Detecting and Characterizing Lateral Phishing at Scale
This work addresses the threat of phishing within enterprises, providing insights into attacker strategies and success rates, though it is incremental in applying existing methods to a new dataset.
The researchers tackled the problem of lateral phishing attacks by analyzing 113 million emails from 92 enterprises, developing a classifier that detects hundreds of real-world attacks with under four false positives per million emails.
We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one-million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.