D-Fence: A Flexible, Efficient, and Comprehensive Phishing Email Detection System

2021 
Phishing continues to be a major security concern for organizations around the globe. Past works proposed classifiers to detect phishing emails; however many of them are based on rules, whereas others are typically standalone models focusing on one specific component of emails (say, URL strings). In this work, we take a different approach and propose a multi-modular and comprehensive phishing email detection system, called D-Fence. The different modules of D-Fence — structure module, text module, and URL module — detect phishing attempts in different components of an email. This allows D-Fence to cover larger attack surfaces while also offering flexible (model) configurations with reduced computational overhead. We carry out experiments on a large-scale real-world email dataset comprising mails from multiple enterprises. Our evaluations demonstrate the effectiveness of D-Fence in detecting phishing emails that do not have malicious intentions manifesting in all email components; D-Fence achieves a high recall of 0.99 at a low false-positive rate of 1 in 10K. Furthermore, we perform systematic evaluations to find and evaluate cost-efficient model configurations for D-Fence; the results reveal that D-Fence maintains high detection capability while bringing significant savings in computational time.