WO2023196376A1 - Algorithm for detecting malicious emails impersonating brands - Google Patents


Info

Publication number
WO2023196376A1
Authority
WO
WIPO (PCT)
Prior art keywords
email
name
domain name
data
determining
Prior art date
Application number
PCT/US2023/017530
Other languages
English (en)
Inventor
Durgamadhav BEHERA
Abhishek Singh
Muhammad Sachedina
Original Assignee
Cisco Technology, Inc.
Priority date
Filing date
Publication date
Priority claimed from US17/867,464 (US20230328034A1)
Application filed by Cisco Technology, Inc.
Publication of WO2023196376A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H04L51/48 Message addressing, e.g. address format or anonymous messages, aliases

Definitions

  • the present disclosure relates generally to techniques for an email-security system to detect malicious email impersonating brands.
  • Electronic mail, or “email,” continues to be a primary method of exchanging messages between users of electronic devices.
  • Many email service providers have emerged that provide users with a variety of email platforms to facilitate the communication of emails via email servers that accept, forward, deliver, and store messages for the users.
  • Email continues to be an important and fundamental method of communication between users of electronic devices, as email provides users with a cheap, fast, accessible, efficient, and effective way to transmit all kinds of electronic data.
  • Email is well established as a means of day-to-day, private communication for business communications, marketing communications, social communications, educational communications, and many other types of communications.
  • email security platforms are provided by email service providers (and/or third-party security service providers) that attempt to identify and eliminate attacks on email communication channels.
  • cloud email services provide secure email gateways (SEGs) that monitor emails and implement pre-delivery protection by blocking email-based threats before they reach a mail server.
  • These SEGs can scan incoming, outgoing, and internal communications for signs of malicious or harmful content, signs of social engineering attacks such as phishing or business email compromise, signs of data loss for compliance and data management, and other potentially harmful communications of data.
  • FIG. 1 illustrates a system-architecture diagram of an example email-security system that detects, assigns a probability score, and classifies an email indicating a likelihood of a fraudulent email.
  • FIG. 2 illustrates a component diagram of an example email-security system that detects, assigns a probability score, and classifies an email indicating a likelihood of a fraudulent email.
  • FIGS. 3A-D illustrate flow diagrams of an example method for an email-security system to detect an email, assign a probability score, and use the probability score to classify the email as an authentic email or a fraudulent email.
  • FIG. 4 illustrates an example impersonated email probability determination sequence used by an email-security system to detect fraudulent emails.
  • FIG. 5 illustrates an example of a fraudulent email that is detected by an email-security system.
  • FIG. 6 illustrates a flow diagram of an example method for an email-security system to screen emails, analyze their contents, and assign a probability score and classification indicative of a probability that the screened email is fraudulent or not.
  • FIG. 7 is a computer architecture diagram showing an illustrative computer hardware architecture for implementing a computing device that can be utilized to implement aspects of the various technologies presented herein.
  • a method to perform the techniques described herein includes obtaining, at an email-security system, an email sent from a sending device to a receiving device. The method may further include extracting, from the email, first data representing a from field of the email, second data representing a Uniform Resource Locator (URL) in the email, and third data representing a reply-to address. Further, the method may include determining, using the first data, a first probability value indicating a first likelihood that the from field of the email is impersonating a brand.
  • the method may include determining, using the second data, a second probability value indicating a second likelihood that the URL in the email is impersonating the brand. Further, the method may include determining, using the third data, a third probability value indicating a third likelihood that the reply-to address in the email is impersonating the brand and determining, using the first probability value, the second probability value, and the third probability value, an overall probability value indicating an overall likelihood that the email is a malicious email that is impersonating the brand.
  • the techniques described herein may be performed by a system and/or device having non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, perform the method described above.
  • This disclosure describes techniques for an email-security system to detect and assign probability scores to emails that indicate likelihoods of the emails being fraudulent impersonations of brands.
  • the email-security system may analyze the information contained within the emails for users and identify fraudulent emails by analyzing metadata and/or contents of the emails using rule-based analysis, recognition analysis, probabilistic analysis, machine-learning (ML) models, and so forth.
  • the email-security system may then assign the screened emails probability scores indicative of fraud, based at least in part on the extracted and analyzed information.
  • the email-security system may then classify the screened emails as fraudulent or not, based at least in part on the assigned probability score.
  • the assigned probability score may be compared to a predetermined threshold value that is indicative of a high likelihood of fraudulent impersonations of brands. In this way, the email-security system is able to classify emails as fraudulent or authentic and prevent potential malicious attacks on users.
  • the email-security system may monitor emails communicated between users of email platforms or services to detect scam emails, phishing emails, and/or other malicious emails.
  • the email-security system may screen emails for monitoring and extracting information for analysis.
  • the email-security system may extract meaningful metadata from emails to determine whether the emails are scam emails or otherwise malicious. Meaningful metadata may include, for example, “From-Field” addresses and/or brand names for the email, “URL” addresses contained within the email, “Reply-To Field” addresses and/or brand names of the email, a Date/Time the email was communicated, attachments and/or hashes of attachments to the email, URLs in the body of the email and/or associated with unsubscribe actions, and so forth.
  • the metadata may additionally, or alternatively, include content included in the body of the email, actual attachments to the email, and/or other data of the email that may be private or confidential.
  • the metadata extracted from the email may generally be any probative information for the email security platform to determine whether an email is potentially malicious.
  • the email-security system may be configured to identify scam emails, which are often designed to impersonate legitimate brands and are sent by attackers to facilitate the scam.
  • an initial email may be sent from the attacker that includes a request for the target user to perform an action based on the type of scam.
  • the initial email may request a gift card code, a wire transfer, a change of the bank account into which salary is deposited, a list of unpaid invoices, W-2 details of employee(s), sensitive information of clients, and so forth.
  • impersonation (e.g., fraudulent) emails may need to be processed to determine the legitimacy of the email.
  • processing of the extracted metadata may be initiated to analyze the extracted metadata to determine a first probability score indicative of a likelihood of scam emails, phishing emails, and/or other malicious emails.
  • the processing may include determining a display name from the “From-Field” of the email. Any determined display name may further be determined to be identified with a person and/or legitimate brand (e.g., organization). Additionally, the processing may determine, from any extracted image metadata, any person and/or legitimate brand names contained within an image text within an associated file of the image.
  • the email-security system may then determine whether, from the extracted metadata, the legitimate brand is found and whether the display name from the email matches a redundant legitimate brand name.
  • the email-security system may determine an address domain from the “From-Field” of the email.
  • the processing by the email-security system may determine whether the address domain matches a free email service.
  • the address domain may further be compared to the legitimate brand name to determine a similarity.
  • the processing may take the determinations and combine them into the first probability score.
  • the determinations may be equally weighted or have differing weights when factored together to determine the first probability score.
  • processing of the extracted metadata may be initiated to analyze the extracted metadata to determine a second probability score indicative of a likelihood of scam emails, phishing emails, and/or other malicious emails.
  • the processing may include determining a domain name from the “Reply-To Field” of the email. The domain name may be compared to the free email service to determine any similarities. Additionally, the domain name from the “Reply-To Field” may be compared to the address domain from the “From-Field” to determine any similarities. Further, the processing may take the determinations and combine them into the second probability score. The determinations may be equally weighted or have differing weights when factored together to determine the second probability score.
  • processing of the extracted metadata may be initiated to analyze the extracted metadata to determine a third probability score indicative of a likelihood of scam emails, phishing emails, and/or other malicious emails.
  • the processing may include determining any “URL” contained within the email.
  • the processing may further include comparing the URL contained within the email to the address domain from the “From-Field” to determine any similarities.
  • the processing may include determining any URL associated with the unsubscribe action contained within the email. Any URL associated with the unsubscribe action may further be compared to the URL found within the email, the address domain from the “From-Field,” and any URL associated with the image text from the “From-Field” to determine any matches.
  • the processing may take the determinations and combine them into the third probability score. The determinations may be equally weighted or have differing weights when factored together to determine the third probability score.
  • processing of the extracted metadata may be initiated to analyze the extracted metadata to determine a fourth probability score indicative of a likelihood of scam emails, phishing emails, and/or other malicious emails.
  • the processing may include determining any owners (e.g., registrants, etc.) and/or legitimate brands associated with WHOIS and/or certification(s) resulting from the extracted metadata of the email.
  • the processing may include locating, from the extracted metadata, any respective WHOIS and/or certificates. Further, the processing may include determining, from the respective WHOIS and/or certificates, any associated owner. Additionally, the processing may determine any legitimate brand associated with the determined owner. Further, the processing may compare the extracted metadata to any determined legitimate brand associated with the owner and determine any similarities. Additionally, the processing may take the determinations and combine them into the fourth probability score. The determinations may be equally weighted or have differing weights when factored together to determine the fourth probability score.
  • the email-security system may be configured to process the one or more probability scores to determine a final probability score.
  • the determination of the final probability score may be by making the one or more probability scores equally weighted or assigning them differing weights to factor together and determine the final probability score.
  • the final probability score may then be assigned a classification indicative that the emails are scam emails or otherwise malicious.
  • the classification may be based upon exceeding a predetermined threshold value.
  • the predetermined threshold value may be assigned to be a threshold probability value of 0.75.
  • the final probability score exceeding the threshold probability score may render the classification of a fraudulent email to the processed email.
  • Processing is merely exemplary of one possible method of determining the final probability score.
  • a machine-learning (ML) model(s) may be trained and used to determine the final probability score from the extracted metadata.
  • the processing may compare the extracted metadata to a storage of valid domain(s), saved brand possibilities, saved past fraudulent email(s), and the like. Additionally, the foregoing may not be construed as limiting and it may be appreciated that additional processing methods may become apparent to one skilled in the art.
  • the email-security system may further classify the scam emails into different classes from amongst a group of scam email classes. For instance, scam emails may be classified into one or more of a gift-card scam class, a wire-transfer scam class, a payroll-account scam class, an invoice scam class, an account-acquisition scam class, a phone scam class, a W-2 scam class, an aging report scam class, a merger and acquisition scam class, an executive forgery scam class, an attorney scam class, a tax client scam, an initial lure or rapport scam class, and so forth.
  • the email-security system may utilize a secondary classification scan using email policies.
  • the extracted metadata from the scam email may be placed into storage.
  • the scam email may be stored in the saved past fraudulent email(s) storage.
  • the metadata and/or subsequent processing may serve to train the ML model(s).
  • at least a portion of the extracted metadata from the emails may be retained (e.g., saved) to the storage.
  • the impersonated brand names extracted from the email may be stored in the saved brand possibilities.
  • legitimate domain(s) extracted from the emails may be stored in the storage under valid domains.
  • other information from the metadata may be stored in an array of different ways that are the same and/or similar to those described and alluded to herein and/or as may be apparent to one skilled in the art.
  • the fraudulent emails are quarantined, and the email-security system may prevent any further communication received from the sender and/or any further communication sharing similarities with the fraudulently classified screened email.
  • the email-security system may implement various additional remedial actions.
  • the remedial actions may include harvesting the attacker information for additional detection rules, blocking the fraudulent email, reporting the attacker information to authorities, and so forth.
  • BEC fraudulent emails include various types or classes, such as wire-transfer scams, gift card scams, payroll scams, invoice scams, acquisition scams, aging report scams, phone scams, a W-2 scam class, an aging report scam class, a merger and acquisition scam class, an executive forgery scam class, an attorney scam class, a tax client scam, an initial lure or rapport scam class, and so forth.
  • the fraudulent attacks result in an organization or person under attack losing money or other financial resources.
  • the organization or person under attack may lose valuable information, such as trade secrets or other information.
  • These types of fraudulent attacks are often multi-stage attacks.
  • the attacker sends a fake email to the victim who is usually a manager or employee in the organization.
  • This fake email may impersonate a real person who is also a legitimate employee of an organization to build a rapport and an official tone to the message.
  • the fake email may accordingly or alternatively, impersonate a brand and the email itself may be of a sophisticated construction including real domains and/or hyperlinks directed to the actual brand in an attempt to legitimize the email while requesting an action directed to a fraudulent domain and/or hyperlink.
  • brand may be interchangeable with the term “organization,” “legitimate business,” and the like. Brand may also mean an “enterprise,” “collaboration,” “government,” “agencies,” “any type of organization of people,” an “entity representative of some grouping of people,” etc. Furthermore, brand may also represent an intangible marketing and/or business concept that helps individuals identify the legitimacy of the brand, company, individual, collaboration, and the like by which the brand is associated.
  • malware may be applied to data, actions, attackers, entities, emails, etc.
  • malware may generally correspond to spam, phishing, spoofing, malware, viruses, and/or any other type of data, entities, or actions that may be considered or viewed as unwanted, negative, harmful, etc., for a recipient and/or destination email address associated with an email communication.
  • FIG. 1 illustrates a system-architecture diagram 100 of an example email-security system 102 that detects, assigns a probability score, and classifies an email indicating a likelihood of a fraudulent email.
  • the email-security system 102 may be a scalable service that includes and/or runs on devices housed or located in one or more data centers, that may be located at different physical locations.
  • the email-security system 102 may be included in an email platform and/or associated with a secure email gateway platform.
  • the email-security system 102 and the email platform may be supported by networks of devices in a public cloud computing platform, a private/enterprise computing platform, and/or any combination thereof.
  • the one or more data centers may be physical facilities or buildings located across geographic areas that are designated to store networked devices that are part of and/or support the email-security system 102.
  • the data centers may include various networking devices, as well as redundant or backup components and infrastructure for power supply, data communications connections, environmental controls, and various security devices.
  • the data centers may include one or more virtual data centers which are a pool or collection of cloud infrastructure resources specifically designed for enterprise needs, and/or for cloud-based service provider needs.
  • the data centers (physical and/or virtual) may provide basic resources such as processor (CPU), memory (RAM), storage (disk), and networking (bandwidth).
  • the email-security system 102 may be associated with an email service platform, which may generally comprise any type of email service provided by any provider, including public email service providers (e.g., Google Gmail, Microsoft Outlook, Yahoo! Mail, AOL, etc.), as well as private email service platforms maintained and/or operated by a private entity or enterprise. Further, the email service platform may comprise cloud-based email service platforms (e.g., Google G Suite, Microsoft Office 365, etc.) that host email services. However, the email service platform may generally comprise any type of platform for managing the communication of email communications between clients or users. The email service platform may generally comprise a delivery engine behind email communications and include the requisite software and hardware for delivering email communications between users.
  • an entity may operate and maintain the software and/or hardware of the email service platform to allow users to send and receive emails, store and review emails in inboxes, manage and segment contact lists, build email templates, manage and modify inboxes and folders, scheduling, and/or any other operations performed using email service platforms.
  • the email-security system 102 may be included in, or associated with, the email service platform.
  • the email-security system 102 may provide security analysis for emails communicated by the email service platform (e.g., as a secure email gateway).
  • a second computing infrastructure may comprise a different domain and/or pool of resources used to host the email service platform.
  • the email service platform may provide one or more email services to users of user device to enable the user devices to communicate emails.
  • Sending devices 104 may communicate with receiving devices 106 over one or more networks 108, such as the Internet.
  • the network(s) 108 may generally comprise one or more networks implemented by any viable communication technology, such as wired and/or wireless modalities and/or technologies.
  • the network(s) 108 may include any combination of Personal Area Networks (PANs), Local Area Networks (LANs), Campus Area Networks (CANs), Metropolitan Area Networks (MANs), extranets, intranets, the Internet, short-range wireless communication networks (e.g., ZigBee, Bluetooth, etc.), Wide Area Networks (WANs) - both centralized and/or distributed - and/or any combination, permutation, and/or aggregation thereof.
  • the network(s) 108 may include devices, virtual resources, or other nodes that relay packets from one device to another.
  • the user devices may include the sending devices 104 that send emails and the receiving devices 106 that receive the emails.
  • the sending devices 104 and receiving devices 106 may comprise any type of electronic device capable of communicating using email communications.
  • the devices 104/106 may include one or more of different personal user devices, such as desktop computers, laptop computers, phones, tablets, wearable devices, entertainment devices such as televisions, and/or any other type of computing device.
  • the user devices 104/106 may utilize the email service platform to communicate using emails based on email address domain name systems according to techniques known in the art.
  • the email service platform may receive emails that are destined for the receiving device 106 that have access to inboxes associated with destination email addresses managed by, or provided by, the email service platform. That is, emails, including allowed emails 110, are communicated over the network(s) 108 to one or more recipient servers of the email service platform, and the email service platform determines which registered user the email is intended for based on email information such as “To,” “Cc,” “Bcc,” and the like.
  • the email service platform may provide the appropriate emails to the front end for pre-processing of the security analysis process.
  • the email-security system 102 may perform at least metadata extraction techniques on the emails and may further perform content pre-classification techniques on the emails in some instances.
  • the types of metadata that may be scanned for, and extracted by, the email-security system 102 include indications of the “Reply-To Field” email address(es), the “From-Field” email address(es), the “Image” information of the emails, the “Subject” of the emails, the Date/Time associated with communication of the emails, indications of universal resource locator (URL) or other links in the emails, attachment files, hashes of attachments, fuzzy hashes extracted from the message body of the emails, content from the body of the email, etc.
  • the email service platform and/or users of the email security platform may define what information is permitted to be scanned and/or extracted from the emails, and what information is too private or confidential and is not permitted to be scanned and/or extracted from the emails.
  • the email-security system 102 may perform security analysis on the email metadata using, among other techniques, security policies defined for the email security platform.
  • the security policies may be defined or created by the email-security system 102 to detect potentially malicious emails, and/or be defined and/or created by administrators or other users of the email-security system 102.
  • the email-security system 102 may analyze the email metadata with reference to the security policies to determine whether or not the email metadata violates one or more security policies that indicate the respective email is potentially malicious.
  • impersonated email probability sequencing may be developed to identify malicious emails based on different words, patterns, and/or other information included in the emails.
  • ML model(s) may be trained using emails where malicious emails are labeled as malicious and benign or normal emails are labeled as benign.
  • the ML model(s) and/or the impersonated email probability sequencing may output probabilities that emails are malicious or may simply output a positive or negative result as to whether the emails are malicious or not.
  • the email-security system 102 may analyze and detect non-malicious emails, or allowed emails 110, and permit the allowed emails 110 to be communicated between the user devices 104/106. In some instances, the email-security system 102 analyzes emails and detects that the emails are in fact malicious emails, such as fraudulent emails.
  • As shown, the email-security system 102 may initiate a fraud detection process 112 to detect, at “1,” a screened email 114 that is sent from a sending device 104 (e.g., attacker) to a receiving device 106 (e.g., target, victim, etc.).
  • the email-security system 102 may, at “2,” extract from the screened email 114 information from the “From-Field,” any “URL” information, information from the “Reply-To Field,” and the like of the screened email 114.
  • the screened email 114 may be tested against algorithms (e.g., models) at “3,” such as natural language processing (NLP) model(s), to classify the screened email 114 into a particular class.
  • the NLP model(s) analyze the collected information of the fraudulent email and assign, at “4,” a probability score to the fraudulent email.
  • the screened email 114 is a request for the target user to send a payment of money in the amount of $149.99.
  • the attacker may have impersonated the name of an “Actual Brand” that may be familiar to the victim and that is permitted to request such types of payment and pretend to be acting on behalf of the brand, in this case directing the victim to make a payment via a reply to a “PAY NOW” domain.
  • the reply-to address associated with the “PAY NOW” call to action appears to be legitimate, containing elements (e.g., words) associated with the impersonated brand.
  • the email-security system 102 may, at “4,” compute probability score(s) associated with the email. After testing the collected information using the algorithms, at “3,” one or more probability scores may be determined. For example, probability scores may be independently determined for information collected from the “From-Field,” any “URL” information, information from the “Reply-To Field,” and the like. In some instances, multiple independently assigned probability scores may be further combined into a “Final Probability Score” representative of a collective probability score for the email. The “Final Probability Score” may be an average of the one or more probability scores, a weighted average, and/or any other method of combination as may be appreciated by one skilled in the art.
  • the screened email 114 is assigned four separate probability scores. After analysis of the “From-Field,” a probability score of 0.80 was determined by the algorithm at “3.” Additionally, at “3,” the algorithm determined a probability score of 1.0 for the “URL,” a score of 0.80 for the “Reply-To Field,” and a score of 0.87 as a “Final Probability Score.”
  • the email-security system 102 may, at “5,” classify the screened email 114 as fraudulent or not. Classification of the screened email 114 as fraudulent may be achieved by comparing the probability score (e.g., “Final Probability Score”) to a predetermined threshold value. In some instances, the predetermined threshold value may be assigned to be a value of 0.75. In such instances, a probability score exceeding the threshold value may result in a classification of the email as fraudulent. As such, classification as fraudulent may ensure that the email 114 is not sent to the receiving device 106 on which the victim is reading emails.
  • the screened email 114 received a “Final Probability Score” of 0.87 as an average of probability scores determined for the “From Field,” “URL,” and “Reply-To Field.” As such, the “Final Probability Score” of 0.87 exceeded the threshold value of 0.75 and the screened email 114 was classified, at “5,” as a fraudulent email.
  • FIG. 2 illustrates a component diagram 200 of an example email-security system 102 that detects, assigns a probability score, and classifies an email indicating a likelihood of a fraudulent email.
  • the email-security system 102 may include one or more hardware processors 202 (processors), one or more devices, configured to execute one or more stored instructions.
  • the processor(s) 202 may comprise one or more cores.
  • the email-security system 102 may include one or more network interfaces 204 configured to provide communications between the email-security system 102 and other devices, such as the sending device(s) 104, receiving devices 106, and/or other systems or devices associated with an email service providing the email communications.
  • the network interfaces 204 may include devices configured to couple to personal area networks (PANs), wired and wireless local area networks (LANs), wired and wireless wide area networks (WANs), and so forth.
  • the network interfaces 204 may include devices compatible with Ethernet, Wi-Fi™, and so forth.
  • the email-security system 102 may also include computer-readable media 206 that stores various executable components (e.g., software-based components, firmware-based components, etc.).
  • the computer-readable media 206 may store components to implement functionality described herein.
  • the computer-readable media 206 may store one or more operating systems utilized to control the operation of the one or more devices that comprise the email-security system 102.
  • the operating system comprises the LINUX operating system.
  • the operating system(s) comprise the WINDOWS® SERVER operating system from MICROSOFT Corporation of Redmond, Washington.
  • the operating system(s) can comprise the UNIX operating system or one of its variants. It should be appreciated that other operating systems can also be utilized.
  • the computer-readable media 206 may include portions, or components, that configure the email-security system 102 to perform various operations described herein.
  • a from-field analysis component 208 may be configured to, when executed by the processor(s) 202, perform various techniques for analyzing particular email information to determine probability scores indicative of fraud.
  • the from-field analysis component 208 may utilize policies or rules to analyze email metadata to determine if the corresponding email is malicious.
  • the from-field analysis component 208 may perform various types of security analysis techniques, such as determining whether one or more of the following “Display Name” and “From,” “To,” “Cc,” and/or “Bcc” email addresses are associated with legitimate brand names, email addresses, and/or email domains and/or free email service email addresses and/or email domains.
  • the computer-readable media 206 may further include a URL analysis component 210 that configures the email-security system 102 to perform various operations described herein.
  • the URL analysis component 210 may be configured to, when executed by the processor(s) 202, perform various techniques for analyzing particular email information to determine probability scores indicative of fraud.
  • the URL analysis component 210 may utilize policies or rules to analyze email metadata to determine if the corresponding email is malicious.
  • the URL analysis component 210 may perform various types of security analysis techniques, such as determining whether one or more of the following “URL” and/or “Unsubscribe URL” are associated with legitimate brand URL(s).
  • the computer-readable media 206 may further include a reply-to analysis component 212 that configures the email-security system 102 to perform various operations described herein.
  • the reply-to analysis component 212 may be configured to, when executed by the processor(s) 202, perform various techniques for analyzing particular email information to determine probability scores indicative of fraud.
  • the reply-to analysis component 212 may utilize policies or rules to analyze email metadata to determine if the corresponding email is malicious.
  • the reply-to analysis component 212 may perform various types of security analysis techniques, such as determining whether the “To” email address(es) are associated with legitimate brand names, email addresses, and/or email domains and/or free email service email addresses and/or email domains.
  • the computer-readable media 206 may further include a WHOIS/Certification analysis component 214 that configures the email-security system 102 to perform various operations described herein.
  • the WHOIS/Certification analysis component 214 may be configured to, when executed by the processor(s) 202, perform various techniques for analyzing particular email information to determine probability scores indicative of fraud.
  • the WHOIS/Certification analysis component 214 may utilize policies or rules to analyze email metadata to determine if the corresponding email is malicious.
  • the WHOIS/Certification analysis component 214 may perform various types of security analysis techniques, such as determining whether one or more of the following “Display Name” and “From,” “To”, “Cc,” “Bcc,” “Reply-To Field” information, URL(s) contained within the email, domains contained within the email, and/or email addresses contained within the email are associated with legitimate brand owners via names, email addresses, and/or email domains, cross referenced against associated WHOIS and/or Certificate information.
  • the computer-readable media 206 may further include an image analysis component 216 that configures the email-security system 102 to perform various operations described herein.
  • the image analysis component 216 may be configured to, when executed by the processor(s) 202, perform various techniques for analyzing particular email information to determine probability scores indicative of fraud.
  • the image analysis component 216 may utilize policies or rules to analyze email metadata to determine if the corresponding email is malicious.
  • the image analysis component 216 may perform various types of security analysis techniques, such as determining whether one or more of the extracted metadata associated with images included in the email are associated with legitimate brand names, email addresses, and/or email domains.
  • the computer-readable media 206 may further include a final probability & classification component 218 that configures the email-security system 102 to perform various operations described herein.
  • the final probability & classification component 218 may be configured to, when executed by the processor(s) 202, perform various techniques for averaging the probability scores determined from the components 208-216 to determine the final probability score indicative of fraud.
  • the final probability & classification component 218 may utilize any one of the different types of averaging including determining a mean, a median, a weighted average, a mode, and/or the like.
  • the final probability & classification component 218 may then compare the resulting final probability score to a predetermined threshold value to classify the email as a likelihood of being fraudulent. As described and alluded to herein, a final probability score exceeding the predetermined threshold value may be indicative of a fraudulent email classification.
  • the above-noted list of components and their respective processes are merely exemplary, and other types of security policies may be used to analyze the email metadata.
  • the final probability and classification component 218 may then generate result data indicating a result of the security analysis of the email metadata using the policy(ies) stored in a storage 220.
  • the email security-system 102 may include the storage 220 which may comprise one, or multiple, repositories or other storage locations for persistently storing and managing collections of data such as databases, simple files, binary, and/or any other data.
  • the storage 220 may include one or more storage locations that may be managed by one or more storage/database management systems.
  • the storage 220 may include valid domain(s) 222, ML model(s) 234, saved brand possibilities 226, impersonated email probabilities 228, and saved fraudulent email(s) 230. It should be appreciated that the foregoing list is merely exemplary and the storage 220 may include additional elements that may be apparent to one skilled in the art.
  • the valid domain(s) 222 may include a database of domains determined to be valid (e.g., non-fraudulent domains). For instance, domains associated with the allowed emails 110 may be included in the valid domain(s) 222.
  • the valid domain(s) 222 may include domains that are manually inputted, domains determined to not meet the predetermined threshold value, domains associated with legitimate brands, domains determined by ML model(s) 234, and the like.
  • the ML model(s) 224 may include a database of machine learning algorithms.
  • the ML model(s) may include one or more algorithms including supervised, semi-supervised, unsupervised, and/or reinforcement.
  • the processor(s) 202 train(s) the email-security system 102 utilizing machine learning techniques, statistical analysis, or any other means by which a system may be trained to output fraudulent email detection based on input associated with screened email 114 information, established operating parameters from the computer-readable media 206, and/or production data associated with the storage 220.
  • the saved brand possibilities 226 may include a database of domains and/or a list of executives (e.g., owners, CEO(s), executive officers, etc.) found to be associated with legitimate brands.
  • the database may be formed as a historical compilation of legitimate brands found from historical uses of the email-security system 102.
  • the impersonated email probabilities 228 may store the results and/or timeline of events from the final probability & classification component 218. Additionally, or alternatively, the impersonated email probabilities 228 may be a database of historical calculation results. As such, it may be used by the final probability & classification component 218 during its operation.
  • the saved fraudulent email(s) 230 may be a database of historically classified fraudulent email(s) that are saved. As such, the saved fraudulent email(s) 230 may be used by the final probability & classification component 218 during its operation. For example, the final probability & classification component 218 may reference the saved fraudulent email(s) 230 to determine similarities between screened emails 114 and previously classified, fraudulent emails.
  • the final probability and classification component 218 may, as described and alluded to herein, classify an email as fraudulent by a comparison to a threshold value where the probability score is in excess of the threshold value.
  • an email determined to be fraudulent may further be stored in the saved fraudulent email(s) 230 of the storage 220.
  • FIG. 3A illustrates a flow diagram of an example method 300 for extracting information and/or data from the “From-Field” of the screened email 114 of an email-security system that is further configured to detect an email, assign a probability score, and use the probability score to classify the email as an authentic email or a fraudulent email.
  • the email-security system 102 may monitor emails communicated between users of email platforms or services to detect fraudulent emails, phishing emails, and/or other malicious emails.
  • the from-field analysis component (hereinafter referred to as the “FF component”) 208 may identify from-field information of a scanned email 114.
  • the FF component 208 may identify the from-field information using text recognition, NLP model(s), predetermined field analysis, and the like.
  • the FF component 208 may determine a display name from the scanned email 114. For example, the FF component 208 may be directed to a portion of the scanned email 114 detailing the display name associated with the scanned email 114. In some other instances, the FF component 208 may use textual recognition and/or NLP model(s) to determine the display name of the from field of the scanned email 114.
  • the FF component 208 may determine whether the display name is a person or not. For example, the FF component 208 may compare the display name to a look-up table of names contained within the storage 220 and/or may conduct an internet search to determine CEO names. In some other instances, the FF component 208 may utilize ML model(s) 224 to determine whether the display name is a person or not. In some further instances, the FF component 208 may compare the display name to the saved brand possibilities 226 where matches may indicate that the display name is not a person.
  • upon a determination that the display name is a person (i.e., a “Yes” at operation 306), the method 300 may proceed to operation 308.
  • the FF component 208 may determine whether the display name matches a CEO. For example, the FF component 208 may compare the display name to a look-up table of CEO names contained within the storage 220 and/or may conduct an internet search to determine CEO names. In some other instances, the FF component 208 may utilize ML model(s) 224 to determine whether the display name matches the CEO of a legitimate brand. In some further instances, the FF component 208 may compare the display name to the saved brand possibilities 226 where CEO names may be stored and where matches may indicate that the display name matches an associated CEO.
  • upon a determination that the display name is not a person (i.e., a “No” at operation 306), the method 300 may proceed to operation 310. Additionally, upon a determination that the display name matches a CEO name associated with a legitimate brand (i.e., a “Yes” at operation 308), the method 300 may also proceed to operation 310.
  • the FF component 208 and/or image-analysis component (hereinafter referred to as the “IA component”) 216 may determine any organization (i.e., brand name(s)) from the display name determined at operation 304. In some instances, FF component 208 and/or IA component 216 may determine any organization from the CEO name match determined at operation 308. The FF component 208 and/or IA component 216 may further determine any organization contained within any image file text found within the screened email 114. The FF component 208 and/or IA component 216 may use textual recognition and/or NLP model(s) to determine text associated with organization names.
  • the FF component 208 and/or IA component 216 may compare the image file text to the valid domains 222, the ML model(s), and/or the saved brand possibilities 226 contained within the storage 220. In some further instances, the FF component 208 and/or IA component 216 may utilize the network 108 to compare the image file text to lookup tables, organization search matches, internet searches, and/or the like.
  • the method 300 may determine whether the organization name has been found from the determination and/or information found at operation 310.
  • upon a determination that the organization was not found (i.e., a “No” at operation 312), the method 300 may proceed to operation 314.
  • the FF component 208 may determine any image(s) files.
  • the FF component 208 may recognize images contained within the screened email 114 and access the files associated with the images. In some instances, there may be one or more images contained within the screened email 114. As such, the FF component 208 may determine the images’ files. In some further instances, there may be no images contained within the screened email 114. As such, the FF component 208 may determine that there are no image files and may move onto the next operation. In some instances, the FF component 208, at operation 314, may determine image file(s) one at a time. In some other instances, the FF component 208 may determine one image file and move onto the next operation before returning to determine any subsequent image file contained within the screened email 114.
  • the FF component 208 may determine whether image(s) within the screened email 114 have been checked and whether any image(s) remain unchecked. For instance, the method 300 may, as described and alluded to herein, determine any image(s) contained within the screened email 114 one at a time. In some other instances, the method 300 may determine any image(s) contained within the screened email 114 at once. In any case, the method 300, at operation 316, may determine whether the FF component 208 has checked every image(s) within the screened email 114.
  • upon a determination that at least one image within the screened email 114 remains unchecked (i.e., a “No” at operation 316), the method 300 may proceed to operation 318.
  • the FF component 208 may determine the text (txt) contained within the image files determined at operation 308. For example, the FF component 208 may use Tesseract OCR software to perform optical character recognition (OCR) on a text corpus. In some other instances, the FF component 208 may use TensorFlow, OpenCV, Google Cloud Vision API, Amazon Rekognition, and/or any other suitable method for determining txt contained within any image files. From operation 318, the method 300 may proceed back to operation 310.
  • at 320, the FF component 208 may determine a from address domain.
  • the FF component 208 may be directed to a portion of the scanned email 114 detailing the display name associated with the scanned email 114.
  • the FF component 208 may use textual recognition and/or NLP to determine the display name of the from field of the scanned email 114.
  • the method 300 may proceed to operation 322. Additionally, a determination that the CEO check does not match the person determined within the display name (i.e., a “No” at operation 308) the method 300 may proceed to operation 322.
  • the FF component 208 may compare the determined from address domain, at operation 320, to determine whether the from-field domain address matches any free email service domains or not. For example, the FF component 208 may determine, at operation 320, that the from address domain is “from@realbrand.com.” The FF component 208 may, at operation 322, determine that the domain (i.e., “@realbrand.com”) does not match any free email service domains such as “@gmail.com,” “@yahoo.com,” “@hotmail.com,” and/or the like.
  • the method 300 may compare the name of the person and/or display name determined not to match a CEO, determined not to match at operation 308, to determine whether the display name matches any free email service domains or not, in a similar and/or the same way as described and alluded to above. As such, the method 300 may proceed to the next operation.
  • a determination that the from address domain, determined at operation 320, does not match any free email service domains may cause the method 300 to proceed to operation 324.
  • the FF component 208 of the method 300 may determine, from the information used at operation 322, whether that information matches any marketing mail service domains and/or names. For instance, the method may compare the information to email marketing services including “HubSpot,” “Omnisend,” “AWeber,” “Drip,” and/or the like.
  • upon a determination that the information compared, at operation 324, does not match any marketing mail service(s) (i.e., a “No” at operation 324), the method 300 may proceed to operations 326, 328, and 334 (discussed in further detail below).
  • the FF component 208 may determine, from the information collected at operations 304 and/or 320, an associated whois database. From the whois database, the FF component 208 may collect a registrant organization name and a whois age data.
  • the FF component 208 may determine, from the information collected at operation 304 and/or 320, an associated secure sockets layer (SSL) certificate. From the SSL certificate, the FF component 208 may collect organization name details.
  • the FF component 208 may determine any organization (i.e., brand name(s)) from the display name determined at operation 304 and/or the address domain determined at 320 and the whois information determined at operation 326 and/or the certificate information determined at operation 328.
  • the FF component 208 may use textual recognition and/or NLP model(s) to determine text associated with organization names. In other instances, the FF component 208 may compare the information collected at operations 304, 320, 326, and/or 328 to the valid domains 222, the ML model(s), and/or the saved brand possibilities 226 contained within the storage 220.
  • the FF component may utilize the network 108 to compare the information collected at operations 304, 320, 326, and/or 328 to lookup tables, organization search matches, internet searches, and/or the like.
  • upon completion of operation 330, the method 300 may proceed to operation 332. Additionally, upon a determination that the organization was found (i.e., a “Yes” at operation 312), the method 300 may also proceed to operation 332.
  • the FF component 208 may determine if the information, progressing naturally from operations 304 and 320, matches an organization name through comparison. For instance, at operation 312 the method 300 determined that an organization was found. As such, the FF component 208 may search the saved brand possibilities 226 and determine whether the organization found, at operation 312, matches a legitimate brand. In some other instances, the FF component 208 may compare the organization found at operation 312 to the valid domains 222, the ML model(s) 224, the impersonated email probabilities 228, and/or the saved fraudulent emails 230. In some further instances, the FF component 208 may conduct an internet search to determine whether the organization determined at operation 312 matches a legitimate brand.
  • the method 300 may determine whether the organization name, determined at operation 330, matches a legitimate brand.
  • the FF component 208 may determine whether a match exists using the same and/or similar processes as described and alluded to above and/or herein and/or as may be apparent to one skilled in the art.
  • upon a determination that the organization name does not match a legitimate brand (i.e., a “No” at operation 332), the method 300 may continue to operation 334. Additionally, upon a determination that the information compared, at operation 324, does not match any marketing mail service(s) (i.e., a “No” at operation 324), the method 300 may proceed to operation 334.
  • the FF component 208 may conduct a whitelist check of the from address domain, determined at operation 320 and determined to not be associated with a free email service or marketing mail service, at operations 322 and 324, respectively.
  • the whitelist may include a list of email addresses, IP addresses, domain names, applications, and/or the like which are designated as approved. As such, the whitelist may automatically block and/or flag any of the aforementioned list items.
  • the FF component 208 may determine a similarity between the from address domain and the whitelist items.
  • the FF component 208 may use a similarity logic which may include the ML model(s) 224, mathematic probabilistic similarity logic (PSL), and/or the like or as may become apparent to one skilled in the art.
  • the FF component 208 may determine domain name randomness.
  • the FF component 208 may use the ML model(s) 224, a detection algorithm, and/or the like.
  • the FF component 208 may utilize high entropy domain name system (DNS) queries using a URL toolbox Shannon Entropy calculator and/or the like.
  • the calculator may determine a given query’s entropy scoring.
  • a predetermined entropy score may be set where entropy scores of the given query, in excess of the predetermined entropy score, may be indicative of an algorithmically generated domain address (e.g., indicative of a fraudulently generated domain address).
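As an added example (not the patent's code, nor URL Toolbox's), the entropy scoring of operation 338 in plain Python: Shannon entropy of the label the registrant chose, compared against a constructed threshold of 3.5 bits; the public-suffix handling in `chosen_label` is a hypothetical simplification.

```python
import math
from collections import Counter

# Constructed threshold; the page only says a "predetermined entropy score" is set.
# Entropy is bounded by log2(len(label)), so a label shorter than 12 characters can never
# exceed 3.5 bits: a real deployment pairs this score with label length and dictionary checks.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`: -sum(p * log2 p) over the character frequencies,
    the quantity a Shannon Entropy calculator such as URL Toolbox reports."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def chosen_label(domain: str) -> str:
    """The label the registrant picked, i.e. the one left of the top-level domain.
    Hypothetical simplification: only the last label is treated as the suffix, so
    'example.co.uk' would yield 'co'; production code consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def domain_randomness(domain: str, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Operation 338: score the chosen label's entropy and flag the domain when the score
    exceeds the predetermined threshold, i.e. when it looks algorithmically generated."""
    label = chosen_label(domain)
    score = shannon_entropy(label)
    return {"label": label, "entropy": round(score, 3), "random": score > threshold}


if __name__ == "__main__":
    # "realbrand" scores about 2.73 bits; the constructed 12-character label scores log2(12) = 3.585
    for d in ("realbrand.com", "mail.realbrand.com", "xq7k2mz9p4wd.com"):
        print(d, domain_randomness(d))
```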
  • the method 300 may proceed to operation 356 which will be described in more detail in FIG. 3D.
  • another operation may intervene before operation 356, wherein the brand (i.e., organization) name(s) determined up to this point may be saved.
  • the brand name(s) may be saved to the saved brand possibilities 226 of the storage 220.
  • the brand name(s) may be saved to cloud storage, other computational devices, other storage, and/or the like and may be transferred to any such devices via the network 108.
  • the brand name(s) determined may serve to train the ML model(s).
  • FIG. 3B illustrates a flow diagram of an example method 300 for extracting information and/or data from the “Reply-To Field” of the screened email 114 of an email-security system that is further configured to detect an email, assign a probability score, and use the probability score to classify the email as an authentic email or a fraudulent email.
  • the email-security system 102 may monitor emails communicated between users of email platforms or services to detect fraudulent emails, phishing emails, and/or other malicious emails.
  • the reply-to analysis component (hereinafter referred to as the “RT component”) 212 may identify reply-to information of a scanned email 114.
  • the RT component 212 may identify the reply-to information using text recognition, NLP model(s), predetermined field analysis, and/or the like.
  • the RT component 212 may determine a reply-to domain. For example, the RT component 212 may be directed to a portion of the scanned email 114 detailing the reply-to domain associated with the scanned email 114. In some other instances, the RT component 212 may use textual recognition and/or NLP model(s) to determine the domain of the reply-to field of the scanned email 114.
  • the RT component 212 may compare the determined reply-to domain, at operation 330, to determine whether the reply-to domain address matches any free email service domains or not. For example, the RT component 212 may determine, at operation 330, that the from address domain is “from@realbrand.com.” The RT component 212 may, at operation 332, determine that the domain (i.e., “@realbrand.com”) does not match any free email service domains such as “@gmail.com,” “@yahoo.com,” “@hotmail.com,” and/or the like. As such, the method 300 may proceed to the next operation.
  • a determination that the reply-to domain, determined at operation 344, does not match any free email service domains may cause the method 300 to proceed to operation 346.
  • the RT component 212 may determine any similarities between the reply-to address domain, found at operation 342, and the from-field address domain determined at operation 320. For example, if both the from-field address domain and the reply-to field address domain are similar, it may imply that the email is less likely fraudulent. Alternatively, in an instance where the from field address domain and the reply-to field address domain are dissimilar, this may indicate that the email is fraudulent.
  • FIG. 3C illustrates a flow diagram of an example method 300 for extracting any “URL” information and/or data of the screened email 114 of an email-security system that is further configured to detect an email, assign a probability score, and use the probability score to classify the email as an authentic email or a fraudulent email.
  • the email-security system 102 may monitor emails communicated between users of email platforms or services to detect fraudulent emails, phishing emails, and/or other malicious emails.
  • the URL analysis component (hereinafter referred to as the “URL component”) 210 may identify any URL(s) contained within a scanned email 114.
  • the URL component 210 may identify any URL(s) using text recognition, NLP model(s), predetermined field analysis, and/or the like.
  • the URL component 210 may compare the identified URL(s) within the screened email 114 to the from-address domains determined at operation 320 and determine whether any match exists.
  • the URL component 210 may determine whether there is any unsubscribe action and/or language with an associated and/or integrated URL(s).
  • the URL component 210 may use text recognition, NLP model(s), and/or any other applicable process to identify and determine whether there is any unsubscribe action and/or language with an associated and/or integrated URL(s).
  • the URL component 210 may determine any matched URL(s) determined from operations 350 and/or 352. As such, at operation 354, the URL component 210 may determine the number of matched, unmatched, and/or total number of URL(s). In some other instances, the URL component 210 may further determine the number of matched URL(s) which are image(s). Further, the URL component 210 may determine the matching using a comparison logic.
  • FIG. 3D illustrates a flow diagram of an example method 300 for an email-security system to detect an email, assign a probability score, and use the probability score to classify the email as an authentic email or a fraudulent email.
  • the email-security system 102 may monitor emails communicated between users of email platforms or services to detect fraudulent emails, phishing emails, and/or other malicious emails.
  • the FF component 208 may determine a from-field probability score from the processes naturally flowing from operation 302. As such, determining a match between the organization names determined, at operations 310 and 330, at operation 332 (i.e., a “Yes” at operation 332) may yield a lower probability score indicative that the screened email 114 is not fraudulent. Alternatively, a determination that the from address domain matches a free email service (i.e., a “Yes” at operation 322) or a determination that the from address domain matches a marketing mail service (i.e., a “Yes” at operation 324) may yield higher probability scores indicative that the screened email 114 is fraudulent.
  • a determination of domain name randomness at operation 338 where, for example, the threshold value is exceeded may yield a higher probability score indicative of fraud.
  • the FF component 208, at operation 358 may combine the interrelated processes stemming from operation 302 and flowing into operation 358 and arrive at an overall from field probability score.
  • the overall from-field probability score may include determining individual scores for the processes and finding a mean, a median, a mode, a weighted average, and/or the like.
  • the RT component 212 may determine a reply-to probability score indicating a likelihood that the screened email 114 is fraudulent concerning the processes of the method 300 naturally flowing from operation 340. For example, the determination of the reply-to probability score may ultimately depend upon operation 344. As such, a “Yes” determination at operation 344 may yield a higher probability score, at operation 358, as the reply-to address domain matches a free email service domain. In other words, a match to a free email service domain may indicate that the attacker is directing the victim to reply to the victim’s created, fraudulent email address and not an address associated with a legitimate brand. In some other instances, a “No” at operation 344 will lead to operation 346.
  • a reply-to address domain that is determined to be dissimilar to the from-field address domain may similarly indicate a likelihood that the screened email 114 is fraudulent and be assigned a higher probability score at operation 358.
  • RT component 212, at operation 358 may combine the interrelated processes stemming from operation 340 and flowing into operation 358 and arrive at an overall from field probability score.
  • the overall from-field probability score may include determining individual scores for the processes and finding a mean, a median, a mode, a weighted average, and/or the like.
  • the URL component 210 may determine a URL probability score from the processes naturally flowing from operation 348. As such, at operation 360, the URL component 210 may use the determination made at operation 354 to determine a URL probability score. For example, a determination of all URL(s) being matched, at operation 354, may be factored into the determination of a lower URL probability score at operation 360. In such instances, the URL probability score may be lower due to the matches indicating a higher likelihood that the screened email 114 is not fraudulent. Alternatively, in some further instances, a greater number of unmatched URL(s), as determined at operation 354, may result in the determination of a higher URL probability score at operation 360.
  • the URL component 210 may, from a “No” determination at operation 352, determine a higher probability score at operation 360. For example, emails from legitimate brands often contain unsubscribe language, and the omission of such language may be indicative of fraud. Further, the URL component 210, at operation 360, may combine the interrelated processes stemming from operation 348 and flowing into operation 360, and arrive at an overall URL probability score. In some instances, the overall URL probability score may include determining individual scores for the processes and finding a mean, a median, a mode, a weighted average, and/or the like.
  • the foregoing operations 358, 360, and/or 362 may be determined independently and/or within a single smart probability calculation function. Accordingly or alternatively, the foregoing operations 356, 358, and/or 360 may be performed in any suitable way and/or method made apparent to one skilled in the art.
  • the final probability & classification component 218 may determine a final probability and classification from the method 300.
  • the FP&C component 218, at operation 362, may combine the three interrelated processes stemming from method 300 and arrive at an overall final probability score and classification for the screened email 114.
  • the final probability score may be determined by taking the individual probability scores determined at operations 356, 358, and/or 360 and finding a mean, a median, a mode, a weighted average, and/or the like. Additionally, the FP&C component 218 may use the final probability score to classify the screened email 114 as fraudulent or not.
  • classification as fraudulent may result where the final probability score exceeds a predetermined threshold value.
  • a predetermined threshold value may be 0.75, where any final probability score exceeding the threshold value may cause the FP&C component 218 to classify the screened email 114 as fraudulent.
  • the FP&C component 218 may further determine a legitimate brand name targeted and/or a possible spoof of the legitimate brand name targeted. For instance, the FP&C component 218 may determine that legitimate brand “RealBrand” was intended while the possible spoof “RealBrand” was attempted and/or including a determination that a homoglyph (described in more detail in FIG. 5) was used.
  • the method 300 may include additional and/or different processes. For example, a certificate probability score may be determined associated with certificates. In such instances, the method 300 may begin by identifying a first domain name, at operation 320, and a second domain name, at operation 342. As such, the method 300 may continue by identifying, using the first domain name and the second domain name, an associated certificate. Additionally, using the associated certificate, the method 300 may determine an owner. The method 300 may then identify a brand associated with the owner and compare the brand to a displayed brand name and/or display name from the screened email 114.
  • the method 300 may determine, based at least upon the comparison, whether the displayed brand name and/or display name of the screened email 114 match and/or correspond to the name of the brand associated with the owner and determine the certificate probability score based at least in part on a degree to which a similarity and/or correspondence is determined.
  • the method 300 may determine a WHOIS probability score associated with WHOIS information. For example, the method 300 may identify a first domain name and a second domain name associated with any URL(s) found in the screened email 114. Additionally, the method 300 may, using the first domain name and the second domain name, identify one or more associated, registered domains and determine an owner from the one or more associated, registered domains. The method 300 may then identify a brand associated with the owner and compare the brand to a displayed brand name and/or display name from the screened email 114.
  • the method 300 may determine, based at least upon the comparison, whether the displayed brand name and/or display name of the screened email 114 match and/or correspond to the name of the brand associated with the owner and determine the WHOIS probability score based at least in part on a degree to which a similarity and/or correspondence is determined.
  • FIG. 4 illustrates an example probability determination sequence 400 associated with the impersonated email probability 228 used by an email-security system to detect fraudulent emails.
  • the example probability determination may begin by loading JSON.
  • JSON is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.
  • the impersonated email probability 228 may utilize other formatting protocols including, but not limited to, YAML, Protobuf, Avro, MongoDB, OData, JavaScript, Python, and the like.
  • the impersonated email probability 228 may begin calculating the probability score relating to the data collected in the “From-Field” of the screened email 114.
  • the impersonated email probability 228 may indicate the collected information relating to a from name portion of the screened email 114.
  • the illustration depicts the from name to read “Phishlabs IT Support.”
  • the impersonated email probability 228 may indicate the collected information relating to a from domain of the screened email 114.
  • the illustration depicts the from domain as “fakebrand.com.”
  • the impersonated email probability 228 may indicate the collected information relating to a domain name of the screened email 114.
  • the illustration depicts the domain name to be “fakebrandtest.”
  • the impersonated email probability 228 may indicate the collected information relating to a person name of the screened email 114.
  • the illustration depicts no information relating to the person name and leaves that field blank.
  • the impersonated email probability 228 may indicate the collected information relating to an organization name of the screened email 114. For example, the illustration depicts the organization name collected to be “phishlabs.”
  • the impersonated email probability 228 may calculate the probability score associated with the collected “From-Field” information. For example, the illustration depicts that the “From-Field” probability score is “0.80.”
  • the impersonated email probability 228 may begin calculating the probability score relating to “URL” data collected from the screened email 114.
  • the impersonated email probability 228 may indicate the collected information relating to the number of total URL(s) found within the screened email 114. For example, the illustration depicts that “2” URLs were found.
  • the impersonated email probability 228 may indicate a determination of how many domain URL(s) match. For example, the illustration depicts that “0” domain URLs match out of the “2” that were found.
  • the impersonated email probability 228 may indicate a determination of how many domain URL(s) are unmatched. For example, the illustration depicts that there are “2” unmatched domain URLs.
  • the impersonated email probability 228 may indicate a determination of how many domain URL(s) are matched which are image files. For example, the illustration depicts that there are “0” matched domain URLs that are image files.
  • the impersonated email probability 228 may indicate the collected information relating to the number of unsubscribe URL(s) found within the screened email 114. For example, the illustration depicts that “0” unsubscribe URLs were found.
  • the impersonated email probability 228 may calculate the probability score associated with the collected URL data. For example, the illustration depicts that the “URL” information probability score is “1.0.”
  • the impersonated email probability 228 may begin calculating the probability score relating to “Reply-To Field” data collected from the screened email 114.
  • the impersonated email probability 228 may indicate the collected information relating to the reply-to field data.
  • the illustration depicts that the reply-to domain is “fraud.reply.com.”
  • the impersonated email probability 228 may calculate the probability score associated with the collected “Reply-To Field” data. For example, the illustration depicts that the “Reply-To Field” probability score is “0.80.”
  • the impersonated email probability 228 may indicate the beginning of a final probability calculation from the previously calculated probability scores.
  • the impersonated email probability 228 may indicate that the previous step, at 438, has been completed, with an accompanying time duration that the calculation spanned. For example, the illustration depicts that the final probability score was calculated in “0.893” seconds.
  • the impersonated email probability 228 may display the final probability score.
  • the illustration depicts an averaged probability score, of the previous three probability scores, showing that the screened email 114 has a probability score of “0.867,” indicating that the screened email 114 is fraudulent.
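As an added example (not the patent's code), the following Python walks the FIG. 4 sequence over a constructed JSON record carrying the values the figure shows: the URL and reply-to component scores are recomputed from the heuristics of operations 344 through 354, the from-field score is taken as recorded, and the mean of the three is classified against the 0.75 threshold from the description. The JSON field names, the free-mail domain list and the component weights are assumptions.

```python
"""Final probability and classification over the three FIG. 4 component scores.
Added example, not the patent's code: the JSON field names, the free-mail
list and the component weights are assumptions; SAMPLE_JSON is constructed
to carry the values FIG. 4 shows (0.80 / 1.0 / 0.80 -> 0.867)."""
from __future__ import annotations

import json
import statistics

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
THRESHOLD = 0.75  # predetermined threshold value given in the description

# Constructed record mirroring the FIG. 4 sequence; field names are assumed.
SAMPLE_JSON = json.dumps({
    "from_field": {"from_name": "Phishlabs IT Support", "from_domain": "fakebrand.com",
                   "domain_name": "fakebrandtest", "person_name": "",
                   "org_name": "phishlabs", "score": 0.80},
    "url": {"total": 2, "matched": 0, "unmatched": 2, "matched_images": 0,
            "unsubscribe": 0, "score": 1.0},
    "reply_to": {"reply_to_domain": "fraud.reply.com", "score": 0.80},
})


def registrable(domain: str) -> str:
    """Last two labels of a host ('fraud.reply.com' -> 'reply.com').
    Naive on purpose: multi-label public suffixes such as co.uk are ignored."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def reply_to_score(reply_domain: str, from_domain: str) -> float:
    """Operations 344/346: a free-mail reply-to, or one unlike the From
    domain, points at an attacker-controlled mailbox and scores high."""
    if registrable(reply_domain) in FREE_MAIL_DOMAINS:
        return 0.9  # assumed weight: free email service domain
    if registrable(reply_domain) != registrable(from_domain):
        return 0.8  # assumed weight: dissimilar reply-to domain
    return 0.1      # reply-to consistent with the From domain


def url_score(urls: dict) -> float:
    """Operations 352/354: share of URLs whose domain did not match the
    brand, nudged up when the mail carries no unsubscribe URL."""
    if urls["total"] == 0:
        return 0.5  # assumed: nothing to compare against
    score = urls["unmatched"] / urls["total"]
    if urls["unsubscribe"] == 0:
        score = min(1.0, score + 0.2)  # assumed penalty for missing unsubscribe language
    return round(score, 3)


def final_probability(scores: list[float], method: str = "mean",
                      weights: list[float] | None = None) -> float:
    """Operation 362: combine component scores by mean, median or weighted average."""
    if method == "mean":
        return statistics.fmean(scores)
    if method == "median":
        return statistics.median(scores)
    if method == "weighted":
        if weights is None or len(weights) != len(scores):
            raise ValueError("weighted average needs one weight per score")
        return sum(s * w for s, w in zip(scores, weights)) / sum(weights)
    raise ValueError(f"unknown method {method!r}")


def classify(raw_json: str, method: str = "mean") -> dict:
    """Load the record, recompute the URL and reply-to scores, keep the
    recorded from-field score, and classify against THRESHOLD."""
    rec = json.loads(raw_json)
    ff = rec["from_field"]["score"]
    url = url_score(rec["url"])
    rt = reply_to_score(rec["reply_to"]["reply_to_domain"],
                        rec["from_field"]["from_domain"])
    final = round(final_probability([ff, url, rt], method), 3)
    return {
        "from_field": ff, "url": url, "reply_to": rt, "final": final,
        "fraudulent": final > THRESHOLD,
        # brand the display name invokes, i.e. the legitimate brand targeted
        "targeted_brand": rec["from_field"]["org_name"],
    }


if __name__ == "__main__":
    print(classify(SAMPLE_JSON))
```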
  • FIG. 5 illustrates an example 500 of a fraudulent email 502 that is detected by the email-security system 102.
  • the screened email 114 illustrated is a payment request fraudulent email where an attacker is pretending to be someone that the victim/target owes a payment to.
  • the email 114 includes a request for payment.
  • Scammers may employ a number of look-alike domain name techniques 502 to deceive their victim/target.
  • the look-alike domain name technique 502 used will appear, to the victim/target, to be a legitimate brand.
  • the look-alike domain name technique 502 being employed, at “1,” is known as a top-level domain (TLD) swap.
  • the attacker includes the name of the legitimate brand (i.e., phishlabs) followed by the insertion of the TLD swap (i.e., .tech) in an attempt to mislead the victim/target into believing the domain to be legitimate and/or associated with a legitimate brand.
  • attackers may, at “2,” employ the use of subdomains.
  • the attacker may attempt to mislead the victim/target by using legitimate domains, but separating it, and creating a fraudulent domain, with the insertion of dots.
  • the attacker inserts a dot between “phish” and “labs” which makes “labs” a subdomain.
  • the victim/target may view the domain and determine that it is legitimate and/or associated with a legitimate brand because the domain contains the elements of a legitimate domain. It should be appreciated that the insertion of dots, creating subdomains, breaks the legitimacy of the domain although not necessarily readily, visually apparent to the victim/target.
  • attackers may, at “3,” employ the use of typosquatting. In such instances, the attacker attempts to deceive the victim by deliberately misspelling the name of a legitimate organization’s (e.g., brand’s) domain. For example, at “3,” the attacker deliberately changes the letter “b” to “v” so that the legitimate brand’s domain reads as “phislavs.tech” and not “phishlabs.tech.” As such, the victim may not readily observe the misspelling and mistake the domain to be legitimate and/or associated with a legitimate brand.
  • attackers may, at “4,” employ the use of hyphenation. In such instances, the attacker attempts to deceive the victim by hyphenating an otherwise legitimate domain. For example, at “4,” the attacker inserts a hyphen between “phish” and “labs.” While the domain may appear, to the victim, to be legitimate, the insertion of the hyphen renders the domain fraudulent.
  • attackers may, at “5,” employ the use of repetition. In such instances, the attacker attempts to deceive the victim by repeating a letter and, without close inspection, may cause the victim to overlook the repetition and believe the domain to be legitimate and/or associated with a legitimate brand. For example, at “5,” the attacker repeats the letter “l.” As such, the fraudulent domain contains two “l”s that may be easy for the victim to overlook. The addition of the extra letter renders the domain fraudulent.
  • attackers may, at “6,” employ the use of replacement.
  • the attacker attempts to deceive the victim by replacing a letter, typically with a letter, number, and/or symbol closely resembling the replaced letter.
  • the attacker replaces the letter “i” with the number “1.”
  • the victim may not readily notice the replacement and believe the domain to be legitimate and/or associated with a legitimate brand.
  • attackers may, at “7,” employ the use of omission. In such instances, the attacker attempts to deceive the victim by omitting an element of the legitimate domain. For example, at “7,” the attacker attempts to deceive the victim by removing the letter “i” from the domain. As such, the new, fraudulent domain is “phshlabs.tech” and not “phishlabs.tech” where the discrepancy may, to the victim, go unnoticed.
  • attackers may, at “8,” employ the use of transposition. In such instances, the attacker attempts to deceive the victim by transposing elements of the legitimate brand domain.
  • attackers may, at “9,” employ the use of insertion. In such instances, the attacker attempts to deceive the victim by the insertion of an additional element into the legitimate domain. For example, at “9,” the attacker inserts the letter “x” into the middle of the legitimate domain. As such, the fraudulent domain reads as “phishxlabs.tech” which may cause the victim to believe it to be legitimate and/or associated with a legitimate brand.
  • attackers may, at “10,” employ the use of homoglyph.
  • the attacker attempts to deceive the victim by using homoglyphs or homographs in which the attacker abuses the similarities of character scripts to create fraudulent domains of legitimate brands to trick victims into clicking.
  • the attacker replaces the letter “h” with the letters “l” and “n” which, taken together (e.g., “ln”), bear a resemblance to the letter “h.”
  • the victim may not recognize the subtle difference between the legitimate brand domain and the homoglyph attack.
  • attackers may, at “11,” employ the use of vowel-swapping. In such instances, the attacker attempts to deceive the victim by swapping vowels to exploit victims’ typos or inattention to the domain’s construction. For example, at “11,” the attacker replaces the letter “a” with the letter “e.” As such, this may be a common typo made by victims due to the close proximity of these letters on standard keyboards and/or may play on the inattention of the victim in recognizing the variation from the legitimate domain construction.
  • attackers may, at “12,” employ the use of addition.
  • the attacker attempts to deceive the victim by adding characters to the legitimate domain construction.
  • the attacker adds an additional letter “s” to the otherwise legitimate domain construction.
  • the element addition may go unnoticed by the victim and/or a quick pass over the fraudulent domain may appear to contain no issues.
  • the victim may believe the fraudulent domain to be legitimate and/or associated with a legitimate brand.
  • look-alike domain name techniques 502 are merely exemplary and should not be construed as limiting. Additionally, the examples described and alluded to, with respect to look-alike domain name techniques 502, are similarly exemplary and it should be appreciated that additional techniques and/or variations may be contemplated and/or apparent to one skilled in the art.
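As an added example (not the patent's code), the following Python turns the twelve FIG. 5 techniques into a detector: given a brand's legitimate domain and a candidate domain, it names which technique transforms one into the other, which is the comparison a screening system needs when it tests a from-field or URL domain against the brand it claims to be. The legitimate domain "phishlabs.com", the homoglyph and digit-for-letter tables, and the candidate domains in the demo are all assumptions constructed from the variants the figure describes.

```python
"""Classify a look-alike domain by the FIG. 5 technique it applies.
Added example, not the patent's code; the legitimate domain
'phishlabs.com' and the lookalike tables below are assumptions."""
from __future__ import annotations

VOWELS = set("aeiou")
# Multi-character homoglyphs (FIG. 5 item 10: "ln" stands in for "h"). Assumed table.
HOMOGLYPHS = {"ln": "h", "rn": "m", "vv": "w", "cl": "d"}
# Digit/symbol-for-letter replacements (FIG. 5 item 6: "1" for "i"). Assumed table;
# the value lists every letter the character is used to impersonate.
REPLACEMENTS = {"1": "il", "0": "o", "3": "e", "5": "s", "$": "s", "@": "a", "|": "l"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (name part, TLD); the name part keeps any inner dots."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[:-1]), labels[-1]


def one_edit(legit: str, cand: str) -> str | None:
    """Name the single-character edit that turns legit into cand, if any."""
    if len(legit) == len(cand):
        diffs = [i for i, (a, b) in enumerate(zip(legit, cand)) if a != b]
        if len(diffs) == 1:
            i = diffs[0]
            if legit[i] in REPLACEMENTS.get(cand[i], ""):
                return "replacement"
            if legit[i] in VOWELS and cand[i] in VOWELS:
                return "vowel_swap"
            return "typosquatting"
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            if legit[i] == cand[i + 1] and legit[i + 1] == cand[i]:
                return "transposition"
        return None
    if len(cand) == len(legit) + 1:
        if cand[:-1] == legit:
            return "addition"            # extra trailing character
        for i in range(len(cand)):
            if cand[:i] + cand[i + 1:] == legit:
                beside = (i > 0 and cand[i] == cand[i - 1]) or \
                         (i + 1 < len(cand) and cand[i] == cand[i + 1])
                return "repetition" if beside else "insertion"
        return None
    if len(cand) == len(legit) - 1:
        for i in range(len(legit)):
            if legit[:i] + legit[i + 1:] == cand:
                return "omission"
    return None


def name_technique(legit_name: str, cand_name: str) -> str | None:
    """Structural tricks first (dots, hyphens, homoglyph pairs), then single edits."""
    if "." in cand_name and cand_name.replace(".", "") == legit_name:
        return "subdomain"
    if "-" in cand_name and cand_name.replace("-", "") == legit_name:
        return "hyphenation"
    collapsed = cand_name
    for glyphs, letter in HOMOGLYPHS.items():
        collapsed = collapsed.replace(glyphs, letter)
    if collapsed != cand_name and collapsed == legit_name:
        return "homoglyph"
    return one_edit(legit_name, cand_name)


def classify_lookalike(legit_domain: str, candidate: str) -> list[str]:
    """Techniques that turn legit_domain into candidate; [] when candidate is
    either identical or not a recognisable look-alike of the brand at all."""
    legit_name, legit_tld = split_domain(legit_domain)
    cand_name, cand_tld = split_domain(candidate)
    tech = name_technique(legit_name, cand_name)
    if cand_name != legit_name and tech is None:
        return []
    found = ["tld_swap"] if cand_tld != legit_tld else []
    if tech:
        found.append(tech)
    return found


if __name__ == "__main__":
    for cand in ["phishlabs.tech", "phish.labs.tech", "phishlavs.com", "phish-labs.com",
                 "phishllabs.com", "ph1shlabs.com", "phshlabs.com", "phishlbas.com",
                 "phishxlabs.com", "plnishlabs.com", "phishlebs.com", "phishlabss.com"]:
        print(f"{cand:18} -> {classify_lookalike('phishlabs.com', cand)}")
```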
  • FIG. 6 illustrates a flow diagram of an example method 600 that illustrates aspects of the functions performed at least partly by the devices in the computing infrastructures as described in FIGS. 1-5.
  • the logical operations described herein with respect to FIG. 6 may be implemented (1) as a sequence of computer-implemented acts or program modules running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system.
  • FIG. 6 illustrates a flow diagram of an example method for an email-security system to screen emails, analyze their contents, and assign a probability score and classification indicative of a probability that the screened email 114 is fraudulent or not.
  • the techniques may be applied by a system comprising one or more processors, and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations of method 600.
  • an email-security system 102 may receive an email sent from a sending email address and to a targeted email address. For instance, the email-security system 102 may monitor emails communicated by an email service platform and obtain the email.
  • the email-security system 102 may classify the email as a screened email 114.
  • the processor(s) 202 may classify incoming emails as screened and initiate a process of analyzing them for fraud.
  • the email-security system 102 may extract information from the screened email 114.
  • the from-field analysis component 208, URL-analysis component 210, reply-to analysis component, and/or the like may extract data from the screened email 114 to determine that the screened email 114 is a fraudulent email directed at the target user.
  • the email-security system 102 may process the extracted information. For example, the various components may analyze the extracted data from the screened email 114 to determine that the screened email 114 is a fraudulent email directed at the target user. In such instances, the various components of the email-security system 102 may determine similarities, matches, presence of legitimate brand names, domains, etc. to be used in determining a probability score indicative of fraud.
  • the email-security system 102 may determine, based at least in part on the processed, extracted information, a probability score indicative of fraud for the screened email 114. For instance, the email-security system 102 may determine that there are discrepancies between from-field domain addresses and reply-to domain addresses. As such, these discrepancies may be indicative of the attacker attempting to deceive the victim into responding to a fraudulent reply-to domain address. In such instances, the email-security system 102 may determine a probability score indicative that the screened email 114 is fraudulent, based at least in part on the processed and extracted information.
  • the email-security system 102 may classify, based at least in part on the probability score, the screened email 114 as fraudulent or not. For instance, a predetermined threshold value (i.e., score) may be contained within the impersonated email probabilities 228. As such, a determined probability score in excess of the predetermined threshold value may be indicative of a fraudulent email.
  • the email-security system 102 may determine, at operation 610, a probability score for the screened email 114 of “0.9.” Furthermore, a predetermined threshold score may be “0.75.” As such, the probability score of the screened email 114 would exceed the threshold score and the email-security system 102 may classify, based at least in part on the probability score, that the screened email 114 is fraudulent.
  • the email-security system 102 may allow, based at least in part on a non-fraudulent classification, the screened email 114 to pass the email-security system 102 as an allowed email 110.
  • the allowed email 110 may be allowed to pass between the sending device(s) 104 and the receiving device(s) 106, along the network(s) 108, freely.
  • FIG. 7 shows an example computer architecture for a computer 700 capable of executing program components for implementing the functionality described above.
  • the computer architecture shown in FIG. 7 illustrates a conventional server computer, workstation, desktop computer, laptop, tablet, network appliance, e-reader, smartphone, or other computing device, and can be utilized to execute any of the software components presented herein.
  • the computer 700 may, in some examples, correspond to a physical server that is included in the email-security system 102 described herein, and may comprise networked devices such as servers, switches, routers, hubs, bridges, gateways, modems, repeaters, access points, etc.
  • the computer 700 includes a baseboard 702, or “motherboard,” which is a printed circuit board to which a multitude of components or devices can be connected by way of a system bus or other electrical communication paths.
  • the CPUs 704 can be standard programmable processors that perform arithmetic and logical operations necessary for the operation of the computer 700.
  • the CPUs 704 perform operations by transitioning from one discrete, physical state to the next through the manipulation of switching elements that differentiate between and change these states.
  • Switching elements generally include electronic circuits that maintain one of two binary states, such as flip-flops, and electronic circuits that provide an output state based on the logical combination of the states of one or more other switching elements, such as logic gates. These basic switching elements can be combined to create more complex logic circuits, including registers, adders-subtractors, arithmetic logic units, floating-point units, and the like.
  • the chipset 706 provides an interface between the CPUs 704 and the remainder of the components and devices on the baseboard 702.
  • the chipset 706 can provide an interface to a RAM 708, used as the main memory in the computer 700.
  • the chipset 706 can further provide an interface to a computer-readable storage medium such as a read-only memory (“ROM”) 710 or non-volatile RAM (“NVRAM”) for storing basic routines that help to startup the computer 700 and to transfer information between the various components and devices.
  • ROM 710 or NVRAM can also store other software components necessary for the operation of the computer 700 in accordance with the configurations described herein.
  • the computer 700 can operate in a networked environment using logical connections to remote computing devices and computer systems through a network, such as the network 708.
  • the chipset 706 can include functionality for providing network connectivity through a NIC 712, such as a gigabit Ethernet adapter.
  • the NIC 712 is capable of connecting the computer 700 to other computing devices over the network 708. It should be appreciated that multiple NICs 712 can be present in the computer 700, connecting the computer to other types of networks and remote computer systems.
  • the computer 700 can be connected to a storage device 718 that provides non-volatile storage for the computer.
  • the storage device 718 can store an operating system 720, programs 722, and data, which have been described in greater detail herein.
  • the storage device 718 can be connected to the computer 700 through a storage controller 714 connected to the chipset 706.
  • the storage device 718 can consist of one or more physical storage units.
  • the storage controller 714 can interface with the physical storage units through a serial attached SCSI (“SAS”) interface, a serial advanced technology attachment (“SATA”) interface, a fiber channel (“FC”) interface, or other type of interface for physically connecting and transferring data between computers and physical storage units.
  • the computer 700 can store data on the storage device 718 by transforming the physical state of the physical storage units to reflect the information being stored.
  • the specific transformation of physical state can depend on various factors, in different embodiments of this description. Examples of such factors can include, but are not limited to, the technology used to implement the physical storage units, whether the storage device 718 is characterized as primary or secondary storage, and the like.
  • the computer 700 can store information to the storage device 718 by issuing instructions through the storage controller 714 to alter the magnetic characteristics of a particular location within a magnetic disk drive unit, the reflective or refractive characteristics of a particular location in an optical storage unit, or the electrical characteristics of a particular capacitor, transistor, or other discrete component in a solid-state storage unit.
  • Other transformations of physical media are possible without departing from the scope and spirit of the present description, with the foregoing examples provided only to facilitate this description.
  • the computer 700 can further read information from the storage device 718 by detecting the physical states or characteristics of one or more locations within the physical storage units.
  • the computer 700 can have access to other computer-readable storage media to store and retrieve information, such as program modules, data structures, or other data.
  • computer-readable storage media is any available media that provides for the non-transitory storage of data and that can be accessed by the computer 700.
  • the operations performed by devices in a distributed application architecture, and/or any components included therein, may be supported by one or more devices similar to computer 700. Stated otherwise, at least a portion of the operations performed by the email-security system 102, and/or any components included therein, may be performed by one or more computer devices 700 operating in any system or arrangement.
  • Computer-readable storage media can include volatile and nonvolatile, removable and non-removable media implemented in any method or technology.
  • Computer-readable storage media includes, but is not limited to, RAM, ROM, erasable programmable ROM (“EPROM”), electrically-erasable programmable ROM (“EEPROM”), flash memory or other solid-state memory technology, compact disc ROM (“CD-ROM”), digital versatile disk (“DVD”), high definition DVD (“HD-DVD”), BLU-RAY, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information in a non-transitory fashion.
  • the storage device 718 can store an operating system 720 utilized to control the operation of the computer 700.
  • the operating system comprises the LINUX operating system.
  • the operating system comprises the WINDOWS® SERVER operating system from MICROSOFT Corporation of Redmond, Washington.
  • the operating system can comprise the UNIX operating system or one of its variants. It should be appreciated that other operating systems can also be utilized.
  • the storage device 718 can store other system or application programs and data utilized by the computer 700.
  • the storage device 718 or other computer-readable storage media is encoded with computer-executable instructions which, when loaded into the computer 700, transform the computer from a general-purpose computing system into a special-purpose computer capable of implementing the embodiments described herein. These computer-executable instructions transform the computer 700 by specifying how the CPUs 704 transition between states, as described above.
  • the computer 700 has access to computer-readable storage media storing computer-executable instructions which, when executed by the computer 700, perform the various processes described above with regard to FIGS. 1-6.
  • the computer 700 can also include computer-readable storage media having instructions stored thereupon for performing any of the other computer-implemented operations described herein.
  • the computer 700 can also include one or more input/output controllers 716 for receiving and processing input from a number of input devices, such as a keyboard, a mouse, a touchpad, a touch screen, an electronic stylus, or other type of input device. Similarly, an input/output controller 716 can provide output to a display, such as a computer monitor, a flat-panel display, a digital projector, a printer, or other type of output device. It will be appreciated that the computer 700 might not include all of the components shown in FIG. 7, can include other components that are not explicitly shown in FIG. 7, or might utilize an architecture completely different than that shown in FIG. 7.
  • techniques are described for an email-security system to screen emails, extract information from the emails, analyze the information, assign probability scores to the emails, and classify the emails as likely fraudulent or not.
  • the system may analyze emails for users and identify fraudulent emails by analyzing the contents of the emails.
  • the system may evaluate the contents of the emails to determine probability score(s) which may further determine an overall probability score.
  • the system may then classify the email as fraudulent, or not, and may perform actions including blocking the email, allowing the email, flagging the email, etc.
  • the screened emails may include legitimate brand domain addresses, names, images, URL(s), and the like. However, the screened emails may contain a reply-to domain address that matches a free email service provider domain. In such instances, the email-security system may assign a probability score indicative that the screened email is fraudulent.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Techniques pour un système de sécurité de courrier électronique servant à examiner des courriers électroniques, à extraire des informations des courriers électroniques, à analyser les informations, à attribuer des scores de probabilité aux courriers électroniques, et à classer les courriers électroniques comme étant probablement frauduleux ou non. Le système peut analyser des courriers électroniques pour des utilisateurs et identifier des courriers électroniques frauduleux par analyse du contenu des courriers électroniques. Le système peut évaluer le contenu des courriers électroniques pour déterminer un ou plusieurs scores de probabilité qui peuvent en outre déterminer un score de probabilité global. Le système peut ensuite classer le courrier électronique comme étant frauduleux ou non, et peut effectuer des actions comprenant le blocage du courrier électronique, l'autorisation du courrier électronique, le marquage du courrier électronique, etc. Dans certains cas, les courriers électroniques examinés peuvent comprendre des adresses de domaine de marque légitimes, des noms légitimes, des images légitimes, une ou plusieurs URL légitimes, et analogues. Cependant, les courriers électroniques examinés peuvent contenir une adresse de domaine de réponse qui correspond à un domaine de fournisseur de services de courrier électronique libre. Dans de tels cas, le système de sécurité de courrier électronique peut attribuer un score de probabilité indiquant que le courrier électronique examiné est frauduleux.
PCT/US2023/017530 2022-04-07 2023-04-05 Algorithm to detect malicious emails impersonating brands WO2023196376A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
IN202241020887 2022-04-07
US17/867,464 US20230328034A1 (en) 2022-04-07 2022-07-18 Algorithm to detect malicious emails impersonating brands

Publications (1)

Publication Number Publication Date
WO2023196376A1 true WO2023196376A1 (fr) 2023-10-12

Family

ID=86099833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2023/017530 WO2023196376A1 (fr) 2022-04-07 2023-04-05 Algorithm to detect malicious emails impersonating brands

Country Status (1)

Country Link
WO (1) WO2023196376A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1863240A2 (fr) * 2006-05-30 2007-12-05 Xerox Corporation Method and system for phishing detection
US20180012184A1 (en) * 2004-05-02 2018-01-11 Camelot Uk Bidco Limited Online fraud solution
US20190319905A1 (en) * 2018-04-13 2019-10-17 Inky Technology Corporation Mail protection system
US20200279225A1 (en) * 2019-03-01 2020-09-03 Microsoft Technology Licensing, Llc Email security analysis

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 23718940
Country of ref document: EP
Kind code of ref document: A1