Phishing attacks frequently use email body obfuscation to bypass detection filters, but quantitative insights into how techniques are combined and their impact on filter scores remain limited. This paper addresses this gap by empirically investigating the prevalence, co-occurrence patterns, and spam score associations of body obfuscation techniques. Analyzing 386 verified phishing emails, we quantified ten techniques and identified significant pairwise co-occurrences revealing strategic layering. Text in Image (47.0%), Base64 Encoding (31.2%), and Invalid HTML (28.8%) were highly prevalent. We then assessed associations with scores from two prominent open-source filters, SpamAssassin and Rspamd, using multilinear regression. Our comparative regression analysis revealed highly filter-dependent impacts: the models explained 48.6% (SpamAssassin) and 32.7% (Rspamd) of score variance. While ‘Base64 Encoding’ was associated with score reduction for both filters, other techniques showed contrasting effects. For instance, ‘Text in Image’ was linked to lower scores in SpamAssassin but higher scores in Rspamd, while ‘Invalid HTML‘ was penalized by SpamAssassin but had no significant effect on Rspamd.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Measuring Modern Phishing Tactics: A Quantitative Study of Body Obfuscation Prevalence, Co-occurrence, and Filter Impact

  • Antony Dalmiere,
  • Zheng Zhou,
  • Guillaume Auriol,
  • Vincent Nicomette,
  • Pascal Marchand

摘要

Phishing attacks frequently use email body obfuscation to bypass detection filters, but quantitative insights into how techniques are combined and their impact on filter scores remain limited. This paper addresses this gap by empirically investigating the prevalence, co-occurrence patterns, and spam score associations of body obfuscation techniques. Analyzing 386 verified phishing emails, we quantified ten techniques and identified significant pairwise co-occurrences revealing strategic layering. Text in Image (47.0%), Base64 Encoding (31.2%), and Invalid HTML (28.8%) were highly prevalent. We then assessed associations with scores from two prominent open-source filters, SpamAssassin and Rspamd, using multilinear regression. Our comparative regression analysis revealed highly filter-dependent impacts: the models explained 48.6% (SpamAssassin) and 32.7% (Rspamd) of score variance. While ‘Base64 Encoding’ was associated with score reduction for both filters, other techniques showed contrasting effects. For instance, ‘Text in Image’ was linked to lower scores in SpamAssassin but higher scores in Rspamd, while ‘Invalid HTML‘ was penalized by SpamAssassin but had no significant effect on Rspamd.