It’s received so much attention in recent years that on 18 August 2017, Facebook awarded its annual Internet Defense Prize to a group of researchers from the University of California, Berkeley, who built an automated spear phishing detection system. They’ve published a helpful paper on the subject, which will help us get to the brass tacks of how spear phishing detection should work in a corporate environment.

What Makes Spear Phishing Such a Threat

If you want a rundown on what spear phishing is, I’ve already written about it at length in this article. The level of sophistication in a spear phishing attack can differ according to the resources available to the attacker, but in general the goal is to create an email that perfectly mimics what the victim would receive from a trusted individual. This means that these particular emails will often lack the usual signs of a scam message. Since it looks legitimate, it lowers the victim’s guard, making them more susceptible to inadvertently doing harm to themselves or the company that employs them. Here’s the scary part: the email could even appear to come from the address of someone the victim trusts, spoofing the name and other details and throwing traditional detection methods off their scent.

How Algorithms Spot the Emails

Although spear phishing emails typically look very legitimate compared to the messages distributed in the traditional “lottery” phishing style, the spear isn’t as sharp as it looks. Every fake message has its tell. In this case the approach is a heuristic analysis of the messages sent to and from the recipient, spotting patterns in both the language of the body and the contents of the email header. If, for example, a contact usually messages you from the United States and you suddenly receive a message from that same contact originating from Nigeria, that could be a red flag.

The algorithm, known as Directed Anomaly Scoring (DAS), also examines the message itself for signs of suspicious content. For example, if the email contains a link to a website and the system notices that no other employee in your company has ever visited it, the message can be marked as suspicious. The message can be further analyzed to determine the “reputability” of the URLs it contains. Since most attackers will only spoof the sender name and not the email address, the algorithm also tries to correlate the sender name with the addresses that name has used over the last few months. If the sender name and address do not correspond to any pairing seen in the past, that raises an alarm.

In a nutshell, DAS scans the content of the email, its header, and corporate LDAP logs to decide whether the email results from a spear phishing attempt or is just a weird but legitimate message. In its test run over 370 million emails, DAS detected 17 out of 19 attacks with a false positive rate of 0.004%. Not bad!

Now here’s another issue: do you think that email scanners violate the privacy of individuals, even when used in a closed corporate environment purely for the detection of scams? Let’s discuss this in the comments!
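As an added example (my own sketch, not code from the Berkeley paper or its authors), here is how the three checks described above can be wired into a DAS-style ranking in Python. The mail history, proxy visitor counts and inbox are constructed, and the scoring rule (count the other messages an email is at least as suspicious as in every feature, then alert on the highest scores) is my simplification of the paper’s approach.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed history of the last few months of mail: (display name, address, origin country).
HISTORY = [
    ("Alice Chen", "alice@acme.example", "US"),
    ("Alice Chen", "alice@acme.example", "US"),
    ("Alice Chen", "alice@acme.example", "US"),
    ("Bob Ruiz", "bob@partner.example", "DE"),
    ("Bob Ruiz", "bob@partner.example", "DE"),
]
# Constructed corporate proxy log: how many distinct employees ever visited each domain.
# Domains that nobody visited simply count as 0.
DOMAIN_VISITORS = Counter({"acme.example": 120, "partner.example": 40, "popular.example": 5000})

@dataclass(frozen=True)
class Email:
    sender_name: str
    sender_addr: str
    country: str
    link_domain: str

def features(msg, history=HISTORY, visitors=DOMAIN_VISITORS):
    """Three features; for each one a SMALLER value means MORE suspicious."""
    pair_seen = sum(1 for n, a, _ in history if n == msg.sender_name and a == msg.sender_addr)
    country_seen = sum(1 for n, _, c in history if n == msg.sender_name and c == msg.country)
    return (pair_seen, country_seen, visitors[msg.link_domain])

def das_scores(emails):
    """Directed scoring: an email's score is the number of other emails it is at least as
    suspicious as in every feature. Being unusual in the benign direction (e.g. a link to
    an unusually popular site) earns nothing, unlike an undirected outlier detector."""
    feats = [features(m) for m in emails]
    return [sum(1 for j, fj in enumerate(feats) if j != i and all(a <= b for a, b in zip(fi, fj)))
            for i, fi in enumerate(feats)]

def top_alerts(emails, budget):
    """Return the `budget` highest-scoring emails for an analyst to review."""
    ranked = sorted(zip(das_scores(emails), emails), key=lambda t: t[0], reverse=True)
    return [m for _, m in ranked[:budget]]

# Constructed inbox: two normal messages, one spoofed display name with a new address,
# new origin country and a link nobody in the company has visited, and one message
# that is unusual only in the benign direction (a very popular link).
INBOX = [
    Email("Alice Chen", "alice@acme.example", "US", "acme.example"),
    Email("Bob Ruiz", "bob@partner.example", "DE", "partner.example"),
    Email("Alice Chen", "alice.chen@mail-login.example", "NG", "mail-login.example"),
    Email("Alice Chen", "alice@acme.example", "US", "popular.example"),
]

if __name__ == "__main__":
    for score, msg in zip(das_scores(INBOX), INBOX):
        print(score, msg.sender_name, msg.sender_addr, msg.country, msg.link_domain)
    print("alert:", top_alerts(INBOX, 1)[0].sender_addr)
```

With an alert budget of one, only the spoofed message surfaces; the message with the unusually popular link scores zero because DAS only counts deviations in the suspicious direction.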