CIC-Trap4Phish: A Unified Multi-Format Dataset for Phishing and Quishing Attachment Detection
Fatemeh Nejati, Mahdi Rabbani, Morteza Eskandarian, Mansur Mirani, Gunjan Piya, Igor Opushnyev, Ali A. Ghorbani, Sajjad Dadkhah
TL;DR
This paper tackles the fragmentation of phishing/quishing data across common attachment formats by introducing CIC-Trap4Phish, a unified multi-format dataset covering Word, Excel, PDF, HTML, and QR codes. It delivers static feature extraction pipelines for the first four formats and a dual approach for QR codes (CNN-based image analysis and URL lexical analysis with lightweight LLMs), paired with SHAP-informed feature selection to create compact, discriminative feature subsets. Lightweight classifiers (Random Forest, XGBoost, and Decision Tree) achieve near-perfect to high accuracy across formats, while QR-code detection favors textual URL analysis over image-based methods due to intrinsic visual similarities in QR encodings. The dataset is publicly available through CIC’s portal, enabling robust cross-format evaluation, faster screening, and improved explainability in practical phishing defenses.
Abstract
Phishing attacks represent one of the primary attack methods used by cyber attackers. In many cases, attackers use deceptive emails along with malicious attachments to trick users into giving away sensitive information or installing malware, compromising entire systems. The flexibility of malicious email attachments makes them a preferred vector for attackers, as they can embed harmful content such as malware or malicious URLs inside standard document formats. Although phishing email defenses have improved a lot, attackers continue to abuse attachments, enabling malicious content to bypass security measures. Moreover, another challenge that researchers face in training advanced models is the lack of a unified and comprehensive dataset that covers the most prevalent data types. To address this gap, we generated CIC-Trap4Phish, a multi-format dataset containing both malicious and benign samples across five categories commonly used in phishing campaigns: Microsoft Word documents, Excel spreadsheets, PDF files, HTML pages, and QR code images. For the first four file types, a set of execution-free static feature pipelines was proposed, designed to capture structural, lexical, and metadata-based indicators without the need to open or execute files. Feature selection was performed using a combination of SHAP analysis and feature importance, yielding compact, discriminative feature subsets for each file type. The selected features were evaluated using lightweight machine learning models, including Random Forest, XGBoost, and Decision Tree. All models demonstrate high detection accuracy across formats. For QR code-based phishing (quishing), two complementary methods were implemented: image-based detection employing Convolutional Neural Networks (CNNs) and lexical analysis of decoded URLs using recent lightweight language models.
