Phishing and threat detection and prevention
First Claim
1. A database system for detecting and preventing phishing attacks, the database system comprising:
a hardware processor; and
one or more stored sequences of instructions which, when executed by the hardware processor, cause the hardware processor to perform operations comprising:
detecting a request from a user to open an electronic mail message (email) after the email has arrived and received in a user mailbox;
sending a link contained in the received email to a threat detection server in response to detecting the user request to open the received email from the user mailbox;
receiving a threat level indication for the link back from the threat detection server;
modifying a document object model (DOM) for the received email to include a message indicating the threat level of the link; and
opening the received email and using the modified DOM to display the included message based on a type of the threat level indication received from the threat detection server.
Abstract
A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.
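The whitelist/blacklist comparison and the resulting display changes described in the abstract, as an added example that is not code from the patent or its assignee. The hostname-keyed lists, the function names and the array-of-nodes stand-in for the email's DOM are assumptions.

```javascript
// Added example. List contents, names and the node model are constructed.
const WHITELIST = new Set(["intranet.example.com"]);
const BLACKLIST = new Set(["login-verify.example.net"]);

// Server side: compare a received link with the blacklist and whitelist.
// Assumption: list entries are hostnames; the abstract only says "links".
function classifyLink(link) {
  let url;
  try { url = new URL(link); } catch { return "unknown"; } // unparsable: never trusted
  if (url.protocol !== "http:" && url.protocol !== "https:") return "unknown";
  // Match the parsed hostname, not a substring of the raw link, so that
  // "https://trusted-host@other-host/" is judged by the host it really opens.
  const host = url.hostname.replace(/\.$/, "");
  if (BLACKLIST.has(host)) return "block"; // blacklist is checked first
  if (WHITELIST.has(host)) return "trusted";
  return "unknown";
}

// Client side: rewrite the email's nodes before the email is displayed.
// Nodes are { type: "text", text } or { type: "link", href, text }.
function annotateEmail(nodes, classify = classifyLink) {
  const out = [];
  for (const node of nodes) {
    if (node.type !== "link") { out.push(node); continue; }
    const level = classify(node.href);
    if (level === "block") {
      // Block identifier: remove the link and show a warning in its place.
      out.push({ type: "text", text: "[Warning: link removed, known security threat]" });
    } else if (level === "trusted") {
      out.push(node, { type: "text", text: "[Trusted link]" });
    } else {
      // Assumption: the abstract does not say how unlisted links are shown.
      out.push(node, { type: "text", text: "[Link not verified]" });
    }
  }
  return out;
}

// Constructed sample email: one trusted link and one blacklisted link whose
// userinfo part imitates the trusted host.
const SAMPLE_EMAIL = [
  { type: "text", text: "Please review:" },
  { type: "link", href: "https://intranet.example.com/wiki", text: "Wiki" },
  { type: "link", href: "https://intranet.example.com@login-verify.example.net/reset", text: "Reset password" },
];
```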
20 Claims
8. A system for detecting a security threat in an electronic mail message (email), comprising:
a hardware processor configured to operate a security agent in a web browser, wherein the security agent is configured to:
detect a request from a user to open the email after the email has arrived and received in a user mailbox;
identify a link in the received email in the user mailbox;
send the link to a threat detection server in response to detecting the user request to open the received email;
receive a threat level indication for the link back from the threat detection server;
generate a message, included in the received email, identifying the threat level indication for the link; and
open the received email and display the generated message based on a type of the threat level indication received from the threat detection server.
17. A threat detection server for detecting security threats in electronic mail messages (emails), comprising:
one or more hardware processors configured to:
receive links from an email system, the received links contained in the emails and received in response to user requests to open the emails after the emails have arrived and received in user mailboxes;
generate, by the threat detection server, threat level indicators based on a comparison of the received links with a blacklist of links associated with the security threats;
send the threat level indicators back to the email system, wherein the threat level indicators enable the email system to:
generate messages, included in the received emails, indicating threat levels of the received links, and
open the received emails and display the included messages based on types of the threat level indicators sent by the threat detection server.
Specification