User-Centric Phishing Detection: A RAG and LLM-Based Approach

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The escalating sophistication of phishing emails necessitates a shift beyond traditional rule-based and conventional machine-learning-based detectors. Although large language models (LLMs) offer strong natural language understanding, using them as standalone classifiers often yields elevated false-positive (FP) rates, which mislabel legitimate emails as phishing and create significant operational burden. This paper presents a personalized phishing detection framework that integrates LLMs with retrieval-augmented generation (RAG). For each message, the system constructs user-specific context by retrieving a compact set of the user’s historical legitimate emails and enriching it with real-time domain and URL reputation from a cyber-threat intelligence platform, then conditions the LLM’s decision on this evidence. We evaluate four open-source LLMs (Llama4-Scout, DeepSeek-R1, Mistral-Saba, and Gemma2) on an email dataset collected from public and institutional sources. Results show high performance; for example, Llama4-Scout attains an F1-score of 0.9703 and achieves a 66.7% reduction in FPs with RAG. These findings validate that a RAG-based, user-profiling approach is both feasible and effective for building high-precision, low-friction email security systems that adapt to individual communication patterns.


💡 Research Summary

The paper addresses the growing inadequacy of traditional rule‑based and conventional machine‑learning phishing detectors, which struggle with sophisticated social‑engineering attacks and suffer from high false‑positive (FP) rates that burden users and security teams. To overcome these limitations, the authors propose a user‑centric Retrieval‑Augmented Generation (RAG) framework that enriches large language models (LLMs) with two sources of contextual evidence: (1) a personalized corpus of the user’s historical legitimate emails and (2) real‑time threat‑intelligence data (domain and URL reputation) obtained from a multi‑engine service such as VirusTotal.

The system consists of six stages. First, raw emails are decoded, normalized, and validated, retaining only subject, sender, and body fields. Second, each cleaned email is embedded using the all‑MiniLM‑L6‑v2 model (384‑dimensional vectors), L2‑normalized, and indexed in a FAISS vector database optimized for approximate nearest‑neighbor search. Third, the threat‑intelligence module extracts sender domains and URLs from the incoming email and queries up to 75 scanning engines, aggregating scores for harm, suspicion, and reputation. Fourth, when a new email arrives, its embedding is computed and the top‑k (k=5) most similar historical emails are retrieved via cosine similarity search. Fifth, a structured prompt is constructed that includes: a role assignment (“cybersecurity expert specialized in phishing detection”), the email content, the retrieved historical examples, the aggregated threat‑intelligence summary, and a JSON schema that forces the LLM to output a classification decision, phishing score (0‑10), risk level, identified social‑engineering tactics, recommended mitigations, and a brief natural‑language rationale. Sixth, the LLM is invoked through the Groq API with a low temperature (0.2) for deterministic responses; the JSON output is automatically parsed and validated, and any malformed response triggers a retry.
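The sixth stage (parse, validate, retry) as an added example, not code from the paper. The key names, the allowed label and risk values, the retry limit, and the `fake_llm` stand-in for the Groq call are assumptions; the summary lists the output fields but not their exact keys.

```python
import json

# Key names and allowed values are assumptions for this sketch; the summary
# names the output fields but not their exact keys or enumerations.
ALLOWED_LABELS = {"phishing", "legitimate"}
ALLOWED_RISK = {"low", "medium", "high"}

def validate_verdict(raw: str) -> dict:
    """Parse one LLM reply and enforce the schema; raise ValueError if malformed."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("top-level value must be an object")
    if data.get("classification") not in ALLOWED_LABELS:
        raise ValueError("bad classification")
    score = data.get("phishing_score")
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
        raise ValueError("phishing_score must be a number in 0..10")
    if data.get("risk_level") not in ALLOWED_RISK:
        raise ValueError("bad risk_level")
    for key in ("tactics", "mitigations"):
        items = data.get(key)
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError(f"{key} must be a list of strings")
    if not isinstance(data.get("rationale"), str) or not data["rationale"].strip():
        raise ValueError("rationale must be a non-empty string")
    return data

def classify_with_retry(call_llm, prompt: str, max_attempts: int = 3) -> dict:
    """Call the model until a reply passes validation, then return it."""
    errors = []
    for _ in range(max_attempts):
        try:
            return validate_verdict(call_llm(prompt))
        except ValueError as exc:
            errors.append(str(exc))
    raise RuntimeError(f"no valid verdict after {max_attempts} attempts: {errors}")

# Constructed stand-in for the model: first reply is malformed, second is valid.
SAMPLE_REPLIES = iter([
    "Sure! Here is the JSON: {classification: phishing}",
    json.dumps({"classification": "phishing", "phishing_score": 9, "risk_level": "high",
                "tactics": ["urgency"], "mitigations": ["do not click the link"],
                "rationale": "Sender domain flagged; no similar prior mail."}),
])
def fake_llm(prompt: str) -> str:
    return next(SAMPLE_REPLIES)
```

Raising after the last failed attempt, rather than defaulting to either label, leaves the handling of an unclassifiable message to the caller.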

Four open‑source LLMs are evaluated to demonstrate the approach’s generality: Llama4‑Scout (17 B parameters, sparse MoE, 131 k token window), DeepSeek‑R1 (70 B, dense, 128 k), Mistral‑Saba (24 B, dense, 32 k), and Gemma2‑9B (9 B, dense, 8 k). All models receive identical prompts and inference settings.

The experimental dataset comprises 500 emails (250 legitimate, 250 phishing). Legitimate messages are sourced from consenting users’ personal and institutional mailboxes via read‑only IMAP; phishing samples come from public repositories and internal security feeds. Emails are sanitized: HTML stripped, footers and quoted replies pruned, personal identifiers anonymized, and near‑duplicate messages removed.

Results show that adding RAG dramatically reduces false positives across all models. Without RAG, the average FP rate is about 12 %; with RAG, it drops by an average of 66.7 %. Llama4‑Scout achieves the best performance: F1 = 0.9703, FP reduced from 4 % to 1.33 % (66.7 % reduction). Larger models also improve but the gains are modest, indicating that personalized context is the primary driver rather than sheer model size. Precision, recall, and overall accuracy remain high, confirming that the reduction in FP does not come at the cost of missed phishing detections.

The authors highlight several contributions: (1) a novel RAG‑enhanced architecture that fuses user‑specific email history with live threat intelligence, (2) a systematic evaluation methodology for multiple open‑source LLMs in both standalone and RAG‑augmented configurations, and (3) empirical evidence that personalization scales effectively from 9 B to 70 B parameter models.

Limitations include the modest dataset size, which may not capture the full diversity of enterprise email traffic, and the unquantified latency and cost of external threat‑intelligence API calls in a production setting. Future work is proposed to (a) test the framework on large‑scale corporate mail logs, (b) extend detection to multimodal phishing content such as images and attachments, and (c) incorporate privacy‑preserving techniques like federated learning and differential privacy to enable model updates without exposing raw user emails.

In conclusion, the user‑centric RAG‑LLM approach demonstrates that enriching LLMs with personalized historical context and up‑to‑date threat data can substantially lower false‑positive rates while maintaining or improving detection accuracy. This paves the way for next‑generation email security solutions that are both high‑precision and low‑friction, adapting dynamically to individual communication patterns without sacrificing operational efficiency.

