About PhishGuard
Professional phishing detection platform.
Platform Overview
PhishGuard is an open-source, self-hosted phishing detection platform designed for security teams, SOC analysts, and security-aware individuals. It provides deep analysis of URLs and email messages to identify phishing threats before they cause harm.
All analysis is performed locally using heuristic and rule-based engines. External threat intelligence integrations (VirusTotal, Google Safe Browsing) are optional and require API keys.
URL Detection Checks (18+)
[CRITICAL] IP Address in URL: Detects raw IP addresses used instead of domain names
[CRITICAL] Punycode / Homograph: Detects IDN homograph attacks using look-alike characters
[CRITICAL] Brand in Subdomain: Detects brand names placed in subdomains to trick users
[CRITICAL] Brand Impersonation: Identifies typosquatted domains impersonating known brands
[HIGH] Suspicious TLD: Flags TLDs commonly associated with phishing campaigns
[HIGH] @ Symbol in URL: Detects redirect tricks using the @ character
[HIGH] URL Encoding Obfuscation: Detects hex-encoded obfuscation in URLs
[HIGH] SSL Certificate: Verifies SSL certificate validity and expiry
[MEDIUM] URL Length: Flags unusually long URLs
[MEDIUM] Suspicious Keywords: Detects brand names and urgency words in the URL
[MEDIUM] Subdomain Depth: Flags excessive subdomain nesting
[MEDIUM] Dash in Domain: Detects multiple dashes used to fake brand names
[MEDIUM] URL Shortener: Identifies URL shortener services
[MEDIUM] HTTPS: Checks for encrypted connection
[MEDIUM] Non-Standard Port: Flags unusual port numbers
[MEDIUM] Digit Ratio: Detects high proportion of digits in domain
[MEDIUM] Domain Entropy: Flags high-entropy (randomly generated) domains
[LOW] Open Redirect Params: Detects open redirect parameter names
Email Detection Checks (16)
[CRITICAL] Dangerous Attachments: Detects executable and script file attachments
[CRITICAL] Credential Request: Detects requests for passwords, PINs, and financial data
[CRITICAL] Deceptive Display Name: Identifies display name spoofing of trusted brands
[CRITICAL] Deceptive Link Text: Finds links where text and href point to different domains
[HIGH] From / Reply-To Mismatch: Detects domain mismatch between sender and reply address
[HIGH] SPF Authentication: Checks SPF email authentication result
[HIGH] DKIM Signature: Checks DKIM email integrity signature
[HIGH] DMARC Policy: Checks DMARC domain alignment policy
[HIGH] Suspicious Links: Scans embedded links for risky TLDs and shorteners
[MEDIUM] Free Email Provider: Flags businesses using free email domains
[MEDIUM] Urgency / Fear Language: Detects urgency and pressure language
[MEDIUM] HTML Obfuscation: Identifies hidden HTML and obfuscation techniques
[MEDIUM] Message-ID Domain: Verifies Message-ID domain matches sender domain
[LOW] Mail Relay Chain: Checks for excessively long mail relay chains
[LOW] Generic Greeting: Detects non-personalized greetings
[LOW] Spelling & Grammar: Identifies common spelling errors
Risk Levels
SAFE (score 0–19): No significant indicators detected
LOW (score 20–39): Minor indicators, likely benign
MEDIUM (score 40–59): Several indicators; investigate
HIGH (score 60–79): Strong phishing signals; avoid
CRITICAL (score 80–100): Almost certainly phishing
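How a handful of the URL checks listed above could feed the score bands, as an added example that is not PhishGuard's own code. The per-severity weights, the digit-ratio and entropy thresholds, the naive "second label from the right" domain pick, and the sample URLs in the usage note are all assumptions made for illustration; only the check names, severities and score bands come from this page.

```python
import ipaddress, math
from collections import Counter
from urllib.parse import urlsplit

# ASSUMPTION: per-severity weights and both thresholds are invented for this example.
WEIGHTS = {"CRITICAL": 40, "HIGH": 25, "MEDIUM": 10}
DIGIT_RATIO_MAX, ENTROPY_MAX = 0.3, 3.5
# Score bands exactly as listed under "Risk Levels".
BANDS = [(80, "CRITICAL"), (60, "HIGH"), (40, "MEDIUM"), (20, "LOW"), (0, "SAFE")]

def risk_level(score):
    return next(name for floor, name in BANDS if score >= floor)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def scan_url(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port is treated as non-standard
    hits = []
    if is_ip(host):
        hits.append(("CRITICAL", "IP Address in URL"))
    if any(label.startswith("xn--") for label in host.split(".")):
        hits.append(("CRITICAL", "Punycode / Homograph"))
    if "@" in parts.netloc:
        hits.append(("HIGH", "@ Symbol in URL"))
    if parts.scheme != "https":
        hits.append(("MEDIUM", "HTTPS"))
    if port not in (None, 80, 443):
        hits.append(("MEDIUM", "Non-Standard Port"))
    labels = host.split(".")
    # Naive registrable label (no public-suffix list): second label from the right.
    name = labels[-2] if len(labels) > 1 else host
    if name and not is_ip(host):
        if sum(c.isdigit() for c in name) / len(name) > DIGIT_RATIO_MAX:
            hits.append(("MEDIUM", "Digit Ratio"))
        if len(name) >= 10 and entropy(name) > ENTROPY_MAX:
            hits.append(("MEDIUM", "Domain Entropy"))
    score = min(100, sum(WEIGHTS[sev] for sev, _ in hits))
    return {"score": score, "level": risk_level(score), "findings": [n for _, n in hits]}
```

With these assumed weights, the constructed URL http://192.168.1.10:8080/login scores 60 (HIGH), and https://www.example.com/login scores 0 (SAFE).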
REST API
JSON API for integrating PhishGuard into your workflows.
POST /api/scan/url: Analyze a URL
POST /api/scan/email: Analyze an email
GET /api/stats: Get scan statistics
GET /api/history: Get scan history (paginated)
GET /api/report/:id: Get a specific scan report
URL scan body: {"url": "https://…"}
Email scan body: {"email": "raw email text"}
Optional Integrations
Set these in your .env file to enable:
VirusTotal
Checks URLs against 70+ security engines.
VIRUSTOTAL_API_KEY=your_key
Google Safe Browsing
Real-time URL safety check used by Chrome.
GOOGLE_SAFE_BROWSING_API_KEY=your_key