from parse_email import parse_email
from header_analyzer import analyze_headers
from body_analyzer import analyze_body
from url_analyzer import analyze_urls
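# Body keywords used to label the likely attack type (checked in this order).
_PAYMENT_FRAUD_WORDS = ("invoice", "payment", "wire transfer", "bank details")
_CREDENTIAL_WORDS = ("password", "verify", "account", "login", "credentials")

# Inclusive lower bounds of the verdict bands, highest first.
_MALICIOUS_MIN = 70
_SUSPICIOUS_MIN = 50
_SPAM_MIN = 30

# NOTE(review): the "Spam" and "Safe" labels read as mis-encoded text (they
# look like mojibake of an envelope / check-mark emoji, in the style of the
# other two labels). They are kept byte-for-byte here because the attack-type
# logic compares against them and callers may too; fix them at the source and
# re-check every comparison at the same time.
_VERDICT_MALICIOUS = "🚨 Malicious"
_VERDICT_SUSPICIOUS = "⚠️ Suspicious"
_VERDICT_SPAM = "πŸ“© Spam"
_VERDICT_SAFE = "βœ… Safe"

# (trigger substrings, tag label): a finding containing any trigger gets the tag.
_TAG_RULES = (
    (("domain",), "Suspicious Sender Domain"),
    (("phishing", "malicious url", "urlhaus"), "Phishing / Malicious URL"),
    (("urgent", "suspicious phrase"), "Urgent Language"),
    (("spam", "marketing"), "Spam Tone"),
    (("spf", "dkim", "dmarc"), "Auth Failures (SPF/DKIM/DMARC)"),
)


def _combined_score(header_score, body_score, url_score):
    """Combine the three analyzer scores into one value clamped to [0, 100].

    A missing (None) score counts as 0. Only the URL score is weighted (x1.5):
    the multiplication binds tighter than the additions, so the header and
    body scores enter unweighted. A total that cannot be converted to a float
    collapses to 0.0 instead of aborting the analysis.
    """
    raw = (header_score or 0) + (body_score or 0) + (url_score or 0) * 1.5
    try:
        score = float(raw)
    except (TypeError, ValueError, OverflowError):
        score = 0.0
    return max(0.0, min(score, 100.0))


def _verdict_for(score):
    """Map a clamped score to its verdict label (bands are half-open)."""
    if score >= _MALICIOUS_MIN:
        return _VERDICT_MALICIOUS
    if score >= _SUSPICIOUS_MIN:
        return _VERDICT_SUSPICIOUS
    if score >= _SPAM_MIN:
        return _VERDICT_SPAM
    return _VERDICT_SAFE


def _attack_type(body_lower, header_findings, body_findings, verdict):
    """Pick a coarse attack category.

    Body keywords take precedence over header/body findings; the benign label
    is only used when nothing matched and the verdict is the safe band, and
    everything else falls back to "General Phishing".
    """
    if any(word in body_lower for word in _PAYMENT_FRAUD_WORDS):
        return "Invoice/Payment Fraud (BEC)"
    if any(word in body_lower for word in _CREDENTIAL_WORDS):
        return "Credential Harvesting (Phishing)"
    if any("reply-to mismatch" in f.lower() for f in header_findings):
        return "Business Email Compromise (BEC)"
    if any("spam" in f.lower() for f in body_findings):
        return "Spam / Marketing"
    if verdict == _VERDICT_SAFE:
        return "Benign / Normal Email"
    return "General Phishing"


def _collect_tags(findings):
    """Return the set of tag labels triggered by any of the finding strings."""
    tags = set()
    for finding in findings:
        lowered = finding.lower()
        for triggers, label in _TAG_RULES:
            if any(t in lowered for t in triggers):
                tags.add(label)
    return tags


def analyze(file_path):
    """Run the full header / body / URL pipeline over one email file.

    Args:
        file_path: path handed to ``parse_email``; a falsy value is passed
            on as ``""`` (whatever ``parse_email`` does with that is up to it).

    Returns:
        ``(summary, details)``. ``summary`` holds the verdict label, attack
        type, integer score and a comma-joined tag string; ``details`` holds
        the per-analyzer finding lists plus the highlighted body.
    """
    headers, body, urls = parse_email(file_path or "")

    header_findings, header_score = analyze_headers(headers or {})
    # The body verdict is not used by this scoring; the 4-tuple is unpacked
    # only to keep the analyzer's return shape explicit.
    body_findings, body_score, highlighted_body, _body_verdict = analyze_body(body or "")
    url_findings, url_score = analyze_urls(urls or [])

    # Normalise the finding lists once, up front: the attack-type and tag
    # passes iterate/concatenate them and would raise TypeError on a None
    # result from an analyzer (the output dict already coerced with `or []`).
    header_findings = header_findings or []
    body_findings = body_findings or []
    url_findings = url_findings or []

    total_score = _combined_score(header_score, body_score, url_score)
    # Verdict bands use the unrounded value; the reported score is rounded.
    verdict = _verdict_for(total_score)

    # Keyword matching runs on the raw (untrusted) message text; it only
    # drives the label below and nothing is executed or rendered from it here.
    body_lower = (body or "").lower()
    attack_type = _attack_type(body_lower, header_findings, body_findings, verdict)

    tags = _collect_tags([*header_findings, *body_findings, *url_findings])

    summary = {
        "Final Verdict": verdict,
        "Attack Type": attack_type,
        "Attack Score": round(total_score),
        "Main Tags": ", ".join(sorted(tags)) if tags else "No special tags",
    }
    details = {
        "Header Findings": header_findings,
        "Body Findings": body_findings,
        "URL Findings": url_findings,
        # NOTE(review): passed through exactly as analyze_body produced it; if
        # a UI renders this as HTML, escaping has to happen there — not
        # verified from this file.
        "Highlighted Body": highlighted_body or "",
    }
    return summary, details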