Spear phishing is the hard case of email security because the attack is designed to look exactly like legitimate correspondence. There's no malicious attachment to scan, no obviously bad link — just a message that appears to come from a colleague or executive, asking for a wire transfer or a password reset. The whole attack rests on impersonation, and impersonation is precisely what a content scanner is bad at catching.
The grant US11019079B2, "Detection of email spoofing and spear phishing attacks" (issued May 25, 2021, assigned to Vade Secure Inc.), focuses on the impersonation itself. Its CPC classifications combine the phishing class H04L 63/1483 with the intrusion-detection classes H04L 63/1416 and H04L 63/1433 and the email classes H04L 51/00 and H04L 51/12 — a system that reasons about whether a message really comes from whom it claims to.
"A computer-implemented method of detecting an email spoofing and spear phishing attack may comprise generating a contact model of a sender of emails; determining, by a hardware processor, a statistical dispersion of the generated contact model that is indicative of a spread of a distribution of data…" (U.S. Patent No. 11,019,079)
The mechanism worth understanding is the gap between claimed identity and actual signals. A spoofed or spear-phishing email asserts an identity in its headers and display name, but the underlying routing, sending infrastructure, and behavioral fingerprint often tell a different story. The detection looks for that mismatch — the message says it's from the CFO, but everything about how it arrived says otherwise.
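To make the claimed-identity-versus-actual-signals idea concrete, here is an added example (not the patent's method and not Vade's code) that builds a per-sender contact model from constructed header history, measures how tightly each sender's address and relay history is clustered, and scores a new message that reuses a known display name but arrives from an unseen address or relay. The history records, the field set (display name, sender address, relay host) and the simple dispersion measure are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sender history as a mail gateway might log it: display name,
# sender address, and the relay host that handed the message in. Not real traffic.
HISTORY = [
    ("Dana Lee", "dana.lee@corp.example", "mx1.corp.example"),
    ("Dana Lee", "dana.lee@corp.example", "mx1.corp.example"),
    ("Dana Lee", "dana.lee@corp.example", "mx2.corp.example"),
    ("Dana Lee", "dana.lee@corp.example", "mx1.corp.example"),
    ("Sam Ortiz", "sam@partner.example", "smtp.partner.example"),
    ("Sam Ortiz", "sam@mailbox.example", "out.mailbox.example"),
    ("Sam Ortiz", "sam@partner.example", "smtp.partner.example"),
]

def build_contact_model(history):
    """Per display name (case-folded): how often each address and relay was seen."""
    model = defaultdict(lambda: {"addr": Counter(), "relay": Counter()})
    for name, addr, relay in history:
        key = name.casefold()
        model[key]["addr"][addr.casefold()] += 1
        model[key]["relay"][relay.casefold()] += 1
    return model

def dispersion(counter):
    """Spread of one feature's distribution: 0.0 when every prior message agreed,
    rising toward 1.0 as the observed values scatter (a deliberately simple measure)."""
    total = sum(counter.values())
    return 1.0 - max(counter.values()) / total

def score_message(model, name, addr, relay):
    """Return (score, reasons). 0.0 for an unknown display name or a consistent
    sender; higher when a known display name arrives via an unseen address or
    relay. Tighter history (low dispersion) makes a deviation weigh more."""
    contact = model.get(name.casefold())
    if contact is None:
        return 0.0, ["no history for display name"]
    score, reasons = 0.0, []
    for feature, value in (("addr", addr), ("relay", relay)):
        seen = contact[feature]
        if value.casefold() not in seen:
            weight = 1.0 - dispersion(seen)
            score += weight
            reasons.append(f"unseen {feature} {value!r} (weight {weight:.2f})")
    return round(score, 2), reasons

if __name__ == "__main__":
    model = build_contact_model(HISTORY)
    # A message claiming to be Dana Lee but sent from a webmail-style address.
    print(score_message(model, "Dana Lee", "dana.lee@freemail.example", "out.freemail.example"))
```

Sam Ortiz, who already mails from two addresses, gets a lower weight per deviation than Dana Lee, whose history never varies; that is the dispersion term doing its work.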
For defenders, the practical takeaway is that the most dangerous phishing doesn't trip the filters that catch bulk spam. It's low-volume, highly targeted, and crafted to pass content checks. Defending against it requires reasoning about sender authenticity, not message content, which is a fundamentally different analysis.
The patent reflects a broader truth about email security: the attacks that cause the largest financial losses — business email compromise, executive impersonation — are social-engineering attacks dressed as ordinary mail. Catching them means the defense has to model trust and identity, the very things the attacker is exploiting, rather than just scanning for malware.