
PhishLumos: An Adaptive Multi-Agent System for Proactive Phishing Campaign Mitigation

Daiki Chiba, Hiroki Nakano, Takashi Koide

TL;DR

PhishLumos addresses the limitations of content-based phishing defenses by introducing an adaptive multi-agent system that pursues campaign-level mitigation through infrastructure signals. It uses a central Supervisor and specialized/synthesis LLM-powered agents to pivot investigations from evasive URLs to hosting, DNS/IP, and TLS infrastructure, generating validated detection rules. On real-world data, it achieves 100% median campaign coverage and identifies campaigns roughly eight days before expert confirmation, while also discovering thousands of additional malicious URLs and maintaining high precision even in content-inaccessible settings. This proactive approach shifts defense from reactive blocking to proactive mitigation, strengthening protection for vulnerable users and critical digital services.

Abstract

Phishing attacks are a significant societal threat, disproportionately harming vulnerable populations and eroding trust in essential digital services. Current defenses are often reactive, failing against modern evasive tactics like cloaking that conceal malicious content. To address this, we introduce PhishLumos, an adaptive multi-agent system that proactively mitigates entire attack campaigns. It confronts a core cybersecurity imbalance: attackers can easily scale operations, while defense remains an intensive expert task. Instead of being blocked by evasion, PhishLumos treats it as a critical signal to investigate the underlying infrastructure. Its Large Language Model (LLM)-powered agents uncover shared hosting, certificates, and domain registration patterns. On real-world data, our system identified 100% of campaigns in the median case, over a week before their confirmation by cybersecurity experts. PhishLumos demonstrates a practical shift from reactive URL blocking to proactive campaign mitigation, protecting users before they are harmed and making the digital world safer for all.
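The TL;DR and abstract describe the core move of PhishLumos: treating an evasive, content-inaccessible URL as a reason to pivot to its infrastructure (hosting IP, TLS certificate, registrar, nameserver), expanding to the wider campaign, and then emitting only detection rules that survive validation. The example below is an added illustration of that pivot-and-validate loop, written for this page; it is not the authors' code and does not reproduce their LLM agents or Supervisor. All records, fingerprints, registrars and nameservers are constructed (IPs come from the documentation ranges), and the `malicious` labels stand in for analyst ground truth used only to score candidate rules.

```python
"""Infrastructure pivot from one evasive phishing URL to its campaign, then rule validation.

Added illustration for this page; not the PhishLumos implementation. Every record below is
constructed sample data, and attribute names are this example's own choice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfraRecord:
    url: str
    ip: str            # hosting address (constructed, documentation range)
    cert_sha256: str   # leaf certificate fingerprint (constructed placeholder)
    registrar: str     # domain registrar (constructed)
    nameserver: str    # authoritative nameserver (constructed)
    malicious: bool    # analyst label, used only to validate candidate rules


PIVOT_KEYS = ("ip", "cert_sha256", "registrar", "nameserver")

# Constructed sample data: a four-site campaign sharing one multi-SAN certificate and one
# nameserver, two benign tenants on the same shared-hosting IP as the seed, and an unrelated
# benign site that happens to use the same (popular) registrar.
RECORDS = [
    InfraRecord("https://login-bank.example-a.test/verify", "203.0.113.10", "cert-aaaa", "RegOne", "ns1.bulk-dns.test", True),
    InfraRecord("https://secure-bank.example-b.test/", "203.0.113.10", "cert-aaaa", "RegOne", "ns1.bulk-dns.test", True),
    InfraRecord("https://bank-update.example-c.test/", "203.0.113.11", "cert-aaaa", "RegOne", "ns1.bulk-dns.test", True),
    InfraRecord("https://account-bank.example-d.test/", "203.0.113.12", "cert-bbbb", "RegOne", "ns1.bulk-dns.test", True),
    InfraRecord("https://bakery.example-e.test/", "203.0.113.10", "cert-cccc", "RegTwo", "ns1.hoster-dns.test", False),
    InfraRecord("https://club.example-f.test/", "203.0.113.10", "cert-dddd", "RegTwo", "ns1.hoster-dns.test", False),
    InfraRecord("https://shop.example-g.test/", "198.51.100.5", "cert-eeee", "RegOne", "ns1.other.test", False),
]


def pivot(seed_url, records, keys=PIVOT_KEYS, max_hops=2):
    """Breadth-first expansion from the seed over shared infrastructure attributes.

    Returns {url: hop} for every record reached (seed at hop 0). Pivoting on every key is
    deliberately greedy: shared hosting and popular registrars pull in benign neighbours,
    which is exactly what the validation step below has to filter out.
    """
    by_url = {r.url: r for r in records}
    reached = {seed_url: 0}
    frontier = [seed_url]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for url in frontier:
            src = by_url[url]
            for rec in records:
                if rec.url in reached:
                    continue
                if any(getattr(rec, k) == getattr(src, k) for k in keys):
                    reached[rec.url] = hop
                    next_frontier.append(rec.url)
        frontier = next_frontier
    return reached


def evaluate_rule(rule, records):
    """Score a (attribute, value) rule against labelled records: (precision, recall)."""
    key, value = rule
    matched = [r for r in records if getattr(r, key) == value]
    true_positives = sum(r.malicious for r in matched)
    total_malicious = sum(r.malicious for r in records)
    precision = true_positives / len(matched) if matched else 0.0
    recall = true_positives / total_malicious if total_malicious else 0.0
    return precision, recall


def validated_rules(seed_url, records, keys=PIVOT_KEYS, min_precision=0.9):
    """Propose one rule per infrastructure attribute of the seed; keep only those whose
    precision on the labelled set meets the bar. Returns [(rule, precision, recall)]."""
    seed = next(r for r in records if r.url == seed_url)
    accepted = []
    for key in keys:
        rule = (key, getattr(seed, key))
        precision, recall = evaluate_rule(rule, records)
        if precision >= min_precision:
            accepted.append((rule, precision, recall))
    return accepted


if __name__ == "__main__":
    seed = RECORDS[0].url
    print("greedy pivot reached", len(pivot(seed, RECORDS)), "records")
    print("cert/NS pivot reached", len(pivot(seed, RECORDS, keys=("cert_sha256", "nameserver"))), "records")
    for rule, precision, recall in validated_rules(seed, RECORDS):
        print(f"accepted rule {rule}: precision={precision:.2f} recall={recall:.2f}")
```

Run as-is, the greedy pivot reaches all seven records because the shared-hosting IP and the common registrar connect the seed to benign sites; pivoting only on the certificate fingerprint and nameserver reaches just the four campaign sites. The validation step then rejects the `ip` rule (precision 0.5) and the `registrar` rule (precision 0.8) and keeps the certificate and nameserver rules, which is the kind of rule a defender can deploy without needing to fetch the cloaked page content at all.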

Paper Structure

This paper contains 16 sections, 2 figures, 6 tables, and 2 algorithms.

Figures (2)

  • Figure 1: The core concept of PhishLumos.
  • Figure 2: System Architecture of PhishLumos.