How Phishing Detection Works, Read Through Cloudflare and Forcepoint Patents

Phishing remains the most common front door for attackers because it targets people, not systems. Detection has had to evolve well past the old approach of maintaining a blocklist of bad URLs — by the time a phishing link is on a blocklist, the campaign has usually moved on.

Two granted patents show the modern mechanism. Cloudflare's US12452303B2, "Phishing email campaign identification" (issued October 21, 2025; CPC H04L 63/1483 — phishing protection), describes recognizing a coordinated campaign rather than one message at a time. Forcepoint's US11924245B2, "Message phishing detection using machine learning characterization" (issued March 5, 2024), describes using ML to characterize whether a message is phishing. Read them at US12452303B2 and US11924245B2.

The way this actually works is characterize-then-cluster. First, characterize a single message: its language, its links, its sender reputation, its structural features — the Forcepoint grant's ML approach learns these signals rather than hand-coding them. Then, recognize the campaign: the Cloudflare grant's contribution is spotting that many superficially different messages belong to the same coordinated attack, which lets a defender neutralize the whole wave at once instead of playing whack-a-mole with individual emails.

One analogy, then gone: blocklisting was memorizing the faces of known con artists; ML characterization is learning what a con sounds like; campaign identification is realizing that fifty slightly different letters in the mailroom are all the same scam, sent by the same operation.

Why this is a business story: email security is a mature, crowded market that keeps getting re-energized by exactly this kind of capability jump. Each time attackers adapt — to AI-generated lures, to campaign rotation — defenders need a new detection layer, and that recurring need is what sustains the category's spending. The shift from URL blocklists to ML campaign detection is the sort of step-change that lets a vendor justify a platform upsell.

The grounded caveat: phishing detection is an adversarial problem, and attackers tune their lures specifically to evade classifiers. A patent describes a detection method, not its catch rate against tomorrow's campaign. But the mechanism the grants name — characterize the message, then recognize the campaign — is the durable shape of modern anti-phishing.