeed because users fail to recognize subtle warning signs.

By combining:

  • n8n

  • Ollama

  • Phi-3

We can create a local AI analyst that helps identify suspicious emails before they become incidents.

This provides:

  • Faster triage

  • Consistent analysis

  • Reduced analyst workload

  • Improved security visibility


Conclusion

In this project, we built a fully local AI-powered Email Security Analyzer capable of evaluating suspicious emails and generating actionable security assessments.

The workflow demonstrates how local AI can support cybersecurity operations while maintaining privacy and control over sensitive information.

More importantly, it introduces a practical use case where AI assists security professionals in identifying phishing attempts, social engineering attacks, and fraud indicators.


What's Next?

In the next article, we will take email security automation even further by building:

Detecting Phishing Emails Using Local AI and n8n

We will focus specifically on phishing detection techniques, URL analysis, sender validation, and risk scoring to create a dedicated phishing investigation workflow.

No comments:

Post a Comment

AI-Powered Software Development with n8n, Ollama, and Phi-3

  Introduction Software development is changing rapidly with the rise of Artificial Intelligence. Tasks that once required hours of manual e...