
Mail Agent

Analyze email messages for security threats including phishing, malware, and social engineering.

Overview

Agent Name: MailAgent
Scan Type: mail
Credit Cost: 1 credit
Target Types: Email files (.eml, .msg), email headers, attachments

Capabilities

  • Phishing detection
  • Malicious attachment analysis
  • Email header analysis
  • SPF/DKIM/DMARC validation
  • Link safety checking
  • Sender reputation analysis
  • Social engineering detection
  • Spoofing identification

Usage

# Analyze email file
alprina scan ./suspicious-email.eml --type mail

# Scan multiple emails
alprina scan ./inbox/*.eml --type mail

# API usage
curl -X POST https://api.alprina.com/v1/scan/email-report \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "target": "./email.eml",
    "options": {
      "check_links": true,
      "check_attachments": true,
      "check_headers": true
    }
  }'

What It Analyzes

Email Headers

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication)
  • Reply-To mismatches
  • Received headers
  • Authentication results

Content Analysis

  • Phishing indicators
  • Urgency tactics
  • Social engineering techniques
  • Impersonation attempts
  • Grammar/spelling anomalies
  • Brand impersonation
  • URL reputation
  • Shortened link expansion
  • Attachment file types
  • Macro detection
  • Malware signatures

Example Output

{
  "scan_id": "scan_mail909",
  "findings": [
    {
      "severity": "critical",
      "category": "phishing",
      "title": "Phishing Email Detected",
      "description": "Email impersonates legitimate sender with malicious link",
      "indicators": {
        "sender_mismatch": true,
        "suspicious_link": "http://evil-site.com/fake-login",
        "urgency_language": "Account will be closed in 24 hours",
        "spf_fail": true
      },
      "recommendation": "Block sender, delete email, report to security team"
    },
    {
      "severity": "high",
      "category": "malicious_attachment",
      "title": "Suspicious Macro-Enabled Document",
      "description": "Excel file contains obfuscated VBA macros",
      "attachment": "invoice.xlsm",
      "recommendation": "Do not open attachment. Macros may contain malware"
    }
  ],
  "email_analysis": {
    "from": "admin@examp1e.com",
    "subject": "Urgent: Verify Your Account",
    "spf": "fail",
    "dkim": "fail",
    "dmarc": "fail",
    "suspicious_score": 95
  }
}

Phishing Indicators

Common Red Flags

  1. Sender Spoofing

    Display: "Microsoft Security <security@microsoft.com>"
    Actual: "attacker@evil.com"
  2. Urgency Tactics

    • “Act now or account will be closed”
    • “Verify within 24 hours”
    • “Immediate action required”
  3. Suspicious Links

    Display text: "https://paypal.com/verify"
    Actual link: "http://paypa1.com/phishing"
  4. Authentication Failures

    • SPF: fail
    • DKIM: fail
    • DMARC: fail
  5. Grammar & Spelling

    • Poor grammar
    • Unusual phrasing
    • Spelling errors in official emails

URL Safety Checks

{
  "url": "https://bit.ly/abc123",
  "expanded_url": "http://malicious-site.com/phishing",
  "reputation": "malicious",
  "categories": ["phishing", "malware"],
  "safety": "unsafe"
}

Safe:

https://accounts.google.com/signin
https://www.paypal.com/us/signin

Suspicious:

http://g00gle.com/signin (homoglyph attack)
https://paypal-security.com (typosquatting)
https://192.168.1.1/phishing (IP address)
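The URL classes above can be triaged offline with a few heuristics before any reputation lookup. The block below is an added example, not Alprina's code: it flags raw IP hosts, digit-for-letter homoglyphs of known brands, brand names embedded in lookalike domains, and anchor text whose apparent domain differs from the real link target. The brand allow-list, the `HOMOGLYPHS` table and every URL are constructed for illustration; shortened-link expansion and reputation feeds, which the output above shows, need network access and are deliberately left out.

```python
"""URL triage heuristics for the three patterns shown above (added example, not Alprina's code).
Flags raw IP hosts, digit-for-letter homoglyphs of known brands and brand names inside
lookalike domains, and detects anchor-text/href mismatches. Brand list and URLs are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list of brand domains an organisation actually trusts.
KNOWN_BRANDS = {"google.com", "paypal.com", "microsoft.com"}
# Digits commonly swapped for look-alike letters in registered lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host; adequate for .com-style TLDs, not for co.uk-style ones."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> dict:
    """Return 'safe', 'suspicious' or 'unknown' plus the reasons behind the verdict."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return {"url": url, "verdict": "invalid", "reasons": ["no_host"]}
    reasons = []
    domain = registrable_domain(host)

    if is_ip_literal(host):
        reasons.append("ip_address_host")
    if parsed.scheme != "https":
        reasons.append("not_https")

    if domain in KNOWN_BRANDS:
        # A trusted brand domain over HTTPS is the only path to "safe".
        return {"url": url, "verdict": "safe" if not reasons else "suspicious", "reasons": reasons}

    # Homoglyph attack: normalise swapped digits and compare with the brand list.
    normalised = domain.translate(HOMOGLYPHS)
    if normalised in KNOWN_BRANDS:
        reasons.append(f"homoglyph_of:{normalised}")

    # Typosquatting / combo-squatting: a brand name embedded in some other domain.
    for brand in sorted(KNOWN_BRANDS):
        if brand.split(".")[0] in host:
            reasons.append(f"brand_in_lookalike_host:{brand}")
            break

    return {"url": url, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


def link_text_mismatch(display_text: str, href: str) -> bool:
    """True when anchor text looks like a URL whose domain differs from the real target's."""
    text = display_text.strip()
    if not URL_LIKE.match(text):
        return False  # plain anchor text such as "Click here" cannot mismatch by domain
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    actual = urlparse(href).hostname or ""
    return registrable_domain(shown) != registrable_domain(actual)
```

`classify_url` never returns "safe" for a domain outside the allow-list; anything it cannot place is "unknown" so that a reputation service gets the final word rather than the heuristic.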

Attachment Analysis

Risky File Types

  • Executables: .exe, .scr, .com, .bat
  • Scripts: .vbs, .js, .ps1, .sh
  • Office Macros: .docm, .xlsm, .pptm
  • Archives: .zip, .rar (may contain malware)
  • Shortcuts: .lnk, .url

Safe Handling

# Never open suspicious attachments directly
# Use sandbox environment or Alprina analysis first
alprina scan ./attachment.docm --type mail

Authentication Validation

SPF Check

Pass:

Received-SPF: pass (google.com: domain of sender@example.com designates 1.2.3.4 as permitted sender)

Fail:

Received-SPF: fail (google.com: domain of sender@example.com does not designate 5.6.7.8 as permitted sender)

DKIM Check

Pass:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com...
Authentication-Results: dkim=pass

DMARC Check

Policy:

DMARC: p=reject; pct=100; rua=mailto:dmarc@example.com
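The header signals in the Phishing Indicators section, the risky extensions under Attachment Analysis and the SPF/DKIM/DMARC results above can be checked on a raw `.eml` file with the standard library. The following is an added example, not Alprina's code or output format: it parses a constructed message (all addresses, domains and the `invoice.xlsm` attachment are made up), reads the verdicts from `Authentication-Results` with `Received-SPF` as a fallback, and reports display-name/address mismatch, Reply-To mismatch, urgency wording and risky attachment types as findings.

```python
"""Header, body and attachment triage of a raw .eml file (added example, not Alprina's code).
Checks the signals this page lists under Phishing Indicators, Risky File Types and
Authentication Validation with the standard library only; the sample is constructed."""
import email
import os
import re
from email.utils import parseaddr

# Constructed sample: the display name claims Microsoft, while the real sender,
# Reply-To and authentication results say otherwise; a macro-enabled file is attached.
SAMPLE_EML = b"""\
Received-SPF: fail (mx.example.net: domain of attacker@evil.com does not designate 5.6.7.8 as permitted sender)
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=evil.com; dkim=fail header.d=evil.com; dmarc=fail header.from=evil.com
From: "Microsoft Security <security@microsoft.com>" <attacker@evil.com>
Reply-To: helpdesk@evil-support.com
Subject: Urgent: Verify Your Account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be closed in 24 hours unless you verify now.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Extensions this page lists as risky; tune for your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js", ".ps1", ".sh",
                    ".docm", ".xlsm", ".pptm", ".zip", ".rar", ".lnk", ".url"}
URGENCY_PHRASES = ("act now", "within 24 hours", "in 24 hours", "immediate action", "will be closed")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts from Authentication-Results, falling back to Received-SPF."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    if results["spf"] == "none":
        match = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
        if match:
            results["spf"] = match.group(1).lower()
    return results


def plain_text(msg) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def risky_attachments(msg) -> list:
    """Filenames of attached parts whose extension is in RISKY_EXTENSIONS."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and os.path.splitext(part.get_filename())[1].lower() in RISKY_EXTENSIONS]


def analyze_email(raw: bytes) -> dict:
    """Return sender details, authentication verdicts and the list of findings."""
    msg = email.message_from_bytes(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Sender spoofing: an address written into the display name that differs from the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != domain_of(from_addr):
        findings.append("display_name_address_mismatch")

    # Replies would go to a domain other than the apparent sender's.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("reply_to_domain_mismatch")

    auth = auth_results(msg)
    findings += [f"{method}_fail" for method, verdict in auth.items() if verdict == "fail"]

    haystack = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    if any(phrase in haystack for phrase in URGENCY_PHRASES):
        findings.append("urgency_language")

    findings += [f"risky_attachment:{name}" for name in risky_attachments(msg)]
    return {"from": from_addr, "reply_to": reply_to, "auth": auth, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_email(SAMPLE_EML), indent=2))
```

Run it as a script to see the findings for the constructed sample. Note that `Authentication-Results` is trustworthy only when it was written by your own receiving MTA; a sender can add a forged copy, so a gateway should strip inbound instances of that header that do not carry its own `authserv-id` before relying on it.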

Best Practices

1. Email Security Training

Teach users to:

  • Verify sender before clicking links
  • Check for authentication failures
  • Report suspicious emails
  • Never share credentials via email

2. Automated Scanning

# Scan all incoming emails; quarantine() and alert_security_team() are the
# deployment's own handlers
for email in inbox:
    result = alprina.scan(email, type="mail")
    if result.suspicious_score > 80:
        quarantine(email)
        alert_security_team(result)

3. Response Procedures

When phishing detected:

  1. Quarantine email
  2. Alert affected users
  3. Block sender domain
  4. Report to authorities
  5. Update email filters

Integration Examples

Email Gateway Integration

# Integrate with email gateway: return the action the gateway should take
def scan_incoming_email(email):
    result = alprina.scan(email, type="mail")
    if result.severity in ["critical", "high"]:
        return "reject"
    elif result.suspicious_score > 70:
        return "quarantine"
    else:
        return "deliver"

SOC Alert Integration

# Send high-risk emails to SOC (result comes from alprina.scan(email, type="mail"))
if result.severity == "critical":
    siem.create_alert({
        "type": "phishing_detected",
        "subject": email.subject,
        "from": email.from_address,
        "indicators": result.indicators
    })

Compliance

Helps meet:

  • DMARC Compliance - Email authentication
  • Anti-Phishing Training - SOC 2, ISO 27001
  • Incident Response - Email threat detection