Phishing attacks on enterprise employees present one of the most costly and potent threats to organizations. We explore an understudied facet of enterprise phishing attacks: the email relay infrastructure behind successfully delivered phishing emails. We draw on a dataset spanning one year across thousands of enterprises, billions of emails, and over 800,000 delivered phishing attacks. Our work sheds light on the network origins of phishing emails received by real-world enterprises, differences in email traffic we observe from networks sending phishing emails, and how these characteristics change over time. Surprisingly, we find that over one-third of the phishing email in our dataset originates from highly reputable networks, including Amazon and Microsoft. Their total volume of phishing email is consistently high across multiple months in our dataset, even though the overwhelming majority of email sent by these networks is benign. In contrast, we observe that a large portion of phishing emails originate from networks where the vast majority of emails they send are phishing, but their email traffic is not consistent over time. Taken together, our results explain why no singular defense strategy, such as static blocklists (which are commonly used in email security filters deployed by organizations in our dataset), is effective at blocking enterprise phishing. Based on our offline analysis, we partnered with a large email security company to deploy a classifier that uses dynamically updated network-based features. In a production environment over a period of 4.5 months, our new detector was able to identify 3-5% more enterprise email attacks that were previously undetected by the company's existing classifiers.
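To make the abstract's argument concrete, the Python below is an added illustration (not code from the paper, its dataset or its partner's classifier): it constructs a two-month sample with one reputable high-volume network carrying a small steady phishing share and two short-lived networks that send almost only phishing, then compares a blocklist frozen from month 1 against a detector that recomputes each network's phishing share as labeled mail arrives. Network names, volumes and thresholds are assumptions chosen to mirror the traffic patterns the abstract describes.

```python
from collections import defaultdict

# Constructed sample log (not the paper's dataset): (month, sending network, is_phish).
# "AS-Reputable" sends mostly benign mail with a small, steady phishing share; each
# "AS-Burst-*" network sends almost only phishing and disappears after one month.
SAMPLE = (
    [(1, "AS-Reputable", False)] * 95 + [(1, "AS-Reputable", True)] * 5
    + [(2, "AS-Reputable", False)] * 95 + [(2, "AS-Reputable", True)] * 5
    + [(1, "AS-Burst-A", True)] * 9 + [(1, "AS-Burst-A", False)]
    + [(2, "AS-Burst-B", True)] * 9 + [(2, "AS-Burst-B", False)]
)

def mail_in(emails, month):
    """The (network, is_phish) pairs delivered in one month, in arrival order."""
    return [(net, phish) for m, net, phish in emails if m == month]

def static_blocklist(emails, train_month, min_share=0.5):
    """A list frozen from one month: networks whose phishing share was high then."""
    counts = defaultdict(lambda: [0, 0])
    for net, phish in mail_in(emails, train_month):
        counts[net][0] += 1
        counts[net][1] += phish
    return {net for net, (t, p) in counts.items() if p / t >= min_share}

def evaluate_blocklist(emails, month, blocklist):
    """Return (phish blocked, phish total, benign blocked) for one month."""
    blocked_p = total_p = blocked_b = 0
    for net, phish in mail_in(emails, month):
        total_p += phish
        if net in blocklist:
            blocked_p += phish
            blocked_b += not phish
    return blocked_p, total_p, blocked_b

def dynamic_detector(emails, month, min_share=0.5, min_seen=3):
    """Recompute each network's phishing share from mail already seen this month
    (labels from the existing filters) and flag once the share is high enough."""
    seen = defaultdict(lambda: [0, 0])
    flagged_p = flagged_b = 0
    for net, phish in mail_in(emails, month):
        total, bad = seen[net]
        if total >= max(min_seen, 1) and bad / total >= min_share:
            flagged_p += phish
            flagged_b += not phish
        seen[net][0] += 1
        seen[net][1] += phish
    return flagged_p, flagged_b
```

The frozen list catches none of month 2's phishing because the only network it names has gone quiet, while the recomputed share flags the new burst network after a few labeled messages; neither flags the reputable network at these thresholds, since blocking it by share alone would discard far more benign mail than phishing.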