I Asked 5 AI Tools to Review the Same Phishing Email — The Results Were Alarming
I've been arguing for months that AI-powered phishing detection is overhyped. Vendors love showing demos where AI catches an obviously suspicious email. But what happens when you throw a well-crafted, targeted phishing email at multiple AI tools and compare the results?
I decided to find out.
The Test Email
I crafted a realistic phishing email — no actual malicious payload, obviously, but incorporating the techniques I see in real targeted campaigns. Here are the characteristics:
- Sender: A spoofed "no-reply" address from a domain that was one character off from a real vendor (think microsofft.com style, but for a SaaS vendor our target org actually uses)
- Subject: "Action required: Your SSO certificate expires in 48 hours"
- Body: Professional formatting mimicking the real vendor's email template. Referenced real product features. Included a legitimate-looking "renew certificate" button with an obfuscated URL using a URL shortener that redirected through a legitimate cloud service
- Social engineering: Created urgency (48-hour deadline), referenced a real technical process (SSO certificate renewal is a thing), and targeted IT staff specifically (who would be the ones handling certificate renewals)
- Headers: SPF soft fail (which is common for legitimate SaaS notifications too), no DKIM signature, valid-looking reply-to that differed from the sender
This is a well-crafted spearphish. Not the "Nigerian prince" level stuff that any filter catches. The kind of thing that actually lands in inboxes at mature organizations.
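The header anomalies described above can be checked mechanically. Here's a minimal sketch using only Python's standard library — the header names (`Authentication-Results`, `DKIM-Signature`, `Reply-To`) are real, but the sample message and domains are invented for illustration:

```python
# Sketch of the header checks described above, standard library only.
# The sample domains below are hypothetical.
from email import message_from_string

def header_anomalies(raw: str) -> list[str]:
    """Return a list of header red flags found in a raw email message."""
    msg = message_from_string(raw)
    flags = []

    # SPF results are commonly surfaced in Authentication-Results.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=softfail" in auth or "spf=fail" in auth:
        flags.append("SPF did not pass")

    # A missing DKIM signature on a vendor notification is suspicious.
    if msg.get("DKIM-Signature") is None:
        flags.append("no DKIM signature")

    # Reply-To pointing at a different domain than From is a classic tell.
    def domain(addr: str) -> str:
        return addr.split("@")[-1].strip(">").lower()

    frm, reply_to = msg.get("From", ""), msg.get("Reply-To", "")
    if reply_to and domain(reply_to) != domain(frm):
        flags.append("Reply-To domain differs from From domain")

    return flags

raw = (
    "From: no-reply@vendorr-sso.com\n"          # hypothetical lookalike
    "Reply-To: support@collector-mail.net\n"
    "Authentication-Results: mx.example.com; spf=softfail\n"
    "Subject: Action required: Your SSO certificate expires in 48 hours\n"
    "\n"
    "Renew now."
)
print(header_anomalies(raw))
```

All three checks fire on the sample message — which is exactly the combination the test email carried.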
The Five AI Approaches
I tested five different approaches to AI-powered email analysis. I'm categorizing by approach rather than naming specific products, because the approach matters more than the vendor.
- Tool A: A general-purpose LLM (ChatGPT) with a simple prompt: "Analyze this email for phishing indicators"
- Tool B: A general-purpose LLM (Claude) with a detailed security analyst prompt including specific indicators to check
- Tool C: A purpose-built AI email security gateway that sits inline with mail delivery
- Tool D: An AI-powered phishing simulation platform's analysis engine
- Tool E: A SOAR platform's AI enrichment module for email analysis
The Results
| Check | Tool A | Tool B | Tool C | Tool D | Tool E |
|---|---|---|---|---|---|
| Identified as phishing | Yes | Yes | No | Yes | Uncertain |
| Caught domain spoofing | Yes | Yes | Yes | Yes | Yes |
| Caught URL obfuscation | No | Yes | No | No | Yes |
| Identified social engineering | Partial | Yes | No | Yes | No |
| Flagged header anomalies | No | Yes | Yes | No | Yes |
| False claims made | 1 | 0 | 0 | 2 | 0 |
| Confidence score | High | High | Low risk | High | Medium |
| Overall accuracy | 5/10 | 9/10 | 4/10 | 6/10 | 7/10 |
The Deep Dive
Tool A: The Casual LLM
ChatGPT with a basic prompt caught the domain spoofing — that was easy — and correctly identified the email as phishing. But it missed the URL obfuscation entirely. It looked at the visible link text and assessed it as legitimate. It noted the urgency as "potentially concerning" but didn't connect it to a social engineering tactic. And it made one false claim: it said the email contained a "suspicious attachment" when there was no attachment at all. The AI hallucinated a threat that didn't exist.
That hallucination is not harmless. In a real analysis workflow, a false claim about a malicious attachment could send an analyst down a rabbit hole investigating something that doesn't exist, wasting time during an active phishing response.
Tool B: The Prompted LLM
Claude with a detailed prompt performed significantly better. The prompt specified: check SPF/DKIM/DMARC alignment, examine all URLs including redirect chains, identify social engineering techniques, compare sender domain to known legitimate domains, and flag any header inconsistencies. With that guidance, it caught almost everything. It identified the URL shortener as an obfuscation technique, noted the urgency plus authority combination as a social engineering pattern, and correctly flagged the SPF soft fail plus missing DKIM as suspicious.
The lesson here is stark: the quality of AI email analysis is directly proportional to the quality of the prompt. Same underlying technology, dramatically different results based on how you ask.
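A structured analyst prompt of the kind described above can be as simple as a template string. The checklist mirrors what Tool B was given; the exact wording here is illustrative, not the prompt I used:

```python
# Illustrative analyst prompt template; the checklist mirrors the items
# described above. How you send it (API, chat UI) is up to your stack.
ANALYST_PROMPT = """You are an email security analyst. Analyze the email below.
Check, explicitly and in order:
1. SPF/DKIM/DMARC alignment between envelope and header domains.
2. Every URL, including shorteners and full redirect chains.
3. Social engineering techniques (urgency, authority, impersonation).
4. The sender domain compared against known legitimate vendor domains.
5. Header inconsistencies (Reply-To vs From, missing signatures).
Report only indicators you can ground in the email itself; say
"not observed" rather than guessing. Email follows:

{email_body}
"""

def build_prompt(email_body: str) -> str:
    return ANALYST_PROMPT.format(email_body=email_body)
```

Note the last instruction: telling the model to say "not observed" rather than guess is a cheap hedge against exactly the hallucination problem Tool A showed.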
Tool C: The AI Email Gateway
This was the most alarming result. It's a commercial product that organizations pay significant money for, marketed as AI-powered phishing protection. And it let the email through with a "low risk" score. It caught the domain lookalike — logged it as a note — but didn't weigh it heavily enough to trip the blocking threshold. It missed the URL obfuscation entirely. And it didn't analyze the social engineering content at all.
Why? My theory: inline email gateways optimize for speed and false-positive avoidance. They'd rather let a suspicious email through than block a legitimate one, because blocked legitimate emails generate help desk tickets and angry users. That's a rational engineering decision. But it means the "AI-powered" label is doing less work than you think.
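For reference, the lookalike check the gateway logged is cheap to implement: a sender domain within a character or two of a known vendor domain, without being equal to it, is a strong spoofing signal. A minimal sketch (the example domains are the illustrative ones from earlier, not real infrastructure):

```python
# Minimal lookalike-domain check: a domain within edit distance 1-2 of a
# known legitimate domain (but not equal) is a strong spoofing signal.
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        curr = [i]
        for j, cb in enumerate(b, 1):
            curr.append(min(prev[j] + 1,                 # deletion
                            curr[j - 1] + 1,             # insertion
                            prev[j - 1] + (ca != cb)))   # substitution
        prev = curr
    return prev[-1]

def lookalike(sender_domain: str, known: list[str], max_dist: int = 2):
    """Return the legitimate domain being spoofed, or None."""
    for legit in known:
        d = edit_distance(sender_domain, legit)
        if 0 < d <= max_dist:
            return legit
    return None

# An extra character is distance 1 from the real domain.
print(lookalike("microsofft.com", ["microsoft.com", "github.com"]))
```

If a ten-line function can flag the spoof, a "low risk" verdict from a paid gateway suggests the signal was scored, not ignored — which is the thresholding problem, not a detection problem.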
Tool D: The Phishing Platform
Tool D was good at recognizing the phishing pattern because that's literally what it's trained on — it runs phishing simulations, so it knows what phishing looks like. It caught the social engineering, identified the urgency tactic, and flagged the email as high-confidence phishing. But it missed the URL obfuscation (it only checked the visible URL, not the redirect chain), and it made two false claims: it stated the email used a homoglyph attack (it didn't — it was a simple extra character), and it claimed the sender IP was on a known blocklist (it wasn't — I checked).
Tool E: The SOAR Module
The most methodical analysis. It checked headers systematically, resolved the URL redirect chain, and identified the SPF/DKIM issues. But it classified the result as "medium confidence" and "uncertain" on the phishing determination. It presented the evidence without making a strong judgment. Analytically, that's honest — the evidence was suggestive but not conclusive without the redirect chain endpoint being known-malicious. Practically, a "medium/uncertain" result in a SOC queue is going to get deprioritized behind the 50 "high confidence" alerts ahead of it.
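Resolving a redirect chain, as the SOAR module did, is mechanically simple. The sketch below separates the chain-following logic from the actual HTTP fetch (injected as a callable) so it can be shown offline — in production you'd back it with a HEAD request via `urllib` or `requests`. All URLs are hypothetical:

```python
# Follows a redirect chain rather than trusting the visible URL. The
# fetch is injected as a callable returning (status_code, location) so
# the logic runs offline here; URLs are hypothetical stand-ins for the
# shortener -> cloud service -> endpoint chain described above.
from typing import Callable, Optional

def resolve_chain(url: str,
                  fetch: Callable[[str], tuple[int, Optional[str]]],
                  max_hops: int = 10) -> list[str]:
    """Return the full chain of URLs from visible link to final endpoint."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = location
        chain.append(url)
    raise RuntimeError("redirect loop or chain longer than max_hops")

hops = {
    "https://short.example/x1": (302, "https://storage.cloud.example/r"),
    "https://storage.cloud.example/r": (302, "https://renew-sso.example/login"),
    "https://renew-sso.example/login": (200, None),
}
chain = resolve_chain("https://short.example/x1", lambda u: hops[u])
print(chain[-1])  # the real endpoint, not the visible shortener
```

This is the step Tools A, C, and D all skipped — and it's the difference between judging the visible link text and judging where the click actually lands.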
What This Means for Your Email Security
Five AI approaches. Accuracy scores ranging from 4/10 to 9/10. Two tools that hallucinated threats that didn't exist. One commercial product that let the phishing email through entirely. And the best performer was a general-purpose AI with a good prompt — not a purpose-built security product.
Here's what I take from this:
- AI email security is not a solved problem. If vendors tell you their AI catches "99% of phishing," ask them what kind of phishing. Bulk campaigns with known indicators? Sure. Targeted spearphishing with novel infrastructure? Not reliably.
- Prompt engineering matters more than the model. The gap between Tool A and Tool B was the prompt, not the AI. If you're using AI for email analysis, invest time in your prompts. Define exactly what you want checked.
- Hallucinations in security analysis are dangerous. An AI that confidently reports a threat that doesn't exist can waste analyst time and erode trust in the tool. This isn't a minor issue.
- Defense in depth still applies. No single AI tool should be your only phishing defense. Layer them: gateway filtering, AI analysis, user reporting, and — critically — user security awareness training. The human who pauses before clicking the "renew certificate" button is still your best last line of defense.
- Test your tools with realistic scenarios. Run tests like this against your own email security stack. Use realistic, sophisticated test cases, not obvious spam. If your tools can't catch a well-crafted spearphish, you need to know that before a real attacker finds out for you.
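The layering point above can be made concrete: combine independent verdicts so that no single tool's miss is fatal. The signal names and weights below are invented purely for illustration:

```python
# Toy illustration of layered verdicts: independent signals vote, and
# the email is escalated if the combined score crosses a threshold.
# Signal names and weights are invented for illustration only.
def layered_verdict(signals: dict[str, bool],
                    weights: dict[str, float],
                    threshold: float = 0.5) -> str:
    score = sum(weights[name] for name, hit in signals.items() if hit)
    return "escalate" if score >= threshold else "deliver"

weights = {
    "gateway_flag": 0.3,   # inline gateway verdict
    "llm_analysis": 0.4,   # prompted LLM analysis
    "user_report": 0.5,    # a human reported it
}

# The test email's scenario: the gateway missed it, but the prompted
# LLM caught it and a user reported it -- layering still escalates.
print(layered_verdict(
    {"gateway_flag": False, "llm_analysis": True, "user_report": True},
    weights))
```

Note that the user report carries the highest weight here — consistent with the point that the human who pauses before clicking is still the best last line of defense.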
AI will get better at this. The tools will improve. But right now, in early 2026, AI-powered email security is a useful layer — not a reliable shield. Plan accordingly.