Update analyze_email_main.py
e41451e verified
import sys

from body_analyzer import analyze_body
from header_analyzer import analyze_headers
from parse_email import parse_email
from url_analyzer import analyze_urls
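# The three analyzer scores are summed and clamped to this upper bound.
_MAX_SCORE = 100

# Inclusive lower bounds on the clamped score that select each verdict label.
_MALICIOUS_MIN = 70
_SUSPICIOUS_MIN = 50
_SPAM_MIN = 30

# Body phrases used to guess the attack category. This is a plain
# case-insensitive substring test over content taken from the email itself,
# so the result is a hint for the analyst, not a classification.
_PAYMENT_FRAUD_WORDS = ("invoice", "payment", "wire transfer", "bank details")
_CREDENTIAL_WORDS = ("password", "verify", "account", "login", "credentials")

# Substrings looked for (case-insensitively) in analyzer findings, and the
# tag each match contributes to the report.
_TAG_RULES = (
    (("domain",), "Suspicious Sender Domain"),
    (("phishing",), "Phishing URL"),
    (("urgent", "suspicious phrase"), "Urgent Language"),
    (("spam",), "Spam Tone"),
)


def _verdict(total_score):
    """Map a clamped 0-100 score to its verdict label.

    Args:
        total_score: combined analyzer score, already capped at ``_MAX_SCORE``.

    Returns:
        str: one of the four verdict labels, highest threshold wins.
    """
    if total_score >= _MALICIOUS_MIN:
        return "🚨 Malicious"
    if total_score >= _SUSPICIOUS_MIN:
        return "⚠️ Suspicious"
    if total_score >= _SPAM_MIN:
        return "📩 Spam"
    return "✅ Safe"


def _attack_type(body_lower, header_findings, body_findings, is_safe):
    """Pick the most likely attack category; the first matching rule wins.

    Args:
        body_lower: lower-cased email body.
        header_findings: finding strings from the header analyzer.
        body_findings: finding strings from the body analyzer.
        is_safe: True when the score fell below the spam threshold.

    Returns:
        str: attack category label for the report.
    """
    if any(word in body_lower for word in _PAYMENT_FRAUD_WORDS):
        return "Invoice/Payment Fraud (BEC)"
    if any(word in body_lower for word in _CREDENTIAL_WORDS):
        return "Credential Harvesting (Phishing)"
    if any("reply-to mismatch" in finding.lower() for finding in header_findings):
        return "Business Email Compromise (BEC)"
    if any("spam" in finding.lower() for finding in body_findings):
        return "Spam / Marketing"
    if is_safe:
        return "Benign / Normal Email"
    return "General Phishing"


def _collect_tags(findings):
    """Return the tags implied by *findings*, deduplicated in first-seen order.

    Insertion-ordered deduplication keeps the report stable between runs,
    which matters when reports are diffed or stored.
    """
    tags = []
    for finding in findings:
        lowered = finding.lower()
        for needles, tag in _TAG_RULES:
            if any(needle in lowered for needle in needles):
                tags.append(tag)
    return list(dict.fromkeys(tags))


def analyze(file_path):
    """Analyze the email at *file_path* and return the report as a list of lines.

    The header, body and URL analyzers each return findings and a score; the
    scores are summed and capped at 100, the cap drives the verdict, and the
    body text plus findings drive the attack-type guess and the tags.

    Args:
        file_path: path handed straight to ``parse_email``.

    Returns:
        list[str]: report lines — score, attack type, verdict, the tag line,
        every finding, then the highlighted body. The findings and the
        highlighted body echo content taken from the email under analysis,
        so consumers should render the report as plain text rather than
        interpret it (e.g. avoid feeding it to a terminal or HTML view
        unescaped).

    Raises:
        Nothing is caught here; exceptions from ``parse_email`` and the
        analyzers propagate unchanged.
    """
    headers, body, urls = parse_email(file_path)
    header_findings, header_score = analyze_headers(headers)
    body_findings, body_score, highlighted_body = analyze_body(body)
    url_findings, url_score = analyze_urls(urls)

    # Cap the combined score so the verdict thresholds stay meaningful when
    # several analyzers fire at once.
    total_score = min(header_score + body_score + url_score, _MAX_SCORE)
    verdict = _verdict(total_score)
    # Derive "safe" from the score rather than by comparing the verdict text,
    # so the label can change without silently breaking the attack-type rule.
    attack_type = _attack_type(
        body.lower(), header_findings, body_findings, total_score < _SPAM_MIN
    )

    all_findings = header_findings + body_findings + url_findings
    tags = _collect_tags(all_findings)

    report = [
        f"Attack Score: {total_score}",
        f"Attack Type: {attack_type}",
        f"Final Verdict: {verdict}",
        "---- Attack Analysis Tags ----",
        ", ".join(tags) if tags else "No special tags",
        "---- Detailed Findings ----",
    ]
    report.extend(all_findings)
    report.append("---- Highlighted Body ----")
    report.append(highlighted_body)
    return report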
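if __name__ == "__main__":
    # An explicit path on the command line takes precedence; the bundled
    # sample remains the default so the script still runs with no arguments.
    file_path = sys.argv[1] if len(sys.argv) > 1 else "sample.eml"
    for line in analyze(file_path):
        print(line)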