EmailSearch/EmailSearch/SpamDetection/AttachmentAnalyzer.cs
aj 51858cbd01 feat: add rule-based spam detection engine
Heuristic spam detector with 50+ patterns including SPF/DKIM/DMARC
auth checks, display name impersonation, URL analysis, attachment
risk scoring, and advanced phishing detection (fake quarantine
reports, voicemail scams, cold email solicitation). Configurable
via SpamDetectorConfig.json with customizable weights and blocklist.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 11:06:35 -05:00

73 lines
1.9 KiB
C#

using NetOffice.OutlookApi;
namespace EmailSearch.SpamDetection;
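/// <summary>
/// Scores the attachments of an Outlook mail item by file-name extension.
/// </summary>
/// <remarks>
/// The score is derived from <c>Attachment.FileName</c> only. Attachment content is never
/// opened, so a renamed file or the members of an archive are not reflected in the result;
/// callers should treat this as one signal among several, not as a verdict.
/// </remarks>
internal static class AttachmentAnalyzer
{
    // Windows drops trailing dots and spaces from a file name when the file is saved,
    // so "invoice.exe." ends up on disk as "invoice.exe". Strip them before matching
    // so the score reflects the name the file will actually have.
    private static readonly char[] IgnoredTrailingChars = { ' ', '.' };

    // Risk scores by extension type (0.0 = safe, 1.0 = very dangerous)
    private static readonly Dictionary<string, double> AttachmentRiskScores = new(StringComparer.OrdinalIgnoreCase)
    {
        // Critical risk - direct executables
        { ".exe", 1.0 },
        { ".scr", 1.0 },
        { ".bat", 0.95 },
        { ".cmd", 0.95 },
        { ".com", 0.95 },
        { ".pif", 0.95 },
        { ".msi", 0.9 },
        { ".vbs", 0.9 },
        { ".js", 0.9 },
        { ".ps1", 0.9 },
        { ".wsf", 0.9 },
        // High risk - macro-enabled documents
        { ".docm", 0.8 },
        { ".xlsm", 0.8 },
        { ".pptm", 0.8 },
        { ".xlam", 0.8 },
        // Medium-high risk - can contain executables
        { ".iso", 0.7 },
        { ".img", 0.7 },
        { ".lnk", 0.75 },
        { ".hta", 0.7 },
        // Medium risk - HTML can be phishing
        { ".html", 0.6 },
        { ".htm", 0.6 },
        { ".svg", 0.5 },
        // Low-medium risk - archives
        { ".zip", 0.3 },
        { ".rar", 0.35 },
        { ".7z", 0.35 },
        { ".tar", 0.3 },
        { ".gz", 0.3 }
    };

    /// <summary>
    /// Returns the highest extension risk score found among the attachments of <paramref name="mail"/>.
    /// </summary>
    /// <param name="mail">The mail item whose attachments are scored.</param>
    /// <returns>
    /// A value from the risk table (0.0 = safe, 1.0 = very dangerous); 0.0 when the item has
    /// no attachments or none of the names ends with a listed extension.
    /// </returns>
    public static double GetAttachmentRiskScore(MailItem mail)
    {
        // Read the collection once instead of going through the property for every check.
        var attachments = mail.Attachments;
        if (attachments == null || attachments.Count == 0)
        {
            return 0.0;
        }

        double maxRisk = 0.0;
        foreach (var attachment in attachments)
        {
            if (attachment is Attachment att)
            {
                maxRisk = Math.Max(maxRisk, ScoreFileName(att.FileName));
            }
        }

        return maxRisk;
    }

    // Returns the highest table score whose extension terminates the normalized file name, or 0.0.
    private static double ScoreFileName(string fileName)
    {
        if (string.IsNullOrEmpty(fileName))
        {
            return 0.0;
        }

        var normalized = fileName.TrimEnd(IgnoredTrailingChars);
        double risk = 0.0;
        foreach (var entry in AttachmentRiskScores)
        {
            // Ordinal matching keeps the result independent of the process culture; the
            // suffix test (rather than an exact extension lookup) still catches names
            // such as "report.pdf.exe".
            if (normalized.EndsWith(entry.Key, StringComparison.OrdinalIgnoreCase))
            {
                risk = Math.Max(risk, entry.Value);
            }
        }

        return risk;
    }
}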