PhishIntel: Toward Practical Deployment of Reference-Based Phishing Detection

TL;DR

PhishIntel is a practical phishing detection system that combines fast local checks with slower online analysis to enable real-time, accurate detection of phishing URLs, including zero-day threats.

Contribution

The paper introduces PhishIntel, a novel system architecture that balances detection speed and accuracy for real-world deployment of reference-based phishing detectors.

Findings

Achieves low latency in phishing detection

Effectively detects zero-day phishing URLs

Demonstrates practical applications in email security

Abstract

Phishing is a critical cyber threat, exploiting deceptive tactics to compromise victims and cause significant financial losses. While reference-based phishing detectors (RBPDs) have achieved notable advancements in detection accuracy, their real-world deployment is hindered by challenges such as high latency and inefficiency in URL analysis. To address these limitations, we present PhishIntel, an end-to-end phishing detection system for real-world deployment. PhishIntel intelligently determines whether a URL can be processed immediately or not, segmenting the detection process into two distinct tasks: a fast task that checks against local blacklists and result cache, and a slow task that conducts online blacklist verification, URL crawling, and webpage analysis using an RBPD. This fast-slow task system architecture ensures low response latency while retaining the robust detection capabilities of RBPDs for zero-day phishing threats. Furthermore, we develop two downstream applications based on PhishIntel: a phishing intelligence platform and a phishing email detection plugin for Microsoft Outlook, demonstrating its practical efficacy and utility.