Suspicious message processing and incident response

US 9,906,539 B2
Filed: 12/31/2015
Issued: 02/27/2018
Est. Priority Date: 04/10/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for message processing, comprising:

generating a simulated phishing message for use in a simulation platform, the message comprising an identifier in the message or in metadata of the message, wherein the simulated phishing message is a non-malicious message that resembles a phishing attack, and wherein the identifier is encrypted or encoded by the simulation platform such that the simulation platform generating the simulated phishing message is required to decrypt or decode the identifier to recognize the simulated phishing message as non-malicious;

receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;

providing a plug-in for a messaging client at a remote computing device, the plug-in configurable for executing computer instructions for determining whether the delivered message is a known simulated phishing attack based on the encrypted or encoded identifier of the delivered message;

when the delivered message is determined not to be a known simulated phishing attack based on the encrypted or encoded identifier, then;

receiving the delivered message at the simulation platform;

processing the delivered message at the simulation platform according to a set of electronically stored rules to determine whether the delivered message or attachment data of the delivered message contains defined textual or binary patterns associated with a threat;

assigning a priority to the delivered message based on a likelihood of the delivered message being a real phishing attack;

associating the delivered message with a message cluster based on the processing according to the rules, the message cluster being defined as a group of messages having at least one characteristic in common with the delivered message; and

displaying a graphical representation of the message cluster, each of the group of messages displayed in the message cluster having been determined not to be a known simulated phishing attack.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore, to a network for distributing information about detected phishing attacks.

251 Citations

30 Claims

1. A computerized method for message processing, comprising:
- generating a simulated phishing message for use in a simulation platform, the message comprising an identifier in the message or in metadata of the message, wherein the simulated phishing message is a non-malicious message that resembles a phishing attack, and wherein the identifier is encrypted or encoded by the simulation platform such that the simulation platform generating the simulated phishing message is required to decrypt or decode the identifier to recognize the simulated phishing message as non-malicious;
  
  receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  providing a plug-in for a messaging client at a remote computing device, the plug-in configurable for executing computer instructions for determining whether the delivered message is a known simulated phishing attack based on the encrypted or encoded identifier of the delivered message;
  
  when the delivered message is determined not to be a known simulated phishing attack based on the encrypted or encoded identifier, then;
  
  receiving the delivered message at the simulation platform;
  
  processing the delivered message at the simulation platform according to a set of electronically stored rules to determine whether the delivered message or attachment data of the delivered message contains defined textual or binary patterns associated with a threat;
  
  assigning a priority to the delivered message based on a likelihood of the delivered message being a real phishing attack;
  
  associating the delivered message with a message cluster based on the processing according to the rules, the message cluster being defined as a group of messages having at least one characteristic in common with the delivered message; and
  
  displaying a graphical representation of the message cluster, each of the group of messages displayed in the message cluster having been determined not to be a known simulated phishing attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, further comprising displaying a grouping of delivered messages as a cluster, wherein the cluster comprises a plurality of messages having at least one common characteristic among the grouping of messages.
  - 3. The method of claim 1, wherein messages are grouped into clusters according to a sender credibility score associated with the messages or a reporter reputation score associated with the messages.
  - 4. The method of claim 1, further comprising displaying the message cluster of messages as a circle having a relative size based on a number of messages assigned to the message cluster.
  - 5. The method of claim 4, wherein a color is associated with a threat severity for the displayed message cluster and the message cluster is rendered in the associated color.
  - 6. The method of claim 1, further comprising displaying multiple message clusters, wherein each message cluster is displayed as a shape having a relative size indicating a number of messages in each message cluster and each message cluster is rendered in a color associated with a message cluster priority.
  - 7. The method of claim 6, wherein each message cluster is displayed as an active link which, when selected, displays additional information about the selected message cluster.
  - 8. The method of claim 1, further comprising performing an operation on one or more messages in the message cluster, wherein the operation comprises one of deleting the message from a user inbox, quarantining the message from a user inbox, classifying the message, and responding to the message.
  - 9. The method of claim 1, wherein the delivered message is classified as malicious if the delivered message is assigned to a message cluster having a threshold number of messages, each message being associated with a minimum reputation score.
  - 10. The method of claim 1, wherein the delivered message is classified as non-malicious based on a determination that the message cluster to which the delivered message is assigned is non-malicious.
  - 11. The method of claim 1, further comprising executing an integration, wherein the integration comprises one or more of opening a link contained in the delivered message data in a simulated environment, opening attachment data in a simulated environment, and scanning the delivered message for malicious content, and querying a database of known threat activity with data extracted from the delivered message.
  - 12. The method of claim 1, further comprising providing an interface for creating a rule from the message cluster, wherein the created rule is met by a threshold number of messages in the message cluster.
  - 13. The method of claim 1, further comprising providing an interface for creating a set of executable instructions based on at least one characteristic of at least one message from a corresponding message cluster.
  - 14. The method of claim 1, further comprising providing an interface for specifying one or more rules for automatically responding to a notification by a pre-configured response message.
  - 15. The method of claim 1, wherein if the delivered message is determined to be a known simulated phishing attack, providing feedback to the individual confirming that the delivered message was a simulated phishing attack.
  - 16. The method of claim 1, further comprising comparing the delivered message against stored rules for determining whether the delivered message or associated attachment data contains a pre-defined a textual or pre-defined binary pattern.
  - 17. The method of claim 1, further comprising enabling access to a message server for removing messages from messaging accounts associated with multiple users.
  - 18. The method of claim 17, wherein at least a portion of a message body of the delivered message or at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message is communicated for threat processing.
  - 19. The method of claim 17, further comprising removing one or more messages from messaging accounts associated with multiple users based on a matching of at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message with the one or more messages from the messaging accounts associated with the multiple users.
  - 20. The method of claim 16, further comprising executing a remedial action on a network device based on the comparison of the delivered message against stored rules for determining whether message or attachment data contains a pre-defined textual or a pre-defined binary pattern.
  - 21. The method of claim 1, further comprising processing the delivered message according to a pre-defined rule configured to process messages received at a network server that have been identified as suspicious by a user.
  - 22. The method of claim 21, further comprising processing the delivered message by pattern matching according to pattern matching rules to detect malicious messages based on local threat information.
  - 23. The method of claim 22, further comprising labeling as suspicious messages that are not cleared by initial rules pattern matching processing.
  - 24. The method of claim 23, further comprising grouping the messages labeled as suspicious in a cluster of suspicious messages.
  - 25. The method of claim 1, wherein if multiple users identify multiple copies of a message, the copies having an identical identifying characteristic, increasing a threat score for the messages having the identical identifying characteristic;
    - andprocessing the multiple copies of the message according to the threat score.
  - 26. The method of claim 1, further comprising:
    - creating a rule to match a legitimate message sent by an internal department of an organization; and
      
      suppressing display on a console of all messages matching the legitimate message rule.
  - 27. The method of claim 1, further comprising automatically responding to a user with a message indicating that the delivered message is legitimate, and removing the delivered message from display in a management console.
  - 28. The method of claim 1, further comprising configuring an inbound mail sever to generate a command to remove one or more messages to render the delivered message inaccessible to the user.
  - 29. The method of claim 28, further comprising generating a command to remove one or more messages from a user inbox based on a threshold score, sender credibility score, or threshold reporter reputation score.
  - 30. The method of claim 1, further comprising sharing a rule or executable instruction with another installation via a centralized rule or instruction review facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott, Galway, William, Hagen, Douglas
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Doan, Huan V

Application Number

US14/986,515
Publication Number

US 20160301705A1
Time in Patent Office

789 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/35   Clustering; Classification

H04L 51/212   using filtering or selectiv...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/0428   wherein the data content is...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Suspicious message processing and incident response

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

251 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Suspicious message processing and incident response

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

251 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others