Abstract: Spear phishing is a widespread concern in the modern network security landscape, but there are few metrics that measure the extent to which reconnaissance is performed on phishing targets. Spear phishing emails closely match the expectations of the recipient, based on details of their experiences and interests, making them a popular propagation vector for harmful malware. In this work we use Natural Language Processing techniques to investigate a specific real-world phishing campaign and quantify attributes that indicate a targeted spear phishing attack. Our phishing campaign data sample comprises 596 emails, all containing a web bug and a Curriculum Vitae (CV) PDF attachment, sent to our institution by a foreign IP space. The campaign was found to exclusively target specific demographics within our institution. Performing a semantic similarity analysis between the senders' CV attachments and the recipients' LinkedIn profiles, we conclude with high statistical certainty ($p < 10^{-4}$) that the attachments contain targeted rather than randomly selected material. Latent Semantic Analysis further demonstrates that individuals who were a primary focus of the campaign received CVs that are highly topically clustered. These findings differentiate this campaign from one that leverages random spam.

Spear phishing has grown to be the predominant vector used to compromise an organization [1]. Federally Funded Research and Development Centers (FFRDCs) and University Affiliated Research Centers (UARCs) have seen an uptick in a specific form of phishing attempt in which résumés or Curriculum Vitae (CVs) are sent directly to researchers by supposed job candidates. Over the last few years MIT Lincoln Laboratory has become interested in one such campaign originating from a foreign IP space. On the surface, these messages are job applications from seemingly distinguished researchers, and each email contains a cover letter and CV.
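The abstract's question, whether CVs were matched to recipients or assigned at random, can be framed as a permutation test. The following is an added example, not the authors' code or method: TF-IDF cosine similarity stands in for their semantic similarity measure, and the text pairs, function names and parameters are constructed for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample data: (CV text, recipient profile text) as delivered.
PAIRS = [
    ("research radar signal processing antenna arrays", "radar antenna engineer signal processing research"),
    ("research speech recognition acoustic language models", "speech recognition scientist language models research"),
    ("research malware reverse engineering binary analysis", "malware analysis binary reverse engineering research"),
    ("research laser optics photonic sensors", "optics photonic laser research staff"),
    ("research satellite orbit propulsion control", "satellite propulsion orbit research lead"),
    ("research cryptography lattice key exchange", "cryptography research lattice protocols"),
]

def tfidf_vectors(docs):
    """Sparse TF-IDF vector (term -> weight) for each document."""
    counts = [Counter(d.lower().split()) for d in docs]
    df = Counter(t for c in counts for t in c)
    n = len(docs)
    return [{t: tf * math.log((1 + n) / (1 + df[t])) for t, tf in c.items()} for c in counts]

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def pairing_p_value(pairs, trials=10000, seed=0):
    """Mean CV-to-recipient similarity and its one-sided permutation p-value."""
    n = len(pairs)
    vecs = tfidf_vectors([cv for cv, _ in pairs] + [p for _, p in pairs])
    sim = [[cosine(vecs[i], vecs[n + j]) for j in range(n)] for i in range(n)]
    observed = sum(sim[i][i] for i in range(n)) / n
    rng, order, hits = random.Random(seed), list(range(n)), 0
    for _ in range(trials):
        rng.shuffle(order)  # null hypothesis: CVs assigned to recipients at random
        if sum(sim[i][order[i]] for i in range(n)) / n >= observed:
            hits += 1
    return observed, (hits + 1) / (trials + 1)

if __name__ == "__main__":
    print(pairing_p_value(PAIRS))
```

A small p-value means the delivered pairing is more similar than random reassignment would produce, which is the signature of reconnaissance rather than bulk spam.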
While it is certainly unusual that our institution, which hires exclusively US citizens, would receive applications en masse from a foreign source, the main point of concern in these emails is a 1-pixel image containing a malicious link. This web bug suggests the individual or group behind these messages is acting in a purposefully adversarial manner.

If these emails are random spam (that is, if messages are sent randomly to targets without forethought), the situation poses little threat. However, the adversary may be directing specific CVs to specific recipients in order to maximize the probability that the target will respond to the message. If our organization is the target of such a spear phishing campaign, it implies the adversary is conducting reconnaissance on our colleagues in order to determine their research backgrounds or interests. Such foreign int...

This paper has been accepted for publication by the IEEE Conference on Communications and Network Security in September 2015 at Florence, Italy. Copyright may be transferred without notice, after which this version may no longer be accessible.