
Using neural networks to process forensics and generate threat intelligence information

Patent number
US11888895B2
Publication date
2024-01-30
Applicant
Proofpoint, Inc.(US CA Sunnyvale)
Inventors
Zachary Mitchell Abzug; Kevin Patrick Blissett; Brian Sanford Jones
IPC classification
G06F7/04; H04L9/40; G06N3/08; G06N3/045
Technical field
campaign,platform,neural,or,may,forensics,threat,compromise,networks,threats
Region: CA CA Sunnyvale

Abstract

Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachment. The computing platform may apply a clustering algorithm to cluster each message attachment based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments correspond to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.

Description

In some instances, in inputting this information and/or message metadata into the one or more neural networks, the campaign identification platform 110 may input unordered data of variable sizes. For example, the campaign identification platform 110 may input data corresponding to a first attachment that has five associated features and a second attachment that has three associated features. Typically, neural networks may be applied to fixed representations or sequences of data. One or more aspects of the disclosure provide a solution that overcomes this constraint, however, and these aspects enable successful analysis of unordered and variable data by neural networks. For example, such aspects of the disclosure enable processing of unordered data of variable size as opposed to merely data of a fixed sequence or representation.

Referring to FIG. 2C, at step 213, the campaign identification platform 110 may use a clustering algorithm to cluster the numerical representations output by the one or more neural networks. For example, the campaign identification platform 110 may cluster the numerical representations to produce clusters of forensics data and/or message metadata corresponding to groups of related threats and/or potential campaigns. Additionally or alternatively, the campaign identification platform 110 may cluster the numerical representations related to a particular attachment or URL together. In some instances, the campaign identification platform 110 may use a clustering algorithm such as connectivity based clustering, centroid based clustering, distribution based clustering, density based clustering, grid based clustering, and/or other clustering techniques.
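An added example, not taken from the patent: one common way to feed unordered, variable-size feature sets to a model is to embed each feature independently and pool the results into a fixed-dimension vector, which can then be clustered and mined for shared features. The hashed one-hot embedding (an untrained stand-in for a learned layer), the mean pooling, the cosine distance, the `eps` threshold and every sample feature below are assumptions constructed for illustration.

```python
import hashlib, math

def embed(feature):
    """Per-feature step: hashed one-hot index (untrained stand-in for a learned layer)."""
    return int.from_bytes(hashlib.sha256(feature.encode()).digest()[:4], "big")

def encode(features):
    """Mean-pool the per-feature embeddings: same vector for any order or set size."""
    idx = [embed(f) for f in features]
    return {i: idx.count(i) / len(idx) for i in idx}

def cosine_distance(u, v):
    dot = sum(w * v.get(i, 0.0) for i, w in u.items())
    norm = math.sqrt(sum(w * w for w in u.values()) * sum(w * w for w in v.values()))
    return 1.0 - dot / norm if norm else 1.0  # an empty feature set matches nothing

def cluster(vectors, eps=0.5):
    """Connectivity-based clustering: merge the labels of any pair within eps."""
    labels = list(range(len(vectors)))  # every vector starts as its own cluster
    for i in range(len(vectors)):
        for j in range(i):
            if labels[i] != labels[j] and cosine_distance(vectors[i], vectors[j]) <= eps:
                old, new = labels[i], labels[j]
                labels = [new if l == old else l for l in labels]
    return labels

def shared_indicators(samples, labels):
    """Features present in every member of a multi-member cluster (candidate IoCs)."""
    groups = {}
    for sample, label in zip(samples, labels):
        groups.setdefault(label, []).append(set(sample))
    return {l: set.intersection(*g) for l, g in groups.items() if len(g) > 1}

SAMPLES = [  # constructed forensic feature sets of different sizes and orderings
    ["macro:AutoOpen", "url_host:files.example.test", "dropped:update.dll",
     "proc:rundll32.exe", "mutex:mx-constructed-01"],
    ["url_host:login.example.invalid", "form:credential-post", "redirect_count:3"],
    ["dropped:update.dll", "proc:rundll32.exe", "url_host:files.example.test"],
    ["macro:AutoOpen", "proc:powershell.exe"],
    ["form:credential-post", "redirect_count:3", "url_host:login.example.invalid",
     "page_title:Sign in"],
]

if __name__ == "__main__":
    labels = cluster([encode(s) for s in SAMPLES])
    print(labels, shared_indicators(SAMPLES, labels))
```

With these constructed inputs the five-feature and three-feature attachments fall into one cluster and their three common features come back as candidate indicators, while the fourth sample, which shares only `macro:AutoOpen` with the first, stays in a cluster of its own.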

Claims

1