Characterizing the Networks Sending Enterprise Phishing Emails

TL;DR

This study analyzes the network origins of enterprise phishing emails over a year, revealing that reputable networks like Amazon and Microsoft are significant sources, and introduces a dynamic classifier that improves detection rates.

Contribution

It provides the first large-scale analysis of the network infrastructure behind enterprise phishing emails and develops a dynamic detection method that outperforms static blocklists.

Findings

Over one-third of phishing emails originate from reputable networks.

The volume of phishing from these networks remains high over time.

The new classifier detects 3-5% more attacks than existing methods.

Abstract

Phishing attacks on enterprise employees present one of the most costly and potent threats to organizations. We explore an understudied facet of enterprise phishing attacks: the email relay infrastructure behind successfully delivered phishing emails. We draw on a dataset spanning one year across thousands of enterprises, billions of emails, and over 800,000 delivered phishing attacks. Our work sheds light on the network origins of phishing emails received by real-world enterprises, differences in email traffic we observe from networks sending phishing emails, and how these characteristics change over time. Surprisingly, we find that over one-third of the phishing email in our dataset originates from highly reputable networks, including Amazon and Microsoft. Their total volume of phishing email is consistently high across multiple months in our dataset, even though the overwhelming majority of email sent by these networks is benign. In contrast, we observe that a large portion of phishing emails originate from networks where the vast majority of emails they send are phishing, but their email traffic is not consistent over time. Taken together, our results explain why no singular defense strategy, such as static blocklists (which are commonly used in email security filters deployed by organizations in our dataset), is effective at blocking enterprise phishing. Based on our offline analysis, we partnered with a large email security company to deploy a classifier that uses dynamically updated network-based features. In a production environment over a period of 4.5 months, our new detector was able to identify 3-5% more enterprise email attacks that were previously undetected by the company's existing classifiers.