Referring to FIG. 2D, at step 218, the enterprise user device 140 may receive a user input. For example, a user (i.e., a cybersecurity analyst, information technology specialist, and/or other employee performing network security analysis), may interact with the indicators of compromise interface. In some instances, in receiving the user input, the enterprise user device 140 may receive input information indicating that a particular attachment and/or URL should be flagged for further analysis, identifying other attachments and/or URLs for further analysis, providing feedback (e.g., indicating whether or not an attachment and/or URL was correctly identified as compromised), indicating that information is incorrectly clustered, indicating that a particular indicator of compromise should be filtered out in the future (e.g., because it is a generic indicator of compromise) and/or other input information.

At step 219, the enterprise user device 140 may send user interaction information (e.g., based on the user input received at step 218) to the campaign identification platform 110. At step 220, the campaign identification platform 110 may receive the user interaction information sent at step 219.

At step 221, the campaign identification platform 110 may retrain the one or more neural networks based on the user interaction information received at step 220. For example, the campaign identification platform 110 may relabel clustered information and/or message metadata in the one or more neural networks based on feedback and/or other information received at step 220.