This study addresses the limited robustness of existing phishing email detection methods, which rely heavily on textual features vulnerable to adversarial perturbations. To enhance reliability in real-world scenarios, the authors propose a graph-based detection framework grounded in typed entity relation modeling. The approach constructs an email graph through typed entity recognition and cross-type relation modeling, and generalizes conventional Sigma rules into data-driven typed relation masks, thereby unifying rule-based reasoning with learning mechanisms to improve both interpretability and generalization. Sparse mask selection is optimized using particle swarm optimization (PSO). Evaluated on a dataset of 29,142 emails, the method achieves an F1 score of 0.9675 and demonstrates strong resilience against Good Word insertion attacks, with only a marginal drop to 0.9579—significantly outperforming baseline models.

Here is a further shortened version (pure text, no extra formatting, academic style preserved, no content change): Abstract. With the rise of AI-generated content (AIGC), phishing actors now possess richer linguistic capabilities and evasion techniques. Most existing detectors over-rely on mutable textual features, achieving high accuracy on clean data but degrading severely under text-focused adversarial manipulation. This mirrors the lab-to-real performance gap. We investigate invariant signals in phishing emails: even when attackers modify surface text, functional intent constrains relations among typed entities. Threat-actor tradecraft is described via high-level TTPs, but rule-based systems like Sigma express invariants only through manually curated, field-specific patterns, limiting flexibility. We introduce PhishSigma++, an entity-relation-based malicious email detector for RFC822 messages that generalizes Sigma's design. It extracts 40 typed entity classes, computes 5 cross-type relations to build a typed email graph, and uses particle swarm optimization (PSO) to select a sparse discriminative mask, supporting classification and type-level evidence summary. On 29,142 messages, PhishSigma++ achieves 0.9675 F1 on clean data and outperforms text-centric baselines under non-adaptive Good Word padding at \r{ho}=0.8. It maintains 0.9579 F1, while a token-based Bayesian filter collapses to 0.0243 and a DistilBERT phishing checkpoint falls to 0.7284. Compared with traditional Sigma rules, PhishSigma++ offers higher detection, broader relational invariance coverage, and data-driven feature selection. We also show that thresholded typed relation scores encode a useful fragment of Sigma-style field conditions, unifying hand-crafted rule logic and learned relation masks in a single-email framework.