Characterizing Phishing Threats with Natural Language Processing

TL;DR

This paper uses NLP techniques to analyze a real-world spear phishing campaign, demonstrating how semantic similarity and clustering can identify targeted attacks and differentiate them from random spam.

Contribution

It introduces a method to quantify and characterize spear phishing attacks using NLP, focusing on semantic similarity and topical clustering of email content.

Findings

High statistical evidence (p < 10^{-4}) of targeted content in phishing emails.

Targeted recipients received topically clustered CVs.

The campaign specifically targeted certain demographics within the institution.

Abstract

Spear phishing is a widespread concern in the modern network security landscape, but there are few metrics that measure the extent to which reconnaissance is performed on phishing targets. Spear phishing emails closely match the expectations of the recipient, based on details of their experiences and interests, making them a popular propagation vector for harmful malware. In this work we use Natural Language Processing techniques to investigate a specific real-world phishing campaign and quantify attributes that indicate a targeted spear phishing attack. Our phishing campaign data sample comprises 596 emails - all containing a web bug and a Curriculum Vitae (CV) PDF attachment - sent to our institution by a foreign IP space. The campaign was found to exclusively target specific demographics within our institution. Performing a semantic similarity analysis between the senders' CV attachments and the recipients' LinkedIn profiles, we conclude with high statistical certainty (p $< 10^{-4}$) that the attachments contain targeted rather than randomly selected material. Latent Semantic Analysis further demonstrates that individuals who were a primary focus of the campaign received CVs that are highly topically clustered. These findings differentiate this campaign from one that leverages random spam.