{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T13:25:13Z","timestamp":1767705913038,"version":"3.44.0"},"publisher-location":"Cham","reference-count":56,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031859595"},{"type":"electronic","value":"9783031859601"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-85960-1_18","type":"book-chapter","created":{"date-parts":[[2025,3,6]],"date-time":"2025-03-06T07:23:52Z","timestamp":1741245832000},"page":"437-466","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Characterizing the\u00a0Networks Sending Enterprise Phishing Emails"],"prefix":"10.1007","author":[{"given":"Elisa","family":"Luo","sequence":"first","affiliation":[]},{"given":"Liane","family":"Young","sequence":"additional","affiliation":[]},{"given":"Grant","family":"Ho","sequence":"additional","affiliation":[]},{"given":"M. H.","family":"Afifi","sequence":"additional","affiliation":[]},{"given":"Marco","family":"Schweighauser","sequence":"additional","affiliation":[]},{"given":"Ethan","family":"Katz-Bassett","sequence":"additional","affiliation":[]},{"given":"Asaf","family":"Cidon","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,7]]},"reference":[{"issue":"2","key":"18_CR1","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1109\/MSEC.2019.2940952","volume":"18","author":"L Allodi","year":"2019","unstructured":"Allodi, L., Chotza, T., Panina, E., Zannone, N.: The need for new antiphishing measures against spear-phishing attacks. IEEE Secu. Priv. 18(2), 23\u201334 (2019)","journal-title":"IEEE Secu. Priv."},{"key":"18_CR2","unstructured":"AWS IP address ranges (2021). https:\/\/docs.aws.amazon.com\/general\/latest\/gr\/aws-ip-ranges.html"},{"key":"18_CR3","unstructured":"Bergholz, A., Chang, J.H., Paass, G., Reichartz, F., Strobel, S.: Improved phishing detection using model-based features. In: CEAS (2008)"},{"key":"18_CR4","doi-asserted-by":"crossref","unstructured":"Bitaab, M., et al.: Scam pandemic: how attackers exploit public fear through phishing. In: Symposium on Electronic Crime Research (eCrime) (2020)","DOI":"10.1109\/eCrime51433.2020.9493260"},{"key":"18_CR5","unstructured":"Browne, R.: Hackers behind Colonial Pipeline attack reportedly received \\$90 million in bitcoin before shutting down (2021). https:\/\/www.cnbc.com\/2021\/05\/18\/colonial-pipeline-hackers-darkside-received-90-million-in-bitcoin.html"},{"key":"18_CR6","unstructured":"CAIDA AS classification (2020) https:\/\/www.caida.org\/catalog\/datasets\/as-classification\/. Accessed 9 Dec 2020"},{"key":"18_CR7","unstructured":"Cidon, A., Gavish, L., Bleier, I., Korshun, N., Schweighauser, M., Tsitkin, A.: High precision detection of business email compromise. In: USENIX Security Symposium (2019)"},{"key":"18_CR8","unstructured":"Cymru, T.: IP to ASN Mapping Service. https:\/\/team-cymru.com\/community-services\/ip-asn-mapping\/"},{"key":"18_CR9","doi-asserted-by":"crossref","unstructured":"Czybik, S., Horlboge, M., Rieck, K.: Lazy gatekeepers: a large-scale study on SPF configuration in the wild. In: ACM Internet Measurement Conference (IMC) (2023)","DOI":"10.1145\/3618257.3624827"},{"key":"18_CR10","doi-asserted-by":"crossref","unstructured":"Duman, S., Kalkan-Cakmakci, K., Egele, M., Robertson, W., Kirda, E.: EmailProfiler: spearphishing filtering with header and stylometric features of emails. In: COMPSAC (2016)","DOI":"10.1109\/COMPSAC.2016.105"},{"key":"18_CR11","unstructured":"FBI: Business Email Compromise The \\$26 Billion Scam (2019). https:\/\/www.ic3.gov\/Media\/Y2019\/PSA190910"},{"key":"18_CR12","doi-asserted-by":"crossref","unstructured":"Fukushi, N., Chiba, D., Akiyama, M., Uchida, M.: A comprehensive measurement of cloud service abuse. J. Inf. Process. 29 (2021)","DOI":"10.2197\/ipsjjip.29.93"},{"key":"18_CR13","doi-asserted-by":"crossref","unstructured":"Garera, S., Provos, N., Chew, M., Rubin, A.D.: A framework for detection and measurement of phishing attacks. In: ACM Workshop on Recurring Malcode (2007)","DOI":"10.1145\/1314389.1314391"},{"key":"18_CR14","doi-asserted-by":"crossref","unstructured":"Gascon, H., Ullrich, S., Stritter, B., Rieck, K.: Reading between the lines: content-agnostic detection of spear-phishing emails. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) Research in Attacks, Intrusions, and Defenses (2018)","DOI":"10.1007\/978-3-030-00470-5_4"},{"key":"18_CR15","unstructured":"Google: Gmail sending limits in Google Workspace. https:\/\/support.google.com\/a\/answer\/166852\/gmail-sending-limits-in-google-workspace?hl=en"},{"key":"18_CR16","doi-asserted-by":"crossref","unstructured":"Han, X., Kheir, N., Balzarotti, D.: PhishEye: live monitoring of sandboxed phishing kits. In: ACM CCS (2016)","DOI":"10.1145\/2976749.2978330"},{"key":"18_CR17","unstructured":"Hao, S., Syed, N.A., Feamster, N., Gray, A.G., Krasser, S.: Detecting spammers with snare: Spatio-temporal network-level automatic reputation engine. In: USENIX Security Symposium, vol.\u00a09 (2009)"},{"key":"18_CR18","unstructured":"Ho, G., et al.: Detecting and characterizing lateral phishing at scale. In: USENIX Security Symposium (2019)"},{"key":"18_CR19","unstructured":"Ho, G., Sharma, A., Javed, M., Paxson, V., Wagner, D.: Detecting credential spearphishing in enterprise settings. In: USENIX Security Symposium (2017)"},{"key":"18_CR20","unstructured":"John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying spamming botnets using botlab. In: NSDI, vol.\u00a09 (2009)"},{"issue":"4","key":"18_CR21","doi-asserted-by":"publisher","first-page":"2091","DOI":"10.1109\/SURV.2013.032213.00009","volume":"15","author":"M Khonji","year":"2013","unstructured":"Khonji, M., Iraqi, Y., Jones, A.: Phishing detection: a literature survey. IEEE Commun. Surv. Tutorials 15(4), 2091\u20132121 (2013)","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"18_CR22","unstructured":"Learn, S.: Decision Trees: Mathematical Formulation. https:\/\/scikit-learn.org\/stable\/modules\/tree.html#tree-mathematical-formulation"},{"key":"18_CR23","unstructured":"Li, V.G., Dunn, M., Pearce, P., McCoy, D., Voelker, G.M., Savage, S.: Reading the tea leaves: a comparative analysis of threat intelligence. In: USENIX Security Symposium (2019)"},{"key":"18_CR24","doi-asserted-by":"crossref","unstructured":"Livadariu, I., et al.: On the accuracy of country-level IP geolocation. In: ANRW 2020: Proceedings of the Applied Networking Research Workshop, pp. 67\u201373 (2020)","DOI":"10.1145\/3404868.3406664"},{"key":"18_CR25","doi-asserted-by":"crossref","unstructured":"Lumezanu, C., Feamster, N.: Observing common spam in twitter and email. In: Proceedings of the 2012 Internet Measurement Conference, pp. 461\u2013466 (2012)","DOI":"10.1145\/2398776.2398824"},{"key":"18_CR26","doi-asserted-by":"crossref","unstructured":"Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: ACM Conference on Knowledge Discovery and Data Mining (KDD) (2009)","DOI":"10.1145\/1557019.1557153"},{"key":"18_CR27","unstructured":"Maxmind database (2021). queried the geolite2 database. https:\/\/dev.maxmind.com\/geoip\/geolite2-free-geolocation-data"},{"key":"18_CR28","doi-asserted-by":"crossref","unstructured":"Medvet, E., Kirda, E., Kruegel, C.: Visual-similarity-based phishing detection. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, pp.\u00a01\u20136 (2008)","DOI":"10.1145\/1460877.1460905"},{"key":"18_CR29","unstructured":"Microsoft: Azure public IP prefixes (2021). https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/public-ip-address-prefix"},{"key":"18_CR30","unstructured":"Microsoft: Office 365 URLs and IP address ranges (2021). https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/enterprise\/urls-and-ip-address-ranges?view=o365-worldwide"},{"key":"18_CR31","unstructured":"Noroozian, A., et al.: Platforms in everything: analyzing ground-truth data on the anatomy and economics of bullet-proof hosting. In: USENIX Security Symposium, pp. 1341\u20131356 (2019)"},{"key":"18_CR32","unstructured":"Oest, A., et al.: PhishTime: continuous longitudinal measurement of the effectiveness of anti-phishing blacklists. In: USENIX Security Symposium (USENIX) (2020)"},{"key":"18_CR33","unstructured":"Oest, A., et al.: Sunrise to sunset: analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. In: USENIX Security Symposium (USENIX) (2020)"},{"key":"18_CR34","unstructured":"Peering DB (2021). https:\/\/www.peeringdb.com\/"},{"key":"18_CR35","unstructured":"Perlroth, N.: Hackers are targeting nuclear facilities, homeland security dept. and F.B.I. say (2017). https:\/\/www.nytimes.com\/2017\/07\/06\/technology\/nuclear-plant-hack-report.html"},{"key":"18_CR36","doi-asserted-by":"crossref","unstructured":"Poese, I., Uhlig, S., Ali\u00a0Kaafar, M., Donnet, B., Gueye, B.: IP geolocation databases: unreliable? In: SIGCOMM CCR, vol.\u00a041 (2011)","DOI":"10.1145\/1971162.1971171"},{"key":"18_CR37","doi-asserted-by":"crossref","unstructured":"Prakash, P., Kumar, M., Kompella, R.R., Gupta, M.: Phishnet: predictive blacklisting to detect phishing attacks. In: IEEE INFOCOM (2010)","DOI":"10.1109\/INFCOM.2010.5462216"},{"key":"18_CR38","unstructured":"Qian, Z., Mao, Z.M., Xie, Y., Yu, F.: On network-level clusters for spam detection. In: NDSS (2010)"},{"key":"18_CR39","doi-asserted-by":"crossref","unstructured":"Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 291\u2013302 (2006)","DOI":"10.1145\/1159913.1159947"},{"key":"18_CR40","unstructured":"Security, H.N.: Only 14% of domains worldwide truly protected from spoofing with DMARC enforcement. https:\/\/www.helpnetsecurity.com\/2021\/03\/23\/domains-protected-dmarc\/"},{"key":"18_CR41","unstructured":"Shah, N., Ho, G., Schweighauser, M., Afifi, M.H., Cidon, A., Wagner, D.A.: A large-scale analysis of attacker activity in compromised enterprise accounts. CoRR abs\/2007.14030 (2020). https:\/\/arxiv.org\/abs\/2007.14030"},{"key":"18_CR42","unstructured":"Sheng, S., Wardman, B., Warner, G., Cranor, L., Hong, J., Zhang, C.: An empirical analysis of phishing blacklists (2009)"},{"key":"18_CR43","unstructured":"Silva, R.D., Nabeel, M., Elvitigala, C., Khalil, I., Yu, T., Keppitiyagama, C.: Compromised or attacker-owned: a large scale classification and study of hosting domains of malicious URLs. In: USENIX Security Symposium (USENIX) (2021)"},{"key":"18_CR44","doi-asserted-by":"crossref","unstructured":"Simoiu, C., Zand, A., Thomas, K., Bursztein, E.: Who is targeted by email-based phishing and malware? Measuring factors that differentiate risk. In: Proceedings of the ACM Internet Measurement Conference, pp. 567\u2013576 (2020)","DOI":"10.1145\/3419394.3423617"},{"key":"18_CR45","unstructured":"SpamAssasin AutoWhitelist. https:\/\/cwiki.apache.org\/confluence\/display\/SPAMASSASSIN\/AutoWhitelist"},{"key":"18_CR46","doi-asserted-by":"crossref","unstructured":"Stone-Gross, B., Kruegel, C., Almeroth, K., Moser, A., Kirda, E.: Fire: finding rogue networks. In: Annual Computer Security Applications Conference (2009)","DOI":"10.1109\/ACSAC.2009.29"},{"key":"18_CR47","doi-asserted-by":"crossref","unstructured":"Stringhini, G., Thonnard, O.: That ain\u2019t you: blocking spearphishing through behavioral modelling. In: DIMVA (2015)","DOI":"10.1007\/978-3-319-20550-2_5"},{"key":"18_CR48","doi-asserted-by":"crossref","unstructured":"Sun, Z., et al.: From victims to defenders: an exploration of the phishing attack reporting ecosystem. In: International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) (2024)","DOI":"10.1145\/3678890.3678926"},{"key":"18_CR49","doi-asserted-by":"crossref","unstructured":"Thomas, K., et al.: Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In: ACM CCS (2017)","DOI":"10.1145\/3133956.3134067"},{"key":"18_CR50","doi-asserted-by":"crossref","unstructured":"Tian, K., Jan, S.T., Hu, H., Yao, D., Wang, G.: Needle in a haystack: tracking down elite phishing domains in the wild. In: ACM Internet Measurement Conference (IMC) (2018)","DOI":"10.1145\/3278532.3278569"},{"key":"18_CR51","unstructured":"Vaas, L.: How hackers broke into John Podesta, DNC Gmail accounts (2016). https:\/\/nakedsecurity.sophos.com\/2016\/10\/25\/how-hackers-broke-into-john-podesta-dnc-gmail-accounts\/"},{"key":"18_CR52","unstructured":"Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: NDSS (2010)"},{"issue":"4","key":"18_CR53","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1145\/1402946.1402979","volume":"38","author":"Y Xie","year":"2008","unstructured":"Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: signatures and characteristics. ACM SIGCOMM Comput. Commun. Rev. 38(4), 171\u2013182 (2008)","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"18_CR54","doi-asserted-by":"crossref","unstructured":"Yardi, S., Romero, D., Schoenebeck, G., Boyd, D.: Detecting spam in a Twitter network. First Monday (2010)","DOI":"10.5210\/fm.v15i1.2793"},{"key":"18_CR55","doi-asserted-by":"crossref","unstructured":"Zhang, P., et al.: CrawlPhish: large-scale analysis of client-side cloaking techniques in phishing. In: IEEE Symposium on Security and Privacy (S &P) (2021)","DOI":"10.1109\/SP40001.2021.00021"},{"key":"18_CR56","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Hong, J.I., Cranor, L.F.: Cantina: a content-based approach to detecting phishing web sites. In: International Conference on World Wide Web (WWW) (2007)","DOI":"10.1145\/1242572.1242659"}],"container-title":["Lecture Notes in Computer Science","Passive and Active Measurement"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-85960-1_18","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,6]],"date-time":"2025-09-06T08:54:15Z","timestamp":1757148855000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-85960-1_18"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783031859595","9783031859601"],"references-count":56,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-85960-1_18","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"7 March 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"PAM","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Passive and Active Network Measurement","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 March 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 March 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"pam2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/udesa.edu.ar\/pam25","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}