EPhishCADE: A Privacy-Aware Multi-Dimensional Framework for Email Phishing Campaign Detection

TL;DR

EPhishCADE is a privacy-aware, multi-dimensional framework that automatically detects email phishing campaigns by analyzing structural and contextual features, reducing analyst workload and enabling collaborative threat identification.

Contribution

It introduces the first privacy-aware, multi-dimensional approach combining structural and contextual analysis for email phishing detection, with a hierarchical architecture and graph-based similarity measures.

Findings

Effective detection of phishing campaigns across multiple dimensions.

Reduces analyst workload and enhances collaborative threat sharing.

Benchmark results show improved performance over previous structure-based methods.

Abstract

Phishing attacks, typically carried out by email, remain a significant cybersecurity threat with attackers creating legitimate-looking websites to deceive recipients into revealing sensitive information or executing harmful actions. In this paper, we propose {\bf EPhishCADE}, the first {\em privacy-aware}, {\em multi-dimensional} framework for {\bf E}mail {\bf Phish}ing {\bf CA}mpaign {\bf DE}tection to automatically identify email phishing campaigns by clustering seemingly unrelated attacks. Our framework employs a hierarchical architecture combining a structural layer and a contextual layer, offering a comprehensive analysis of phishing attacks by thoroughly examining both structural and contextual elements. Specifically, we implement a graph-based contextual layer to reveal hidden similarities across multiple dimensions, including textual, numeric, temporal, and spatial features, among attacks that may initially appear unrelated. Our framework streamlines the handling of security threat reports, reducing analysts' fatigue and workload while enhancing protection against these threats. Another key feature of our framework lies in its sole reliance on phishing URLs in emails without the need for private information, including senders, recipients, content, etc. This feature enables a collaborative identification of phishing campaigns and attacks among multiple organizations without compromising privacy. Finally, we benchmark our framework against an established structure-based study (WWW \textquotesingle 17) to demonstrate its effectiveness.