Detecting and Characterizing Lateral Phishing at Scale

Authors: 

Grant Ho, UC Berkeley and Barracuda Networks; Asaf Cidon, Barracuda Networks and Columbia University; Lior Gavish and Marco Schweighauser, Barracuda Networks; Vern Paxson, UC Berkeley and ICSI; Stefan Savage and Geoffrey M. Voelker, UC San Diego; David Wagner, UC Berkeley

Distinguished Paper Award Winner

Abstract: 

We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user’s account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one-million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the ‘enterprise attacker’ and shed light on the current state of enterprise phishing attacks.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {236246,
author = {Grant Ho and Asaf Cidon and Lior Gavish and Marco Schweighauser and Vern Paxson and Stefan Savage and Geoffrey M. Voelker and David Wagner},
title = {Detecting and Characterizing Lateral Phishing at Scale},
booktitle = {28th {USENIX} Security Symposium ({USENIX} Security 19)},
year = {2019},
isbn = {978-1-939133-06-9},
address = {Santa Clara, CA},
pages = {1273--1290},
url = {https://www.usenix.org/conference/usenixsecurity19/presentation/ho},
publisher = {{USENIX} Association},
month = aug,
}