Characterizing the Networks Sending Enterprise Phishing Emails
Elisa Luo, Liane Young, Grant Ho, M. H. Afifi, Marco Schweighauser, Ethan Katz-Bassett, Asaf Cidon
TL;DR
This study analyzes the network delivery infrastructure behind enterprise phishing emails using a large, year-long dataset of billions of emails and over 800,000 delivered phishing messages, revealing which networks phishing originates from and how those origins change over time. By tracing email delivery paths via Received headers and evaluating network-based features, the authors show that even highly reputable networks (e.g., Amazon and Microsoft) contribute substantial phishing traffic, while many networks with a high concentration of phishing are transient. They demonstrate that static blocklists are insufficient and develop a dynamic detector that updates network-origin features daily, achieving a 3–5% increase in detected enterprise phishing without raising false positives in production. The work highlights temporal dynamics, AS-level and IP-level reputation signals, and hosting-provider abuse as levers for defense, and suggests practical implications for both technical and policy-based controls to curb enterprise phishing. Overall, the findings advocate moving beyond static defenses toward adaptive, network-aware phishing detection informed by real-world traffic patterns and delivery routes.
Abstract
Phishing attacks on enterprise employees present one of the most costly and potent threats to organizations. We explore an understudied facet of enterprise phishing attacks: the email relay infrastructure behind successfully delivered phishing emails. We draw on a dataset spanning one year across thousands of enterprises, billions of emails, and over 800,000 delivered phishing attacks. Our work sheds light on the network origins of phishing emails received by real-world enterprises, differences in email traffic we observe from networks sending phishing emails, and how these characteristics change over time. Surprisingly, we find that over one-third of the phishing email in our dataset originates from highly reputable networks, including Amazon and Microsoft. Their total volume of phishing email is consistently high across multiple months in our dataset, even though the overwhelming majority of email sent by these networks is benign. In contrast, we observe that a large portion of phishing emails originate from networks where the vast majority of emails they send are phishing, but their email traffic is not consistent over time. Taken together, our results explain why no singular defense strategy, such as static blocklists (which are commonly used in email security filters deployed by organizations in our dataset), is effective at blocking enterprise phishing. Based on our offline analysis, we partnered with a large email security company to deploy a classifier that uses dynamically updated network-based features. In a production environment over a period of 4.5 months, our new detector was able to identify 3-5% more enterprise email attacks that were previously undetected by the company's existing classifiers.
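The two mechanisms the abstract relies on, reconstructing where an email entered the enterprise from its Received headers and turning per-network history into features that are recomputed every day, are illustrated below. This is an added example written for this page, not code from the paper or from the email security company it describes. The message, the trusted network ranges, the IP-to-AS table and the daily counts are all constructed placeholders (documentation IP ranges and private-use AS numbers); a real deployment would replace the lookup table with a routing-derived one and the counts with its own labelled traffic. The key caveat it encodes is that Received headers below the first hop outside your own infrastructure are written by the sender and can be forged, so the origin used for reputation is the last relay the receiving side can vouch for, not the bottom-most header.

```python
"""Recover the external origin of an email from its Received headers and derive
dynamically updated per-network features (added example; all data constructed)."""
import re
import ipaddress
from datetime import date, timedelta
from email import message_from_string

# Constructed: address space of the receiving enterprise's own mail infrastructure.
# Hops handled "by" these hosts are trustworthy; headers beneath the first
# untrusted hop are sender-supplied text and may be fabricated.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for an IP-to-AS lookup (private-use ASNs as placeholders).
IP_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,   # placeholder "large cloud relay"
    ipaddress.ip_network("198.51.100.0/25"): 64501,  # placeholder "small hosting provider"
}

# Constructed daily per-AS totals: (day, asn, emails_seen, emails_labelled_phishing).
# AS64500 sends large volumes with a tiny phishing fraction; AS64501 appears for
# one day, sends almost only phishing, then disappears.
DAILY_COUNTS = [
    (date(2024, 3, 1), 64500, 100000, 40),
    (date(2024, 3, 2), 64500, 120000, 55),
    (date(2024, 3, 3), 64500, 110000, 50),
    (date(2024, 3, 2), 64501, 300, 290),
]

# Constructed sample message: attacker host -> cloud relay -> enterprise MX -> filter.
RAW_MSG = """Received: from mx1.example-enterprise.test (mx1.example-enterprise.test [192.0.2.10])
\tby inbound.example-security.test with ESMTPS id abc123
\tfor <alice@example-enterprise.test>; Mon, 04 Mar 2024 10:15:22 +0000
Received: from relay.example-cloud.test (relay.example-cloud.test [203.0.113.25])
\tby mx1.example-enterprise.test with ESMTP id def456;
\tMon, 04 Mar 2024 10:15:20 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby relay.example-cloud.test with ESMTPA id ghi789;
\tMon, 04 Mar 2024 10:15:18 +0000
From: "IT Helpdesk" <helpdesk@example-lookalike.test>
To: alice@example-enterprise.test
Subject: Password expiry notice

Please reset your password.
"""

# Sending address of one hop: the first bracketed literal between "from" and "by".
IP_RE = re.compile(r"\bfrom\b.*?\[([0-9a-fA-F:.]+)\].*?\bby\b", re.S)


def hop_ips(raw_message):
    """Sending IP of every Received hop, newest (closest to us) first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:  # malformed literal; skip rather than crash
            continue
    return ips


def external_origin(raw_message):
    """First hop outside TRUSTED_NETS: the last relay whose header we did not write."""
    for ip in hop_ips(raw_message):
        if not any(ip in net for net in TRUSTED_NETS):
            return ip
    return None


def asn_of(ip):
    """Map an IP to its AS via the constructed table (None if unknown)."""
    for net, asn in IP_TO_ASN.items():
        if ip in net:
            return asn
    return None


def network_features(asn, as_of, window_days=3):
    """Volume and phishing fraction of `asn` over the window ending the day before
    `as_of`. Recomputing this daily is what makes the features dynamic."""
    start = as_of - timedelta(days=window_days)
    total = phish = 0
    for day, a, n, p in DAILY_COUNTS:
        if a == asn and start <= day < as_of:
            total += n
            phish += p
    return {"asn": asn, "volume": total, "phish_volume": phish,
            "phish_fraction": phish / total if total else 0.0}


def enrich(raw_message, as_of):
    """Feature record a downstream classifier would consume for one message."""
    origin = external_origin(raw_message)
    asn = asn_of(origin) if origin else None
    feats = network_features(asn, as_of) if asn else {}
    return {"origin_ip": str(origin) if origin else None, "path": [str(i) for i in hop_ips(raw_message)], **feats}


if __name__ == "__main__":
    print(enrich(RAW_MSG, date(2024, 3, 4)))
```

Note that the origin attributed here is the cloud relay (AS64500), not the host in the bottom header: the relay's own Received line is the deepest hop the receiver can trust, which is exactly why a high-volume, low-fraction network still ends up carrying phishing into the enterprise and why a blocklist keyed on it would be untenable. The one-day hosting provider shows the opposite profile, a near-1.0 phishing fraction that only a window recomputed daily would catch.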
