Clustering

Clustering phishing and spam attackes into groups often called campaigns has been an ongoing research direction, but the work on it uses a supprisingly wide range of definitions of campaign as well as approaches to define groups. In this work we systemize prior work aiming to cluster or group phishing and spam emails using commonalities. Such commonalities can vary significantly. We looked at 23 research articles on grouping spam and phishing emails, focusing on two foundational aspects (definition of a group and use case) and four methodological aspects (dataset, input features, clustering or grouping algorithms, and evaluation strategies). We propose three definitions of `campaign’ representing how researchers approach the groupings: source-based, scam-based, and response-based. Furthermore, we discuss the various features and algorithms that have been utilized in relation to the goals of the researchers and highlight the key takeaways and recommendations for future work.

A novel framework designed to designed to extract contextual information from phishing emails. Our focus is on human-centric features, which are often overlooked in traditional approaches, as they are the features that users notice when evaluating a potentially suspicious email. By fine-tuning four transformer-based models, we accurately extract seven descriptive features from phishing email texts. Our findings indicate that language models provide a promising method for extracting contextual information from phishing emails.

There is a significant knowledge gap about the qualitative traits embedded in phishing emails, which could be useful in a range of phishing mitigation tasks. In this paper, we consider the structure of phishing emails to identify a novel set of descriptive features. We employ an iterative qualitative coding approach to identify features that are descriptive of the emails leading to the ``Phishing Codebook’’, a structured framework for extracting key phishing email information. We apply this codebook to a publicly available dataset of 503 phishing emails.