LLM-Powered Intent-Based Categorization of Phishing Emails

📅 2025-06-17
🤖 AI Summary
Traditional phishing email detection relies on invisible metadata, failing to identify sophisticated phishing behaviors discernible from textual content alone. This paper proposes a large language model (LLM)-based, semantics-driven intent detection method that transcends metadata limitations, enabling both binary classification and fine-grained intent identification (e.g., credential harvesting, malware delivery). We introduce the first actionable intent taxonomy specifically designed for phishing emails and pioneer the direct application of LLMs to end-to-end intent recognition and structured threat annotation—enhancing interpretability and operational utility. Leveraging open-source models (e.g., Llama, Phi), we employ zero-shot/few-shot prompting and instruction tuning. Evaluated on a custom hybrid email dataset, our approach achieves 92.3% average accuracy and 86.7% intent-level F1-score, demonstrating that LLMs can deliver high-accuracy, interpretable phishing intent detection without domain-specific pretraining or fine-tuning.

📝 Abstract
Phishing attacks remain a significant threat to modern cybersecurity, as they successfully deceive both humans and the defense mechanisms intended to protect them. Traditional detection systems primarily focus on email metadata that users cannot see in their inboxes. Additionally, these systems struggle with phishing emails, which experienced users can often identify empirically by the text alone. This paper investigates the practical potential of Large Language Models (LLMs) to detect these emails by focusing on their intent. In addition to the binary classification of phishing emails, the paper introduces an intent-type taxonomy, which is operationalized by the LLMs to classify emails into distinct categories and, therefore, generate actionable threat information. To facilitate our work, we have curated publicly available datasets into a custom dataset containing a mix of legitimate and phishing emails. Our results demonstrate that existing LLMs are capable of detecting and categorizing phishing emails, underscoring their potential in this domain.

Problem

Research questions and friction points this paper is trying to address.

Detecting phishing emails using LLMs based on intent
Classifying phishing emails into distinct intent categories
Evaluating LLMs' potential in cybersecurity threat detection

Innovation

Methods, ideas, or system contributions that make the work stand out.

LLMs detect phishing emails by intent
Introduces intent-type taxonomy for classification
Uses curated dataset for training and testing

Even Eilertsen
University of Oslo, Oslo, Norway
Vasileios Mavroeidis
Associate Professor of Cybersecurity, University of Oslo
Cybersecurity, Cyber Threat Intelligence, Security Automation and Orchestration, Incident Response, Standardization
G. Grov
Norwegian Defence Research Establishment (FFI) & University of Oslo, Kjeller, Norway