As a particular example, the campaign identification platform 110 may identify that, for a particular attachment-based cluster, a URL is known to host malicious content. Additionally or alternatively, the campaign identification platform 110 may identify that a sender, IP address, organization, country, and/or combination thereof is known to be a source of malicious content. Identifying these indicators of compromise may be useful (e.g., to a threat researcher or other cybersecurity analyst) in further researching a threat corresponding to this particular cluster. As an additional example, the campaign identification platform 110 may identify information about messages used to deliver threats, and may cluster the information and/or message metadata accordingly (e.g., based on a sender, IP address, organization name, country, and/or other data).
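The following added sketch (not code from this document or from any product it describes) illustrates the indicator identification described above: it checks one cluster's message metadata against known-bad values, including field combinations, and sub-clusters the metadata by chosen fields. The record layout, the `KNOWN_BAD` data, and the function names are assumptions, and all sample values are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: metadata for messages already placed in one attachment-based cluster.
CLUSTER = [
    {"sender": "billing@mail.example", "ip": "198.51.100.7", "org": "ExampleNet",
     "country": "NL", "urls": ["http://files.example/inv.zip"]},
    {"sender": "billing@mail.example", "ip": "198.51.100.9", "org": "ExampleNet",
     "country": "NL", "urls": ["http://files.example/inv.zip"]},
    {"sender": "hr@corp.example", "ip": "203.0.113.20", "org": "OtherNet",
     "country": "US", "urls": ["http://intranet.example/policy"]},
]

# Constructed reputation data (assumption). Keys are field tuples, so a combination
# such as (org, country) can be known-bad even when neither field is listed alone.
KNOWN_BAD = {
    ("url",): {("http://files.example/inv.zip",)},
    ("ip",): {("198.51.100.7",)},
    ("org", "country"): {("ExampleNet", "NL")},
}

def _values(msg, fields):
    """Yield the value tuples one message contributes for the given fields."""
    if fields == ("url",):
        for url in msg["urls"]:
            yield (url,)
    else:
        yield tuple(msg[f] for f in fields)

def identify_iocs(cluster, known_bad):
    """Return {fields: Counter(value_tuple -> message count)} for known-bad hits."""
    hits = defaultdict(Counter)
    for msg in cluster:
        for fields, bad in known_bad.items():
            for value in set(_values(msg, fields)):  # count each message once
                if value in bad:
                    hits[fields][value] += 1
    return dict(hits)

def group_metadata(cluster, fields):
    """Sub-cluster message indexes by a field combination, e.g. (sender,)."""
    groups = defaultdict(list)
    for index, msg in enumerate(cluster):
        groups[tuple(msg[f] for f in fields)].append(index)
    return dict(groups)

if __name__ == "__main__":
    for fields, counter in identify_iocs(CLUSTER, KNOWN_BAD).items():
        for value, count in counter.items():
            print("+".join(fields), value, f"seen in {count} message(s)")
```

The per-indicator message counts give an analyst a quick sense of how much of the cluster each indicator explains.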
At step 215, the campaign identification platform 110 may send indicators of compromise information to the enterprise user device 140 (e.g., based on the indicators of compromise identified at step 214). In some instances, the campaign identification platform 110 may also send one or more commands directing the enterprise user device 140 to display an indicators of compromise interface based on the indicators of compromise, which may cause the enterprise user device 140 to generate and/or display an indicators of compromise interface based on the indicators of compromise information.