Phishing and threat detection and prevention

US 9,787,714 B2
Filed: 10/25/2016
Issued: 10/10/2017
Est. Priority Date: 08/21/2014
Status: Active Grant

First Claim

Patent Images

1. A database system for detecting and preventing phishing attacks, the database system comprising:

a hardware processor; and

one or more stored sequences of instructions which, when executed by the hardware processor, cause the hardware processor to perform operations comprising;

detecting a request from a user to open an electronic mail message (email) after the email has arrived and received in a user mailbox;

sending a link contained in the received email to a threat detection server in response to detecting the user request to open the received email from the user mailbox;

receiving a threat level indication for the link back from the threat detection server;

modifying a document object model (DOM) for the received email to include a message indicating the threat level of the link; and

opening the received email and using the modified DOM to display the included message based on a type of the threat level indication received from the threat detection server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.

190 Citations

20 Claims

1. A database system for detecting and preventing phishing attacks, the database system comprising:
- a hardware processor; and
  
  one or more stored sequences of instructions which, when executed by the hardware processor, cause the hardware processor to perform operations comprising;
  
  detecting a request from a user to open an electronic mail message (email) after the email has arrived and received in a user mailbox;
  
  sending a link contained in the received email to a threat detection server in response to detecting the user request to open the received email from the user mailbox;
  
  receiving a threat level indication for the link back from the threat detection server;
  
  modifying a document object model (DOM) for the received email to include a message indicating the threat level of the link; and
  
  opening the received email and using the modified DOM to display the included message based on a type of the threat level indication received from the threat detection server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising:
    - receiving a block indication in the threat level indication from the threat detection server;
      
      removing the link from the received email based on the block indication; and
      
      modifying the DOM to display a warning in the message indicating the link is associated with a phishing attack.
  - 3. The database system of claim 2, wherein the instructions further cause the processor to perform operations comprising replacing the link in the received email with a cross out image of the link.
  - 4. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising attaching a reporting link to the received email, the reporting link connecting to a web page on the threat detection server for reporting suspicious links.
  - 5. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising operating a security agent in a web browser, the security agent carrying out the steps of:
    - detecting the request to open the received email;
      
      identifying the link in the received email;
      
      sending the link to the threat detection server;
      
      receiving the threat level indication back from the threat detection server; and
      
      modifying the DOM for the received email to include the message indicating the threat level of the link.
  - 6. The database system of claim 5, wherein the instructions further cause the security agent to perform operations comprising:
    - removing the link from the received email when the threat level indication indicates the link as blacklisted; and
      
      opening the received email only after modifying the DOM and removing the link from the received email.
  - 7. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising:
    - receiving the threat level indication based on the threat detection server comparing the link with a blacklist; and
      
      opening the received email only after receiving the threat level indication and modifying the DOM.

8. A system for detecting a security threat in an electronic mail message (email), comprising:
- a hardware processor configured to operate a security agent in a web browser, wherein the security agent is configured to;
  
  detect a request from a user to open the email after the email has arrived and received in a user mailbox;
  
  identify a link in the received email in the user mailbox;
  
  send the link to a threat detection server in response to detecting the user request to open the received email;
  
  receive a threat level indication for the link back from the threat detection server;
  
  generate a message, included in the received email, identifying the threat level indication for the link; and
  
  open the received email and display the generated message based on a type of the threat level indication received from the threat detection server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The system of claim 8, wherein the security agent is further to remove the link from the received email when the threat level identifies the link as blacklisted.
  - 10. The system of claim 9, wherein the security agent is further to display a warning notification in the message when the threat level indication identifies the link as blacklisted.
  - 11. The system of claim 8, wherein the security agent is further to display a trusted link notification in the message when the threat level indication identifies the link as whitelisted.
  - 12. The system of claim 8, wherein the security agent is further to display an ok notification in the message when the threat level indication indicates the link is not blacklisted or whitelisted.
  - 13. The system of claim 8, wherein the security agent is further to insert a reporting link in the message to connect to the threat detection server and report the link as suspicious.
  - 14. The system of claim 8, wherein the security agent is further to modify a document object model (DOM) for the received email to include the message.
  - 15. The system of claim 14, wherein the security agent is further to modify the DOM to remove the link from the received email and display a warning in the message when the threat level indication identifies the link as blacklisted.
  - 16. The system of claim 8, wherein the security agent is further to:
    - send the link to the threat detection server in response to the request to open the received email;
      
      receive the threat level indication back from the threat detection server after the link is compared with a blacklist and prior to opening the received email; and
      
      open the received email only after the threat level indication is received.

17. A threat detection server for detecting security threats in electronic mail messages (emails), comprising:
- one or more hardware processors configured to;
  
  receive links from an email system, the received links contained in the emails and received in response to user requests to open the emails after the emails have arrived and received in user mailboxes;
  
  generate, by the threat detection server, threat level indicators based on a comparison of the received links with a blacklist of links associated with the security threats;
  
  send the threat level indicators back to the email system, wherein the threat level indicators enable the email system to;
  
  generate messages, included in the received emails, indicating threat levels of the received links, andopen the received emails and display the included messages based on types of the threat level indicators sent by the threat detection server.
- View Dependent Claims (18, 19, 20)
- - 18. The threat detection server of claim 17, further comprising sending block threat levels indicators to the email system for the received links in the blacklist, the block indicators causing the email system to remove the received links prior to opening the emails.
  - 19. The threat detection server of claim 17, further comprising sending trusted threat level indicators to the email system for the received links in a whitelist of trusted links.
  - 20. The threat detection server of claim 17, further comprising:
    - receiving threat reports from the email system identifying suspected phishing links in the emails;
      
      count a number of the threat reports received for each of the suspected phishing links; and
      
      assign the suspected phishing links to the blacklist when the number of threat reports for the suspected phishing links exceeds a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Bach, Timothy
Primary Examiner(s)
Chai, Longbit

Application Number

US15/334,107
Publication Number

US 20170048273A1
Time in Patent Office

350 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 63/101   Access control lists [ACL]

H04L 63/1483   service impersonation, e.g....

Phishing and threat detection and prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

190 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing and threat detection and prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links