Detecting and Characterizing Lateral Phishing at Scale

TL;DR

This paper provides the first large-scale analysis of lateral phishing attacks within enterprises, using a vast email dataset to identify attack patterns, quantify their prevalence, and understand attacker strategies and behaviors.

Contribution

It introduces a novel classifier for detecting lateral phishing emails at scale, with high accuracy and low false positives, and offers new insights into attacker tactics and attack success rates.

Findings

Detected hundreds of real-world lateral phishing emails

Quantified the scale and prevalence of lateral phishing attacks

Identified attacker strategies and sophisticated behaviors

Abstract

We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one-million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.