WO2021242687A1 - Computer-implemented methods and systems for pre-analysis of emails for threat detection - Google Patents


Info

Publication number
WO2021242687A1
Authority
WO
WIPO (PCT)
Prior art keywords
email
mailbox
user
remediation
folder
Application number
PCT/US2021/033885
Other languages
French (fr)
Inventor
Tyler BREAM
Raymond W. WALLACE
Kevin O'brien
James Luciani
Original Assignee
GreatHorn, Inc.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection


Abstract

Computer-implemented methods and systems are disclosed for detecting email security threats. The method includes the steps of: (a) discovering and retrieving an email received in a user's email mailbox, the email being automatically pushed into a pre-analysis folder in the email mailbox; (b) analyzing the email to detect security threats and to determine if remediation of the email is needed; (c) performing a remediation action on the email when remediation is determined to be needed in (b); and (d) releasing the email to an inbox folder of the user's mailbox when no remediation is determined to be needed in (b).

Description

COMPUTER-IMPLEMENTED METHODS AND SYSTEMS FOR PRE-ANALYSIS OF EMAILS FOR THREAT DETECTION
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority from U.S. Provisional Patent Application No. 63/031,164 filed on May 28, 2020 entitled COMPUTER-IMPLEMENTED METHODS AND SYSTEMS FOR PRE-ANALYSIS OF EMAILS FOR THREAT DETECTION, which is hereby incorporated by reference.
BACKGROUND
[0002] The present application relates generally to an email security system for analyzing incoming emails to detect security threats such as, e.g., phishing attempts, account take over, credential theft, and impersonation attacks.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] FIG. 1 is a simplified block diagram of an exemplary email system in accordance with one or more embodiments.
[0004] FIG. 2 is a block diagram illustrating an exemplary mailbox in accordance with one or more embodiments.
[0005] FIGS. 3-5 are flowcharts illustrating exemplary processes for analyzing emails in accordance with one or more embodiments.
BRIEF SUMMARY OF THE DISCLOSURE
[0006] In accordance with one or more embodiments, a computer-implemented method is disclosed for detecting email security threats. The method includes the steps of: (a) discovering and retrieving an email received in a user's email mailbox, the email being automatically pushed into a pre-analysis folder in the email mailbox; (b) analyzing the email to detect security threats and to determine if remediation of the email is needed; (c) performing a remediation action on the email when remediation is determined to be needed in (b); and (d) releasing the email to an inbox folder of the user's mailbox when no remediation is determined to be needed in (b).
[0007] In accordance with one or more embodiments, an email security system is disclosed. The system includes at least one processor, memory associated with the at least one processor, and a program supported in the memory. The program contains a plurality of instructions which, when executed by the at least one processor, cause the at least one processor to: (a) discover and retrieve an email received in a user's email mailbox, the email being automatically pushed into a pre-analysis folder in the email mailbox; (b) analyze the email to detect security threats and to determine if remediation of the email is needed; (c) perform a remediation action on the email when remediation is determined to be needed in (b); and (d) release the email to an inbox folder of the user's mailbox when no remediation is determined to be needed in (b).
DETAILED DESCRIPTION
[0008] FIG. 1 illustrates an exemplary email system in accordance with one or more embodiments. The system includes an email server system 10 and a plurality of client computers 12. Non-limiting examples of client computers 12 include personal computers (including desktop, notebook, and tablet computers) and smart phones (e.g., the Apple iPhone and Android-based smart phones). The client computers 12 use an email client application, e.g., Microsoft Outlook or Gmail client, to receive emails and to compose and send emails. The email server system 10 and the client computers 12 are connected by a network 14. The network 14 may comprise any network or combination of networks including, without limitation, the Internet, a local area network, a wide area network, a wireless network, and a cellular network.
[0009] The email server system 10 can comprise a cloud-based email service like, e.g., G Suite or Office 365. Alternatively, the email server system 10 can be an on-premises system. The email server system 10 includes a database for storing emails, and provides mailboxes for users. The email server system 10 and the email client applications allow users to receive emails and to compose and send emails. As depicted in FIG. 2, each mailbox 28 has a plurality of folders including, e.g., an inbox folder 30, a sent items folder 32, and a deleted items folder 34. In accordance with one or more embodiments, each user mailbox 28 also includes a pre-analysis folder 36 used for analyzing incoming emails for security threats by an email security system 16 as further discussed below.
[0010] The email security system 16 is preferably cloud-based and interacts with the email server system 10 to analyze incoming emails to the client computers 12 for security threats. As discussed below, the email security system 16 pulls emails off the email server system 10 from the user's pre-analysis folder, analyzes and remediates the emails, and places them back to reduce security threats for the client computers 12.
[0011] Various embodiments disclosed herein relate to pre-analysis of emails for security threats, i.e., analyzing emails after they have been delivered to the user's mailbox but preferably before they are visible to the user. Referring to FIG. 3, when the pre-analysis process 200 is turned on, all incoming emails for a user at step 202 are automatically funneled into a pre-analysis folder 36 in the user's mailbox 28 at step 204. (Otherwise, the analysis is performed on emails in the user's inbox 28.) The emails will remain in the pre-analysis folder 36 until they are analyzed by the email security system 16. Once analysis and any remediation at step 206 is completed by the email security system 16, the email is released at step 208, arriving at the user's inbox folder 30 or other final destination at step 210.
[0012] In the analysis phase, emails are analyzed to identify any anomalous, suspicious, or malicious patterns. Different elements of an email (e.g., body, header content, and metadata) are inspected to identify threat indicators based on both the built-in system policies as well as those configured by the organization admin. The analysis process determines if remediation is required and the appropriate remediation actions to take.
[0013] In the remediation phase, remediation actions are performed on anomalous, suspicious, or malicious items based on the analysis results and the organization's policies. Remediation actions can include things like adding a banner message, moving an email to a folder, or quarantining a message.
[0014] FIG. 4 depicts an exemplary analysis process 300 in accordance with one or more embodiments. The user's mailbox rules are configured to funnel all incoming emails 302 into a pre-analysis folder at step 304 when pre-analysis is enabled. The email service provider offers server-side rules that match as soon as an email arrives in the email server 10. The email security system 16 creates a rule that will push all new emails into the pre-analysis folder and stop all other filters (with certain possible exceptions) from working.
[0015] Once in the pre-analysis folder, the email security system 16 will discover the email from that folder at step 306 when pre-analysis is enabled. Then, the email will be analyzed at step 308 by the email security system 16 to detect security threats. During and after the analysis, the system determines what remediation action will take place. In one or more embodiments, the following different types of remediation actions are possible:
(1) The email is not deemed to be anomalous, suspicious, or malicious, and no action is taken at step 314 and the email is moved to its final destination. The final destination may be the user's inbox 316. Alternatively, the final destination can be another folder in the user's mailbox specified by filters configured for the mailbox. (The email security system 16 replicates the rule logic of the host email service because the rules in server 10 are turned off after the pre-analysis rule. This enables the email security system 16 to be much more creative and perform a higher level of service than what is offered in server 10.)
(2) An action is taken at step 310 and the email is moved at step 312 to its final destination. For instance, the email is bannered with a warning and then moved to its final destination folder (be it the inbox or another folder).
(3) A threat is detected at step 318, and an action is taken. For instance, the email is removed or quarantined at step 320.
[0016] In accordance with one or more embodiments, the email security system 16 uses various fail-safe measures to minimize disruption in the delivery of emails to users in the event of an operation failure.
[0017] The pre-analysis folders can be visible or hidden to users. If they are visible, a user can delete the folder unless the admin rules prevent deletion. In the event the user deletes the folder, analysis of emails continues, but the emails are initially delivered to the user's inbox folder. After a period of time, the pre-analysis folder is recreated and the process continues as before using the pre-analysis folder.
[0018] The email security system 16 implements a filter rule that operates on an email when it arrives at the end mailbox. This filter is created by the security system and causes the email to be initially placed in the pre-analysis folder rather than the inbox. A user could potentially open up the list of filters and then delete this rule. In the event this occurs, the system will recreate the rule.
[0019] FIG. 5 illustrates an exemplary process 400 of analyzing emails by the email security system 16 in accordance with one or more embodiments. The email security system 16 scans the pre-analysis folder of each mailbox at 402, and processes the discovered emails at 404. New emails and unanalyzed emails are analyzed at 404. In the event the analysis process in the security system fails, the system will repeat the process (for a given period of time) until the analysis has been completed.
[0020] In the event the security system fails to analyze an email for a prolonged period of time, the unanalyzed email is automatically moved (i.e., force released) into the inbox at 406 so that it is accessible by the user. The security system allows an admin to configure how much time must pass before an email is force released from the pre-analysis folder to the inbox.
[0021] In accordance with one or more embodiments, a monitoring system, the Mail Analytics and Statistics Collector (MAS Collector), is employed in the server 16, which monitors a subset of customer mailboxes by determining if the pre-analysis folder is displaying anomalous behavior. The MAS Collector statistically chooses a number of customer mailboxes on which to operate in order to minimize resource consumption. The number of applicable mailboxes and the rate at which such tests occur are configurable. Upon detecting potentially anomalous behavior, the MAS Collector transitions to a state wherein it performs a more comprehensive analysis of the foldering system associated with the customer. The types of anomalies under scrutiny by the MAS Collector include, but are not limited to, the number of emails in the pre-analysis folder at each moment in time and whether that number is growing or shrinking, as well as the maximum length of time that any given email resides within the pre-analysis folder while waiting to be remediated and moved. Should the MAS Collector detect a pathological condition, it will inform the flush mechanisms previously described as input to potentially make a decision to flush the customer mailboxes, and will alert an administrator to the fact that the condition has occurred and needs to be acted upon.
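To make the workflow of processes 300 and 400 concrete, the following is an added Python simulation, not code from the patent or from GreatHorn: a mailbox whose delivery rule lands new mail in the pre-analysis folder, a security system that applies the three remediation outcomes (clean, banner, quarantine), retries on analysis failure and force-releases after an admin-set deadline, and a MAS Collector that samples folder depth and maximum dwell time. The folder names, the sample detection policy, the thresholds and the sample messages are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
PRE_ANALYSIS, INBOX, QUARANTINE = "Pre-Analysis", "Inbox", "Quarantine"
ORG_DOMAIN = "example.com"  # constructed organisation domain

@dataclass
class Email:
    uid: str
    sender: str
    reply_to: str
    subject: str
    arrived_at: float  # simulated clock, seconds
    banner: Optional[str] = None  # warning text added as a remediation action

@dataclass
class Mailbox:
    folders: Dict[str, List[Email]] = field(
        default_factory=lambda: {PRE_ANALYSIS: [], INBOX: [], QUARANTINE: []})
    # The user's own filters; replicated by the security system because the host rules are bypassed.
    user_rules: List[Callable[[Email], Optional[str]]] = field(default_factory=list)

    def deliver(self, email: Email) -> None:
        # Server-side rule: new mail lands in the pre-analysis folder; if the user deleted it, in the inbox.
        self.folders[PRE_ANALYSIS if PRE_ANALYSIS in self.folders else INBOX].append(email)

    def move(self, email: Email, src: str, dest: str) -> None:
        self.folders[src].remove(email)
        self.folders.setdefault(dest, []).append(email)

    def final_destination(self, email: Email) -> str:
        return next((f for f in (rule(email) for rule in self.user_rules) if f), INBOX)

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def sample_policy(email: Email) -> str:
    # Constructed analysis policy; returns 'clean', 'banner' or 'quarantine'.
    external = domain(email.sender) != ORG_DOMAIN
    reply_mismatch = domain(email.reply_to) != domain(email.sender)
    lure = any(w in email.subject.lower() for w in ("password", "verify your account"))
    if external and reply_mismatch and lure:
        return "quarantine"
    return "banner" if external else "clean"

class EmailSecuritySystem:
    def __init__(self, analyze: Callable[[Email], str], force_release_after: float):
        self.analyze = analyze
        self.force_release_after = force_release_after  # admin-configurable deadline, seconds

    def scan(self, mbox: Mailbox, now: float) -> List[Tuple[str, str, str]]:
        """Process one mailbox's pre-analysis folder; returns (uid, action, folder) per message."""
        actions = []
        for email in list(mbox.folders[PRE_ANALYSIS]):
            try:
                verdict = self.analyze(email)
            except Exception:
                # Analysis failed: retry next scan, but force-release once the deadline has passed.
                if now - email.arrived_at >= self.force_release_after:
                    mbox.move(email, PRE_ANALYSIS, INBOX)
                    actions.append((email.uid, "force-released", INBOX))
                continue
            if verdict == "banner":
                email.banner = "Caution: this message came from outside the organisation"
            dest = QUARANTINE if verdict == "quarantine" else mbox.final_destination(email)
            mbox.move(email, PRE_ANALYSIS, dest)
            actions.append((email.uid, verdict, dest))
        return actions

class MASCollector:
    # Samples pre-analysis folder depth and maximum dwell time; flags a pathological condition.
    def __init__(self, dwell_limit: float, growth_samples: int = 3):
        self.dwell_limit, self.growth_samples = dwell_limit, growth_samples
        self.history: List[Tuple[int, float]] = []  # (pending count, max dwell) per sample

    def sample(self, mbox: Mailbox, now: float) -> None:
        pending = mbox.folders[PRE_ANALYSIS]
        self.history.append((len(pending), max((now - e.arrived_at for e in pending), default=0.0)))

    def pathological(self) -> bool:
        counts = [c for c, _ in self.history[-self.growth_samples:]]
        growing = len(counts) == self.growth_samples and all(a < b for a, b in zip(counts, counts[1:]))
        return growing or (bool(self.history) and self.history[-1][1] > self.dwell_limit)

def demo() -> dict:
    # Constructed run: three messages through the folder, then an analyzer outage on a fourth.
    mbox = Mailbox(user_rules=[lambda e: "Vendors" if domain(e.sender) == "vendor.test" else None])
    mbox.deliver(Email("1", "alice@example.com", "alice@example.com", "Lunch?", 0.0))
    mbox.deliver(Email("2", "billing@vendor.test", "billing@vendor.test", "Invoice 42", 0.0))
    mbox.deliver(Email("3", "helpdesk@exarnple.com", "collect@lookalike.test", "Verify your account password", 0.0))
    actions = EmailSecuritySystem(sample_policy, force_release_after=600.0).scan(mbox, now=5.0)
    mbox.deliver(Email("4", "bob@partner.test", "bob@partner.test", "Report", 10.0))
    def broken(_e: Email) -> str:
        raise RuntimeError("analysis backend down")  # simulated outage
    outage, mas = EmailSecuritySystem(broken, force_release_after=600.0), MASCollector(dwell_limit=300.0)
    for now in (100.0, 200.0, 400.0):
        outage.scan(mbox, now)  # fails each time; message 4 keeps waiting
        mas.sample(mbox, now)
    released = outage.scan(mbox, now=700.0)  # past the deadline: force-released to the inbox
    return {"actions": actions, "alarm": mas.pathological(), "released": released,
            "folders": {k: [e.uid for e in v] for k, v in mbox.folders.items()}}
```

Running demo() shows the bannered external message following the user's own "Vendors" filter, the lookalike credential lure landing in quarantine, the MAS Collector raising an alarm on dwell time during the outage, and the stuck message being force-released once the deadline passes.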
[0022] The processes for detecting email threats of the email security system 16 described above may be implemented in software, hardware, firmware, or any combination thereof. The processes are preferably implemented in one or more computer programs executing on a programmable computer (which can be part of the email security system 16) including at least one processor, a storage medium readable by the processor (including, e.g., volatile and non-volatile memory and/or storage elements), and input and output devices. Each computer program can be a set of instructions (program code) in a code module resident in the random access memory of the computer. Until required by the computer, the set of instructions may be stored in another computer memory (e.g., in a hard disk drive, or in a removable memory such as an optical disk, external hard drive, memory card, or flash drive) or stored on another computer system and downloaded via the Internet or other network.
[0023] Having thus described several illustrative embodiments, it is to be appreciated that various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements are intended to form a part of this disclosure, and are intended to be within the spirit and scope of this disclosure. While some examples presented herein involve specific combinations of functions or structural elements, it should be understood that those functions and elements may be combined in other ways according to the present disclosure to accomplish the same or different objectives. In particular, acts, elements, and features discussed in connection with one embodiment are not intended to be excluded from similar or other roles in other embodiments. Additionally, elements and components described herein may be further divided into additional components or joined together to form fewer components for performing the same functions. For example, the computer system may comprise one or more physical machines, or virtual machines running on one or more physical machines. In addition, the computer system may comprise a cluster of computers or numerous distributed computers that are connected by the Internet or another network.
[0024] Accordingly, the foregoing description and attached drawings are by way of example only, and are not intended to be limiting.

Claims

1. A computer-implemented method, comprising the steps of:
(a) discovering and retrieving an email received in a user's email mailbox, said email being automatically pushed into a pre-analysis folder in the email mailbox;
(b) analyzing the email to detect security threats and to determine if remediation of the email is needed;
(c) performing a remediation action on the email when remediation is determined to be needed in (b); and
(d) releasing the email to an inbox folder of the user's mailbox when no remediation is determined to be needed in (b).
2. The method of claim 1, wherein performing the remediation action on the email comprises removing or quarantining the email when a security threat is detected at step (b).
3. The method of claim 1, wherein performing the remediation action on the email comprises adding a banner message with a warning, moving the email to another folder, or quarantining the email.
4. The method of claim 1, further comprising releasing the email to the inbox folder of the user's mailbox after performing the remediation action on the email in step (c).
5. The method of claim 1, wherein analyzing the email to detect security threats comprises identifying anomalous, suspicious, or malicious patterns in the email.
6. The method of claim 1, wherein analyzing the email to detect security threats comprises inspecting a body, header content, or metadata of the email to identify threat indicators based on built-in system policies or policies configured by an organization administering the user's email mailbox.
7. The method of claim 1, wherein steps (a) through (c) are performed after the email has been delivered to the user's email mailbox and before the email is visible to the user.
8. The method of claim 1, further comprising automatically releasing the email to the inbox folder if the email has not been analyzed for more than a given period of time or if an error occurs in analyzing the email.
9. The method of claim 1, wherein the user's email mailbox is in an email server system, and the method is performed by an email security system connected to the email server system over a network.
10. The method of claim 1, further comprising monitoring the user's email mailbox to detect anomalous behavior in analyzing emails.
11. An email security system, comprising: at least one processor; memory associated with the at least one processor; and a program supported in the memory, the program containing a plurality of instructions which, when executed by the at least one processor, cause the at least one processor to:
(a) discover and retrieve an email received in a user's email mailbox, said email being automatically pushed into a pre-analysis folder in the email mailbox;
(b) analyze the email to detect security threats and to determine if remediation of the email is needed;
(c) perform a remediation action on the email when remediation is determined to be needed in (b); and
(d) release the email to an inbox folder of the user's mailbox when no remediation is determined to be needed in (b).
12. The system of claim 11, wherein performing the remediation action on the email comprises removing or quarantining the email when a security threat is detected in (b).
13. The system of claim 11, wherein performing the remediation action on the email comprises adding a banner message with a warning, moving an email to another folder, or quarantining the email.
14. The system of claim 11, wherein the program further comprises instructions to release the email to the inbox folder of the user's mailbox after the remediation action is performed on the email in (c).
15. The system of claim 11, wherein analyzing the email to detect security threats comprises identifying anomalous, suspicious, or malicious patterns.
16. The system of claim 11, wherein analyzing the email to detect security threats comprises inspecting a body, header content, or metadata of the email to identify threat indicators based on built-in system policies or policies configured by an organization administering the user's email mailbox.
17. The system of claim 11, wherein (a) through (c) are performed after the email has been delivered to the user's email mailbox and before the email is visible to the user.
18. The system of claim 11, wherein the program further comprises instructions to automatically release the email to the inbox folder if the email has not been analyzed for more than a given period of time or if an error occurs in analyzing the email.
19. The system of claim 11, wherein the email security system is connected over a network to an email server having the user's email mailbox.
20. The system of claim 19, wherein the email server system comprises a cloud-based email system or an on-premises system.
21. The system of claim 11, wherein the program further comprises instructions to monitor the user's email mailbox to detect anomalous behavior in analyzing emails.
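The hold-analyze-remediate-or-release flow of claims 11 through 21, written out as an added example that is not part of the patent or of GreatHorn's product; the folder names, the three policies, the internal domain, the hold limit and the sample messages are assumptions.

```python
# Added example (not the patent holder's code) modelling claims 11-21: a message held
# in the pre-analysis folder is checked by policies over header and body, then
# quarantined, bannered or released; held too long or on error it is released (claim 18).
import re
from dataclasses import dataclass

PRE_ANALYSIS, INBOX, QUARANTINE = "PreAnalysis", "Inbox", "Quarantine"  # assumed names
MAX_HOLD_SECONDS = 60.0  # assumed "given period of time" of claim 18
@dataclass
class Email:
    headers: dict
    body: str
    arrived: float  # epoch seconds when the server pushed it into the hold folder
    folder: str = PRE_ANALYSIS

def _reply_to_mismatch(m):
    # Reply-To lands on a different domain than the apparent sender: a common BEC tell.
    doms = [re.findall(r"@([\w.-]+)", m.headers.get(h, "").lower()) for h in ("From", "Reply-To")]
    return bool(doms[1]) and doms[0] != doms[1]

# (policy name, predicate, remediation action): assumed administrator policies.
POLICIES = [
    ("dmarc-fail", lambda m: "dmarc=fail" in m.headers.get("Authentication-Results", ""), "quarantine"),
    ("reply-to-mismatch", _reply_to_mismatch, "banner"),
    ("payment-lure", lambda m: bool(re.search(r"\b(wire|gift card|invoice)\b", m.body, re.I)), "banner"),
]

def analyze(m):
    """Claim 11(b): return the policy hits and the strongest action they call for."""
    hits = [name for name, pred, _ in POLICIES if pred(m)]
    actions = {a for name, _, a in POLICIES if name in hits}
    return hits, ("quarantine" if "quarantine" in actions else "banner" if hits else None)

def process(m, now, analyzer=analyze):
    """Claims 11(a)-(d) and 18: remediate or release; fail open on timeout or error."""
    if now - m.arrived > MAX_HOLD_SECONDS:
        hits, action = [], "timeout"
    else:
        try:
            hits, action = analyzer(m)
        except Exception:  # an analyzer crash must not strand mail in the hidden folder
            hits, action = [], "error"
    if action == "quarantine":
        m.folder = QUARANTINE
        return "quarantined:" + ",".join(hits)
    if action == "banner":  # claims 13-14: add a warning banner, then deliver
        m.body = "[WARNING: " + ", ".join(hits) + "]\n" + m.body
    m.folder = INBOX  # claim 11(d) / claim 14: now visible to the user
    return "released" if action is None else "released:" + action
```

Note that the fail-open branches deliver unanalyzed mail; a deployment that relies on this behaviour should alert on every timeout or error release so a broken analyzer is noticed quickly.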
PCT/US2021/033885 2020-05-28 2021-05-24 Computer-implemented methods and systems for pre-analysis of emails for threat detection WO2021242687A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063031164P 2020-05-28 2020-05-28
US63/031,164 2020-05-28

Publications (1)

Publication Number Publication Date
WO2021242687A1 true WO2021242687A1 (en) 2021-12-02

Family

ID=78745360

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/033885 WO2021242687A1 (en) 2020-05-28 2021-05-24 Computer-implemented methods and systems for pre-analysis of emails for threat detection

Country Status (2)

Country Link
TW (1) TW202147158A (en)
WO (1) WO2021242687A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054498A1 (en) * 2000-07-07 2004-03-18 Alexander Shipp Method of and system for, processing email
US20140230061A1 (en) * 2013-02-08 2014-08-14 PhishMe, Inc. Collaborative phishing attack detection
US20150281260A1 (en) * 2013-03-07 2015-10-01 Inquest Integrated network threat analysis
US20170048273A1 (en) * 2014-08-21 2017-02-16 Salesforce.Com, Inc. Phishing and threat detection and prevention

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "How to Compare Email Threat Detection Capabilities", GREATHORN, 18 May 2020 (2020-05-18), XP055876534, Retrieved from the Internet <URL:https://www.greathorn.com/blog/how-to-compare-email-threat-detection-capabilities> [retrieved on 20220106] *
ASAF CIDON, NADIA KORSHUN, MARCO SCHWEIGHAUSER, ALEXEY TSITKIN, LIOR GAVISH, ITAY BLEIER (Barracuda Networks): "High Precision Detection of Business Email Compromise", Proceedings of the 28th USENIX Security Symposium, 1 January 2019 (2019-01-01), XP055736904, Retrieved from the Internet <URL:https://www.usenix.org/system/files/sec19-cidon.pdf> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760119A (en) * 2022-04-02 2022-07-15 北京安博通金安科技有限公司 Phishing mail attack detection method, device and system
CN114760119B (en) * 2022-04-02 2023-12-12 北京安博通金安科技有限公司 Phishing mail attack detection method, device and system

Also Published As

Publication number Publication date
TW202147158A (en) 2021-12-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 21813261; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 21813261; Country of ref document: EP; Kind code of ref document: A1