Phishing and threat detection and prevention
1 Assignment
0 Petitions
Abstract
A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.
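The flow in the abstract, sketched as an added example (not code from the patent or its assignee). Class and function names, the `unknown` identifier, exact-string link matching, and keeping the anchor text when a link is removed are all assumptions made for illustration; the sample email is constructed.

```python
import re
from dataclasses import dataclass, field

TRUSTED, BLOCK, UNKNOWN = "trusted", "block", "unknown"  # UNKNOWN is an assumption

@dataclass
class ThreatDetectionServer:  # hypothetical name
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    reports: list = field(default_factory=list)  # pending (user, link) threat reports

    def check(self, link):
        # Whitelist is compared first, then the blacklist.
        if link in self.whitelist:
            return TRUSTED
        if link in self.blacklist:
            return BLOCK
        return UNKNOWN

    def report(self, user, link):
        # Enterprise users submit suspected links; the lists do not change yet.
        self.reports.append((user, link))

    def review(self, link, is_threat):
        # Administrator decision, applied asynchronously to the lists.
        self.reports = [r for r in self.reports if r[1] != link]
        add_to, drop_from = ((self.blacklist, self.whitelist) if is_threat
                             else (self.whitelist, self.blacklist))
        drop_from.discard(link)  # a link never sits on both lists
        add_to.add(link)

# Simplified anchor matcher, sufficient for the constructed sample below.
HREF = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def render_email(html, server):
    """Browser side: look up every link before display and apply the identifier."""
    def apply(m):
        level = server.check(m.group(1))
        if level == BLOCK:
            # Block identifier: drop the link, keep its text, show a warning.
            return f"{m.group(2)} [link removed: reported security threat]"
        return f"{m.group(0)} [{level}]"
    return HREF.sub(apply, html)

if __name__ == "__main__":
    server = ThreatDetectionServer(whitelist={"https://intranet.example.com/payroll"})
    mail = ('<p><a href="https://intranet.example.com/payroll">Payroll</a> '
            '<a href="https://login.example.net/reset">Reset password</a></p>')
    print(render_email(mail, server))                        # second link: unknown
    server.report("alice", "https://login.example.net/reset")
    server.review("https://login.example.net/reset", is_threat=True)
    print(render_email(mail, server))                        # second link removed
```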
186 Citations
22 Claims
1. A database system for detecting and preventing phishing attacks, the database system comprising:
a hardware processor; and
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
detecting a request to open an electronic mail message (email) after the email has arrived in a user mailbox;
prior to opening the email in the user mailbox, sending a link contained in the email to a threat detection server in response to detecting the request to open the email;
receiving a threat level identifier from the threat detection server associated with the link after being compared with blacklisted links; and
opening the email and displaying a message with the email and the threat level identifier associated with the link.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A database system for detecting and preventing security threats, the database system comprising:
a hardware processor configured to:
receive reports from user systems associated with an enterprise;
identify suspected links in the reports as blacklisted links when the suspected links are associated with security threats;
receive a link associated with an object of an email residing on one or more of the user systems and selected to be opened by one or more of the user systems after the email has arrived in a user mailbox and prior to opening the email from the user mailbox;
compare the received link with the blacklisted links; and
send a threat level identifier back to the one or more user systems based on the comparison of the received link with the blacklisted links to cause the object to be opened and the threat level identifier to be displayed with the opened object.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16

17. A method for detecting security threats in a database system, comprising:
receiving, by a hardware processor of the database system, a link associated with an email residing in a user mailbox and selected in a web browser from the user mailbox after the email has arrived in the user mailbox and prior to opening the email from the user mailbox;
comparing, by the database system, the received link with a whitelist of trusted links;
sending, by the database system, a trusted identifier back to the web browser when the received link is identified in the whitelist, wherein the trusted identifier causes the web browser to display a level of the trusted identifier and a trusted message in conjunction with the received link in the email;
comparing, by the database system, the received link with a blacklist of links associated with the security threats; and
sending, by the database system, a block identifier back to the web browser when the received link is identified in the blacklist, wherein the block identifier causes the web browser to remove the received link from the email.
Dependent claims: 18, 19, 20, 21, 22

Specification