PhishIntentionLLM: Phishing Intent Analysis
- PhishIntentionLLM is an intent-aware framework where LLMs detect phishing and discern attacker objectives using multi-agent and retrieval-augmented techniques.
- The system integrates diverse architectures—debate-driven reasoning, structured output, and personalized retrieval—to enhance precision and explainability.
- Empirical results show that multi-agent frameworks improve precision, recall, and F1 scores while bolstering resilience against adversarial attacks.
PhishIntentionLLM denotes an intent-centric research direction in which LLMs are used not only to decide whether content is phishing, but also to infer the attacker’s operative objective and provide structured analyst-facing evidence. In the narrow sense, it is the name of a multi-agent retrieval-augmented generation framework for phishing website screenshots that classifies four phishing intentions from visual evidence. In a broader adjacent literature, the same label is used as a design pattern for email- and website-oriented systems that combine LLM reasoning, debate, retrieval, explainability, and context grounding to move beyond binary phishing detection toward intention-aware analysis (Li et al., 21 Jul 2025).
1. Conceptual scope and definitions
PhishIntentionLLM departs from conventional phishing detection by treating “intent” as a first-class target. In the website setting, the explicit intention taxonomy comprises Credential Theft, Financial Fraud, Malware Distribution, and Personal Information Harvesting, and the task is multi-label because a single phishing page may simultaneously solicit credentials and broader personal data (Li et al., 21 Jul 2025). In the email setting, one influential formulation instead operationalizes intent by delivery vector: after deciding whether an email is malicious, the model assigns “Phishing via Link,” “Phishing via Attachment,” “Phishing via Service,” or “Other,” thereby mapping inbox-visible text to the attacker’s primary inducement mechanism (Eilertsen et al., 17 Jun 2025).
A related but finer-grained view decomposes phishing into manipulation techniques rather than end goals. In that formulation, phishing emails are annotated with 40 psychological manipulation techniques in a multi-label regime, including Baiting, Curiosity Appeal, Request For Minor Favor, Authority, Threatening, Time Pressure, and Semantic Attack. The resulting perspective is complementary rather than contradictory: attacker intention can be modeled at the level of the desired victim action, the delivery vector, or the persuasion technique used to induce compliance (Dalmiere et al., 26 Jun 2025).
This diversity of definitions implies that PhishIntentionLLM is best understood as a family of intent-aware phishing-analysis systems rather than a single fixed architecture. A plausible implication is that the field is converging on a layered interpretation of phishing content in which binary maliciousness, operational objective, and persuasion strategy are separable but interacting analytical targets.
2. Email-centric architectures and reasoning patterns
One prominent email-oriented instantiation is debate-driven multi-agent detection. In that design, the email text is analyzed by two debaters—Agent+ arguing that the message is phishing and Agent− arguing that it is legitimate—followed by a judge agent that consumes four arguments across two rounds and outputs a binary verdict with a rationale , formalized as (Nguyen et al., 27 Mar 2025). The core claim is that structured adversarial reasoning reduces single-agent confirmation bias, especially for emails that are superficially legitimate but contain mismatched domains, unusual credential requests, or context misalignment.
A second architecture grounds decisions in structured outputs rather than open-ended narratives. In one zero-shot email system, the LLM receives subject, sender, body, and URLs and must emit a JSON object containing Is_Phishing, Risk, Social_Engineering_Elements, Actions, and Reason. The intent-centric component lies in surfacing social-engineering cues and recommended actions rather than returning only a class label (Lee, 7 Feb 2025). This style of interface is operationally significant because it embeds triage-ready evidence directly into the classification pipeline.
A third line of work places the user’s historical communications at the center of the inference process. Instead of asking whether an email is globally suspicious, the detector retrieves a compact set of the user’s historical legitimate emails, adds real-time domain and URL reputation, and conditions the LLM on this personalized evidence. The LLM then returns a structured decision, phishing score, risk level, social-engineering elements, recommended actions, and a brief reason (Barwani et al., 29 Jan 2026). This shifts the decision problem from generic phishing classification toward context-sensitive deviation detection.
Across these variants, the recurrent motif is that phishing intent is rarely inferred from one signal alone. The systems differ in orchestration—debate, structured prompting, retrieval conditioning—but all treat contextual reasoning, not merely lexical pattern matching, as the decisive mechanism.
3. PhishIntentionLLM as a website-intention framework
As a proper system name, PhishIntentionLLM refers to a multi-agent RAG framework for phishing website screenshots. Its pipeline is hierarchical. A Vision Analysis Agent extracts textual and interface cues from the screenshot. A Context Enrichment Agent augments those cues using a Basic Threat Pattern Repository. A Classification Agent proposes the top intention hypotheses. Four specialist agents—Credential Theft, Financial Fraud, Malware Distribution, and Personal Information—then conduct category-specific analysis. A Validation Agent reconciles their outputs into final labels, confidence, and evidence chains (Li et al., 21 Jul 2025).
The framework formalizes its knowledge sources as
for common phishing patterns, visual deception techniques, and text-based manipulation patterns, and
for category-specific features, targets, specialized techniques, and distinctive indicators. This decomposition is important because it separates general phishing priors from class-specific cues such as login-form structure for Credential Theft or payment-flow artifacts for Financial Fraud (Li et al., 21 Jul 2025).
The ground-truth dataset contains 2,063 phishing website screenshots drawn from public datasets, with class counts of 1,696 for Credential Theft, 408 for Personal Information Harvesting, 222 for Financial Fraud, and 68 for Malware Distribution. Intention multiplicity is nontrivial: 1,757 samples have one intention, 281 have two, and 25 have three. On this benchmark, GPT-4o reaches a micro-precision of 0.7895, while Gemini 2.0 attains the highest reported micro-F1 of 0.8371 and accuracy of 0.8987 within the same framework. Relative to a single-agent baseline under Gemini 2.0, the multi-agent formulation improves micro-precision from 0.4014 to 0.7843, micro-recall from 0.6341 to 0.8976, and micro-F1 from 0.4916 to 0.8371. On credential theft, the framework reports precision 0.8545, described as an approximately 4% improvement over prior work (Li et al., 21 Jul 2025).
The same work also uses GPT-4o to annotate a larger corpus of roughly 9K samples for phishing intention profiling across sectors. This suggests that multi-agent intention recognition is being positioned not only as a detection aid but also as an intelligence-generation mechanism for campaign analysis and sectoral threat characterization.
4. Retrieval, personalization, and memory as intent-grounding mechanisms
Retrieval is a central mechanism in PhishIntentionLLM-style systems, but different papers use it for different kinds of grounding. In the user-centric email setting, each incoming message is embedded with all-MiniLM-L6-v2 at dimension , L2-normalized, indexed in FAISS, and matched against the user’s historical legitimate emails using cosine similarity. The system retrieves top- examples, extracts sender domain and URLs from the query email, queries VirusTotal across 75 engines, and conditions the LLM on the combined evidence. With this RAG conditioning, Llama4-Scout improves from F1 0.9333 to 0.9703 and reduces FPR from 0.1200 to 0.0400, a 66.7% reduction in false positives (Barwani et al., 29 Jan 2026).
A different retrieval design appears in AdaPhish, where phishing analysis is coupled with privacy-preserving anonymization and a vector database. Anonymized email text is embedded using text-embedding-3-small at 1,536 dimensions and stored in Chroma. The system retrieves nearest neighbors and computes a reciprocal-distance weighted label estimate
followed by a confidence decay term
0
and an adaptive ensemble with a GPT analyzer. The best ensemble result reported is Accuracy 98.41%, Precision 99.60%, and Recall 97.22% (Meguro et al., 5 Feb 2025).
The website-intention PhishIntentionLLM also uses retrieval, but not for user personalization. Its RAG layer draws from phishing-specific knowledge repositories rather than personal inbox history. The contrast is revealing: user-centric RAG asks whether the email fits the recipient’s normal communication pattern, whereas intention-oriented website RAG asks which phishing objective is most consistent with the observed visual and textual artifacts (Li et al., 21 Jul 2025).
These designs collectively indicate that “retrieval” in this literature is not a single technique but a family of grounding strategies. It may represent user history, curated security knowledge, prior phishing cases, or threat-intelligence context. The common function is to constrain LLM inference with externally anchored evidence.
5. Evaluation, explainability, and empirical trade-offs
Empirically, multi-agent reasoning can substantially improve email classification. In the debate-driven system, mixed-agent configurations consistently outperform homogeneous ones across UoT, Ling, Nazario_5, Nigerian_Fraud, and SpamAssassin. On Ling, for example, GPT-4/LLaMA-2/GPT-4 reaches 99.43% accuracy and F1 0.99, outperforming homogeneous GPT-4/GPT-4/GPT-4 by +0.67 percentage points. The same study reports that added CoT or role prompting does not improve on the best mixed-agent baseline; on Ling, CoT drops to 99.12%, role prompting to 98.95%, and CoT+Role to 98.77% (Nguyen et al., 27 Mar 2025).
Intent categorization is also viable on inbox-visible text alone. In the MITRE ATT&CK T1566-inspired taxonomy, gpt-4o-mini reaches 94.00% detection accuracy and 86.05% category accuracy in zero-shot mode for binary detection plus intent categorization, while few-shot prompting improves category accuracy to 95.35% but lowers detection accuracy to 92.00%. Claude 3.5 Haiku and Phi-4 show different trade-offs, and Qwen exhibits severe formatting sensitivity, with near-zero performance in some few-shot settings because incorrect output formatting is counted as error (Eilertsen et al., 17 Jun 2025).
Explainability introduces an additional axis of evaluation. In the CC-SHAP study, explanation quality is measured by prediction–explanation token alignment. LLaMA 7B achieves phishing CC-SHAP 0.9659 ± 0.0304 and ham CC-SHAP 0.9779 ± 0.0169, yet its phishing accuracy on the 40-email explanation set is only 40%. Wizard 7B, by contrast, reaches phishing accuracy 80% and ham accuracy 95% but has much lower CC-SHAP values, 0.1231 ± 0.0906 for phishing and 0.1924 ± 0.1283 for ham (Kuikel et al., 16 Jun 2025). The result is a clear trade-off: better alignment between explanations and internal token attributions does not guarantee better phishing decisions.
EXPLICATE pushes this trade-off into a hybrid ML–XAI–LLM architecture. Its enhanced logistic-regression model reports held-out accuracy 98.36%, phishing precision 97.99%, recall 98.84%, and F1 98.66% on 38,601 samples, while its LLM explanation layer achieves explanation accuracy 94.2% and label consistency 96.8% relative to the underlying model (Lim et al., 22 Mar 2025). A plausible implication is that PhishIntentionLLM systems may increasingly separate the decision module from the explanation module, using different model classes for classification fidelity and rationale fidelity.
6. Robustness, deployment constraints, and adversarial pressure
The most important counterpoint to the optimism around PhishIntentionLLM is robustness. In content-only email detection, LLM-PEA shows that frontier models remain vulnerable to adversarial refinement, prompt injection, and multilingual drift. On a balanced dataset with the structured prompt, GPT-4o reaches 95% accuracy, Claude Sonnet 4 reaches 94%, and Grok-3 reaches 88%. Yet adversarial paraphrasing flips 4.2% of previously correct GPT-4o decisions and 12.7% of Claude Sonnet 4 decisions to “Safe,” while multilingual deployment sharply increases false positives; Claude’s aggregate FPR rises from 2.4% in English to 24.1% across Bangla, Chinese, and Hindi (Hassan et al., 10 Dec 2025).
Prompt injection is even more acute in multimodal phishing-site detectors. “Clouding the Mirror” shows that HTML-, URL-, and screenshot-based LLM phishing detectors are vulnerable to indirect PI embedded in attacker-controlled content. On HTML-based prompt injection, GPT-5 exhibits 39.9% attack success in a standard setting, reduced to 0.3% by InjectDefuser; on URL-only PI, the same defense reduces GPT-5 ASR from 20.0% to 0.0%. The defense combines prompt hardening with UUID-bounded untrusted regions, allowlist-based retrieval augmentation, and output validation (Koide et al., 5 Feb 2026). For PhishIntentionLLM-style pipelines, this establishes that multimodal competence and semantic richness do not obviate the need for strict separation between instruction space and attacker-controlled evidence.
Real-world attack evolution also matters. In organizational phishing simulations totaling 71,309 emails, QR-code “quishing” and traditional button-click phishing are statistically equivalent at luring users to landing pages within a ±1% TOST margin, while OSINT-plus-LLM phishing can be substantially more effective in some environments: the medium company records a visit rate of 31.48% for LLM-assisted emails among opens, and the small company records 66.6% (Weinz et al., 17 May 2025). This suggests that intent-aware systems must account for delivery-vector stealth and personalization depth, not only for textual maliciousness.
Operationally, many PhishIntentionLLM variants converge on similar deployment practices: strict output schemas, low-temperature inference, confidence-conditioned escalation, preservation of security-critical indicators during truncation, and human review for low-confidence or high-impact cases. These are not incidental implementation choices. They are the mechanisms by which intent-centric LLM systems are made auditable enough to function in high-friction security environments.