A local phishing analysis utility for rapid IOC extraction and analyst-focused risk scoring.
- Impact: Improves phishing triage speed with structured and repeatable analysis output.
- Scale: Runs locally and supports JSON workflows for analyst tooling and automation.
- Use case: SOC inbox triage, phishing investigations, and threat reporting.
- Screenshot:
- Demo GIF:
- IOC extraction from suspicious email content
- ATT&CK mapping suggestions for analyst context
- Risk scoring and report-friendly output
PhishSense includes built-in AI safety and security controls to prevent misuse, injection, or unsafe LLM output.
📘 View Security Guardrails and Analyst Briefing
- 🖥️ Python 3.8+
- 🦙 Ollama installed and running locally
- 💾 LLM model pulled (e.g.
mistral)
Step 1
Open your terminal and run:
curl -fsSL https://ollama.com/install.sh | shThis:
-Downloads the latest ollama binary
-Installs it to /usr/local/bin/ollama
-Sets up required services
Step 2 : Verify Installation
ollama --version
sudo systemctl stop ollamaStep3 : Pull your first model
# Pull a model using Ollama
ollama pull mistral
# Run the model locally
ollama run mistral
# Run the phishing analysis tool
python src/phishsense.py src/example_email.txtgit clone https://github.com/FoxSecIntel/PhishSense.gitpython src/phishsense.py src/example_email.txt You should get an output like:
--- PHISHSENSE REPORT ---
Summary: This email impersonates Microsoft and urges the user to reset their password at a fake domain. It creates urgency by threatening suspension.
IOCs:
- http://login.microsoft-reset.com
- login.microsoft-reset.com
MITRE ATT&CK Techniques:
- T1566.001 (Spearphishing via Link)
- T1204.002 (User Execution: Malicious Link)
Risk Score: 9/10
phishsense/
├── .gitignore
├── requirements.txt
├── README.md
└── src/
├── phishsense.py # Main script
├── prompt_template.txt # Prompt used to drive LLM output
└── example_email.txt # Sample phishing input
Edit src/prompt_template.txt to: Change tone or language Add or remove specific fields Make the output format fit your team/SIEM/SOAR system
No data leaves your laptop. No API keys or cloud LLMs. Ideal for security-conscious environments and offline SOCs.
MIT - free for personal or commercial use.
# 1) Run a core check
# 2) Request JSON output
# 3) Pipe into jq for analyst workflows