Electronic message threat protection system for authorized users

US 9,467,435 B1
Filed: 09/15/2015
Issued: 10/11/2016
Est. Priority Date: 09/15/2015
Status: Active Grant

First Claim

Patent Images

1. An electronic message threat protection system for authorized users comprising:

a message transformation subsystem comprisinga message input module that receives an electronic message comprisinga sender information;

a recipient information; and

,a resource or a reference to said resource, wherein said resource or said reference to said resource comprises one or more of a link to a web page and a message attachment that comprises an attached file;

a reference rewriting module that replaces said resource or said reference to said resource with a protected reference to said resource, to form a protected message;

wherein said protected reference comprises one or more ofan encoded link to said web page comprising the link to said web page with an encoded path, anda converted protected attachment comprising an encoded file reference; and

,a message output module that forwards said protected message to a recipient corresponding with said recipient information;

an authorization subsystem configured to determine whether a user is an authorized user who is permitted to use said protected reference to access said resource; and

,a secure resource access subsystem configured to provide said authorized user with secure access to said resource via a security mechanism that mitigates one or more potential threats from said resource;

wherein the message input module, the reference rewriting module and the security mechanism are executable on a client or server computer or set of client or server computers;

whereinsaid recipient of said electronic message creates a copy of said protected reference;

use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causessaid authorization subsystem to determine whether said user is said authorized user; and

,when said user is said authorized user, said secure resource access subsystem to provide said authorized user with said secure access to said resource via said security mechanism; and

,when said user is not said authorized user, said secure resource access subsystem to block access to said resource for said user; and

,whereinsaid secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file;

said protected reference comprisesa proxy server address of a proxy server;

said encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment;

said proxy server comprises or communicates withsaid authorization subsystem;

said secure resource access subsystem; and

,said proxy server is configured todecode said encoded file reference to obtain a reference to said sandboxed file; and

,open said sandboxed file in said sandbox environment.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic message threat protection system that incorporates user authorization to ensure that only authorized users receive the benefits of the system'"'"'s protection. The system protects against threats such as phishing attacks or malware embedded in attached files. References to resources in messages, such as links or attachments, are transformed into protected references that may for example insert a level of indirection between the user and the resource. Use of a protected reference triggers a user authorization check; if the user is an authorized user, the system provides access via a security mechanism that mitigates potential threats. Unauthorized users are denied access. A message recipient may deliberately or inadvertently distribute copies of the message or of the protected references; however, the authorization check ensures that recipients of the copies can only access resources via these copies if they are authorized users.

52 Citations

View as Search Results

18 Claims

1. An electronic message threat protection system for authorized users comprising:
- a message transformation subsystem comprisinga message input module that receives an electronic message comprisinga sender information;
  
  a recipient information; and
  
  ,a resource or a reference to said resource, wherein said resource or said reference to said resource comprises one or more of a link to a web page and a message attachment that comprises an attached file;
  
  a reference rewriting module that replaces said resource or said reference to said resource with a protected reference to said resource, to form a protected message;
  
  wherein said protected reference comprises one or more ofan encoded link to said web page comprising the link to said web page with an encoded path, anda converted protected attachment comprising an encoded file reference; and
  
  ,a message output module that forwards said protected message to a recipient corresponding with said recipient information;
  
  an authorization subsystem configured to determine whether a user is an authorized user who is permitted to use said protected reference to access said resource; and
  
  ,a secure resource access subsystem configured to provide said authorized user with secure access to said resource via a security mechanism that mitigates one or more potential threats from said resource;
  
  wherein the message input module, the reference rewriting module and the security mechanism are executable on a client or server computer or set of client or server computers;
  
  whereinsaid recipient of said electronic message creates a copy of said protected reference;
  
  use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causessaid authorization subsystem to determine whether said user is said authorized user; and
  
  ,when said user is said authorized user, said secure resource access subsystem to provide said authorized user with said secure access to said resource via said security mechanism; and
  
  ,when said user is not said authorized user, said secure resource access subsystem to block access to said resource for said user; and
  
  ,whereinsaid secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file;
  
  said protected reference comprisesa proxy server address of a proxy server;
  
  said encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment;
  
  said proxy server comprises or communicates withsaid authorization subsystem;
  
  said secure resource access subsystem; and
  
  ,said proxy server is configured todecode said encoded file reference to obtain a reference to said sandboxed file; and
  
  ,open said sandboxed file in said sandbox environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, further comprisinga proxy server that comprises or communicates withsaid authorization subsystem;
    - and,said secure resource access subsystem;
      
      whereinsaid web page has a web page identity;
      
      said protected reference further comprisessaid proxy server address of said proxy server; and
      
      ,said proxy server is configured to decode said encoded link to obtain said link to said web page.
  - 3. The system of claim 2, wherein said provide said authorized user with said secure access to said resource via a security mechanism comprisescheck said web page for potential threats;
    - when said check said web page indicates that said web page is a known or suspected malicious web page,block access to said web page;
      
      orwarn said authorized user about said web page;
      
      orboth block access to said web page and warn said authorized user about said web page; and
      
      ,when said check said web page does not indicate that said web page is a known or suspected malicious web page,provide said authorized user with access to said web page via said link to said web page.
  - 4. The system of claim 3, whereinsaid secure resource access subsystem comprisesa whitelist of identities of web pages presumed to be secure;
    - a blacklist of identities of web pages presumed to be malicious; and
      
      ,a policy for unknown web page identities comprising at least one ofblock unknown web pages;
      
      allow unknown web pages; and
      
      ,warn user of unknown web pages; and
      
      ,said provide said authorized user with secure access to said resource via a security mechanism comprisesprovide access to said web page when said web page identity is in said whitelist;
      
      block access to said web page when said web page identity is in said blacklist; and
      
      ,when said web page identity is not in said whitelist and is not in said blacklist, apply said policy for unknown web page identities.
  - 5. The system of claim 3, whereinsaid check said web page indicates that said web page is a known or suspected malicious web page comprisessaid web page identity is similar to but not identical to an identity of a known or presumed legitimate web page.
  - 6. The system of claim 1, whereinsaid authorization subsystem comprises a database comprisingregistered users;
    - andregistered user credentials for each of said registered users; and
      
      ,said determine whether a user is an authorized user comprisesobtain user credentials from said user; and
      
      ,determine that said user is an authorized user when and only when said user credentials match said registered user credentials for a registered user in said database.
  - 7. The system of claim 6, wherein said registered user credentials comprise one or more ofan Internet protocol (IP) address or IP address range;
    - a password;
      
      a PIN;
      
      a one-time PIN or one-time password sent to said user;
      
      a biometric credential;
      
      a security token;
      
      a security certificate;
      
      a response to a challenge question;
      
      single sign-on credentials from a single sign-on service; and
      
      ,cached valid credentials previously provided by said user and stored on a memory associated with said user.
  - 8. The system of claim 6, whereinsaid database further comprisesan access control list for said resource that describes which of said registered users may access said resource;
    - and,said determine whether a user is an authorized user further comprisesdetermine whether said user is authorized by said access control list to access said resource.
  - 9. The system of claim 8, wherein said access control list for said resource comprises only a sender corresponding with said sender information and a recipient corresponding with said recipient information.
  - 10. The system of claim 1, wherein said determine whether a user is an authorized user further compriseswhen said user is not said authorized user, create a log entry describing an unauthorized access attempt for said resource.
  - 11. The system of claim 10, wherein said log entry is sent automatically to one or more ofa system administrator,a sender corresponding with said sender information, ora recipient corresponding with said recipient information.
  - 12. The system of claim 8, wherein said determine whether a user is an authorized user further compriseswhen said user is not said authorized user, said user is requested to make a determination as to generating a request for access to said resource or not generating a request for access to said resource;
    - and,when said user determines to generate said request for access to said resource, forward said request for access to said resource to one or more ofa system administrator,a sender corresponding with said sender information, ora recipient corresponding with said recipient information.
  - 13. The system of claim 1, whereinsaid authorization subsystem comprisesa maximum access count for said resource;
    - and,a previous access count for said resource; and
      
      ,said determine whether a user is an authorized user compriseswhen said previous access count is less than said maximum access count,determine that said user is said authorized user, andincrement said previous access count by one; and
      
      ,when said previous access count is greater than or equal to than said maximum access count,determine that said user is not said authorized user.
  - 14. The system of claim 1, whereinsaid authorization subsystem comprisesa maximum users count for said resource;
    - and,an accessed-by list for said resource comprising a list of users that have successfully accessed said resource, wherein said accessed-by list is initially empty prior to any access attempts for said resource; and
      
      ,said determine whether a user is an authorized user compriseswhen said user is in said accessed-by list,determine that said user is said authorized user;
      
      when said user is not in said accessed-by list,when a number of users in said accessed-by list is less than said maximum users count,determine that said user is said authorized user, andadd said user to said accessed-by list for said resource; and
      
      ,when said number of users in said accessed-by list is greater than or equal to than said maximum users count,determine that said user is not said authorized user.
  - 15. The system of claim 1, wherein said sandbox environment comprises a managed cloud application.
  - 16. The system of claim 1, where said electronic message comprises one of said resource or one of said reference to said resource.

17. An electronic message threat protection system for authorized users comprisinga proxy server;
- a message transformation subsystem comprisinga message input module that receives an electronic message comprisinga sender information;
  
  a recipient information; and
  
  ,a reference to a resource comprising a link to a web page;
  
  wherein said web page has a web page identity;
  
  a reference rewriting module that replaces said reference to a resource with a protected reference to said resource, to form a protected message, wherein said protected reference to said resource comprisesa proxy server address of said proxy server; and
  
  ,an encoded link to said web page; and
  
  ,a message output module that forwards said protected message to a recipient corresponding with said recipient information;
  
  an authorization subsystem comprising a database comprisingregistered users; and
  
  registered user credentials for each of said registered users;
  
  wherein said registered user credentials comprise one or more ofan Internet protocol (IP) address or IP address range;
  
  a password;
  
  a PIN;
  
  a one-time PIN or one-time password sent to said user;
  
  a biometric credential;
  
  a security token;
  
  a security certificate;
  
  a response to a challenge questions;
  
  single sign-on credentials from a single sign-on service; and
  
  ,cached valid credentials previously provided by said user and stored on a memory associated with said user; and
  
  ,a secure resource access subsystem comprisinga whitelist of identities of web pages presumed to be secure;
  
  a blacklist of identities of web pages presumed to be malicious; and
  
  ,a policy for unknown web page identities comprising at least one ofblock unknown web pages;
  
  allow unknown web pages; and
  
  ,warn user of unknown web pages;
  
  wherein the message input module and the reference rewriting module are executable on a client or server computer or set of client or server computers;
  
  whereinsaid proxy server comprises or communicates withsaid authorization subsystem; and
  
  ,said secure resource access subsystem;
  
  said proxy server is configured to decode said encoded link to obtain said link to said web page;
  
  said recipient of said electronic message creates a copy of said protected reference;
  
  use of said protected reference or of said copy of said protected reference by said user to access said resource automatically causessaid authorization subsystem toobtain user credentials from said user; and
  
  ,determine that said user is an authorized user when and only when said user credentials match said registered user credentials for a registered user in said database;
  
  when said user is said authorized user, said secure resource access subsystem todecode said encoded link to obtain said link to said web page;
  
  provide access to said web page when said web page identity is in said whitelist;
  
  block access to said web page when said web page identity is in said blacklist; and
  
  ,when said web page identity is not in said whitelist and is not in said blacklist, apply said policy for unknown web page identities; and
  
  ,when said user is not said authorized user, said secure resource access subsystem to block access to said web page for said user; and
  
  ,whereinsaid secure resource access subsystem comprises a sandbox environment configured to open a sandboxed file;
  
  said protected reference comprisessaid encoded file reference to said sandboxed file, wherein said sandboxed file is a copy of said attached file in said sandbox environment;
  
  said proxy server comprises or communicates withsaid authorization subsystem;
  
  said secure resource access subsystem; and
  
  ,said proxy server is configured todecode said encoded file reference to obtain a reference to said sandboxed file; and
  
  ,open said sandboxed file in said sandbox environment.
- View Dependent Claims (18)
- - 18. The system of claim 17, where said electronic message comprises one of said resource or one of said reference to said resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mimecast Services Limited (Mimecast Limited)
Original Assignee
Mimecast North America, Inc. (Mimecast Limited)
Inventors
Tyler, Simon, Malone, Steven, Maylor, Jackie, Van Ry, Wayne, Ribeiro, Francisco
Primary Examiner(s)
Schmidt, Kari
Assistant Examiner(s)
Baum, Ronald

Application Number

US14/855,200
Time in Patent Office

392 Days
Field of Search

713/153
US Class Current

1/1
CPC Class Codes

H04L 51/046   Interoperability with other...

H04L 51/063   Content adaptation, e.g. re...

H04L 51/212   using filtering or selectiv...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

Electronic message threat protection system for authorized users

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic message threat protection system for authorized users

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links