"our detector extracts the feature vector for that URL"
You mean the parameters of the URL?
So in English they set up a lookup table keyed on the URL (can you say "pearl script"?) and every time the NIDS reported a wrong 'un it checked to see if they were going there and if the parameters looked sus enough to suggest the back end of a phishing attack, i.e. the start of malware coming in.
Obfuscation in academic papers can be down to a) Too long in academia b) English not a first language c) BS detected.
I'll note (from the abstract) they did detect a spear phishing attack their test enterprise had not even previously noticed and their workload was 1/9 of other systems. And as they note it can be circumvented by going to HTTPS, which in a less trusting internet should be SOP. That said, you should have no expectation of privacy on a job PC. It's not yours. It's theirs.
However since this is not my thing I'll leave the other 19 pages till I have nothing better to do.
But my first thought was "Doesn't a company this big reconcile the from line with actual email addresses (at least internally)? Don't they disable outgoing links unless they are whitelisted?"