Update analyze_email_main.py

analyze_email_main.py

@@ -11,10 +11,6 @@ from scoring_engine import compute_final_score
 from behavioral_analyzer import analyze_behavior, behavioral_summary
 
 
-# =========================
-# MAIN ANALYSIS FUNCTION
-# =========================
-
 def analyze(file_path):
     start_time = time.time()
 
@@ -26,51 +22,52 @@ def analyze(file_path):
     # =========================
     # 🧠 ANALYZERS
     # =========================
+    header_findings, header_score, auth_summary = analyze_headers(headers, body)
+    auth_results = auth_summary  # must be dict
 
-    # Header analysis (auth, spoofing, BEC signals)
-    header_findings, header_score, auth_summary = analyze_headers(headers)
-
-    # Body heuristic / NLP analysis
     body_findings, body_score, highlighted_body, body_verdict = analyze_body(
         subject, body, urls, images
     )
 
-    # URL analysis
     url_findings, url_score = analyze_urls(urls)
 
-    # Attachment analysis
     attachment_findings, attachment_score, attachment_hashes = analyze_attachments(
         attachments
     )
 
     # =========================
-    # 🧠 BEHAVIORAL ANALYSIS (PHASE 4.3 – CORE FIX)
+    # 🧠 BEHAVIORAL ANALYSIS
     # =========================
     behavior_result = analyze_behavior(body)
     behavior_score = behavior_result["confidence_score"]
     behavior_attack = behavior_result["dominant_attack"]
     behavior_verdict = behavior_result["verdict"]
+    behavior_findings = behavior_result.get("findings", [])
     behavior_text = behavioral_summary(behavior_result)
 
     # =========================
-    # 🧮 FINAL CORRELATION SCORING
+    # 🧮 FINAL SCORING
     # =========================
     final_score, verdict, reasoning = compute_final_score(
         header_score=header_score,
         body_score=body_score,
         url_score=url_score,
         attachment_score=attachment_score,
-        behavior_score=behavior_score,  # 🔥 NEW
+        behavior_score=behavior_score,
         header_findings=header_findings,
         body_findings=body_findings,
         url_findings=url_findings,
         attachment_findings=attachment_findings,
-        auth_results=auth_summary,
-        behavior_result=behavior_result,  # 🔥 NEW
+        behavior_findings=behavior_findings,
+        auth_results=auth_results,
     )
 
+    # 🔐 Safety override
+    if behavior_verdict == "Malicious" and verdict == "✅ Safe":
+        verdict = "⚠️ Suspicious"
+
     # =========================
-    # 🏷 TAGGING ENGINE
+    # 🏷 TAGGING
     # =========================
     tags = set()
 
@@ -79,36 +76,30 @@ def analyze(file_path):
     ):
         fl = finding.lower()
 
-        if "attachment" in fl or "macro" in fl or "html" in fl:
+        if "attachment" in fl or "macro" in fl:
             tags.add("Malicious Attachment")
-
         if "reply-to" in fl or "bec" in fl:
             tags.add("BEC Indicator")
-
         if "url" in fl or "phishing" in fl:
-            tags.add("Malicious / Phishing URL")
-
+            tags.add("Malicious URL")
         if "spf" in fl or "dkim" in fl or "dmarc" in fl:
             tags.add("Email Authentication Failure")
-
         if "brand" in fl or "look-alike" in fl:
             tags.add("Brand Spoofing")
-
-        if "urgent" in fl or "immediately" in fl:
+        if "urgent" in fl:
             tags.add("Urgency / Social Engineering")
 
-    # Behavioral tags (VERY IMPORTANT)
     if behavior_attack != "None":
-        tags.add(behavior_attack.upper())
         tags.add("Behavioral Threat")
+        tags.add(behavior_attack.upper())
 
     # =========================
-    # ⏱ PROCESSING TIME
+    # ⏱ TIME
     # =========================
     processing_time = round(time.time() - start_time, 2)
 
     # =========================
-    # 📊 SUMMARY OUTPUT
+    # 📊 OUTPUT
     # =========================
     summary = {
         "Final Verdict": verdict,
@@ -119,9 +110,6 @@ def analyze(file_path):
         "Main Tags": ", ".join(sorted(tags)) if tags else "No special tags",
     }
 
-    # =========================
-    # 🔍 DETAILED OUTPUT
-    # =========================
     details = {
         "Header Findings": header_findings,
         "Body Findings": body_findings,
@@ -129,30 +117,10 @@ def analyze(file_path):
         "Attachment Findings": attachment_findings,
         "Attachment Hashes": attachment_hashes,
         "Highlighted Body": highlighted_body,
-        "Auth Results": auth_summary,
+        "Auth Results": auth_results,
         "Behavioral Analysis": behavior_result,
         "Behavioral Summary": behavior_text,
         "Scoring Reasoning": reasoning,
     }
 
     return summary, details
-
-
-# =========================
-# 🧪 LOCAL TEST
-# =========================
-if __name__ == "__main__":
-    summary, details = analyze("sample.eml")
-
-    print("\n===== SUMMARY =====")
-    for k, v in summary.items():
-        print(f"{k}: {v}")
-
-    print("\n===== DETAILS =====")
-    for k, v in details.items():
-        print(f"\n{k}:")
-        if isinstance(v, list):
-            for item in v:
-                print(f"  - {item}")
-        else:
-            print(v)