Wombat Security Technologies, Inc.

Proofpoint, Inc.

Stratum Security, Inc.

Trevor Tyler Hawthorn

Norman Sadeh-Koniecpol

Kurt Wescoe

John T Campbell

Alan Himler

Joseph A Ferrara

Nathan Miller

Jason I Hong

Jason Brubaker

Dustin D Brungart

Jeff Losapio

Patrick H Veverka

Jeffrey LoSapio

An electronic device will identify an electronic message received by a messaging client that is associated with a first recipient, and it will analyze the electronic message to determine whether the electronic message is a simulated malicious message. Upon determining that electronic message is a simulated malicious message, the device will identify an actuatable element in the electronic message. The actuatable element will include a service address. The device will modify the electronic message by appending a user identifier of the first recipient to the service address of the actuatable element. Then, when the actuatable element is actuated, the system may determine whether the first recipient actuated the actuatable element or an alternate recipient did so based on whether the user identifier of the first recipient is still appended (or is the only user identifier appended) to the actuatable element.

Determining authenticity of reported user action in cybersecurity risk assessment

Various embodiments assess security risks of users in computing networks. In some embodiments, an interaction item is sent to an end user electronic device. When the end user interacts with the interaction item, the system collects feedback data that includes information about the user's interaction with the interaction item, as well as technical information about the electronic device. The feedback is compared to a plurality of security risk scoring metrics. Based on this comparison, a security risk score for the user with respect to a computing network.

Assessing security risks of users in a computing network

An electronic device will identify an electronic message received by a messaging client that is associated with a first recipient, and it will analyze the electronic message to determine whether the electronic message is a simulated malicious message. Upon determining that electronic message is a simulated malicious message, the device will identify an actuatable element in the electronic message. The actuatable element will include a service address. The device will modify the electronic message by appending a user identifier of the first recipient to the service address of the actuatable element. Then, when the actutable element is actuated, the system may determine whether the first recipient actuated the actuatable element or an alternate recipient did so based on whether the user identifier of the first recipient is still appended (or is the only user identifier appended) to the actuatable element.

An electronic messaging system includes a messaging server that identifies a recipient for an electronic message. The messaging system sends the recipient an electronic message that includes instrumented content. A web server monitors activity and determines whether interaction occurred with the instrumented content. The web server determines whether a sandbox intercepted the message based on whether interaction occurred, or did not occur, with the instrumented content within a threshold time period or with one or more activity characteristics.

Automated message security scanner detection system

A system manages computer security risks associated with message file attachments. When a user of an electronic device with a messaging client attempts to open an attachment to a message that is in the client's inbox, the system will analyze the message to determine whether the message is a legitimate message or a potentially malicious message without the need to actually process or analyze the attachment itself. If the system determines that the received message is a legitimate message, the system will permit the attachment to actuate on the client computing device. If the system determines that the received message is not or may not be a legitimate message, the system will continue preventing the attachment from actuating on the client computing device.

Advanced processing of electronic messages with attachments in a cybersecurity system

A client electronic device of an electronic message analysis system receives a user activation action indicating that a user has reported a message received at the client device a potentially malicious. The client device then determines whether to forward the message to a remote service for analysis by assessing whether the received message originated from a trusted sender. If and only if the client device determines that the received message originated from a trusted sender, it will permit the client device to take other action on the received message and not report the received message to a remote service for further analysis. If the client device does not determine that the received message originated from a trusted sender, it will report the received message to a remote service for further analysis.

Method and system for reducing reporting of non-malicious electronic messages in a cybersecurity system

An electronic message analysis system of a cybersecurity network assesses whether a received message is a mock malicious message in response to, receiving a user activation action that indicates that the user has reported the received message as a potentially malicious message. The system does this by determining whether any header field of a header section of the message starts with a predetermined key. For any header field that starts with the predetermined key, the system determines whether a value that follows the predetermined key satisfies a trusted sender rule. If the value that follows the predetermined key satisfies the trusted sender rule, the system determines that the received message originated from a trusted sender. If the value that immediately follows the predetermined key does not satisfy the trusted sender rule, the system determines that the received message did not originate from a trusted sender.

In a cybersecurity network, a system identifies and classifies non-malicious messages by receiving a user notification indicating that the user has reported a received message as potentially malicious message, and determining whether the received message is legitimate or potentially malicious. When the system determines that the message is a legitimate, it further analyzes the message to assign a class that may include trusted internal sender, trusted external sender, or training a simulated phishing message. It will then cause the user's device to provide the user with information corresponding to the assigned class. The system may also quarantine a received message and release the message from the quarantine only after determining that the message is legitimate and receiving a user acknowledgment.

Method and system for assessing and classifying reported potentially malicious messages in a cybersecurity system

Novel systems and methods for testing network security are disclosed. In one example, at least one specified data message and at least one specified access credential to at least one third-party web-based service is stored on a monitoring system. At least one software agent configured with the specified data message and the specified access credential to the third-party web-based service is installed on at least on system to be tested. The software agent is executed on the testing system to send the specified data message to the third-party web-based service using the specified access credential. A monitoring system which is independent of the network, access the third-party web-based service with the access credential. The monitoring system compares, if data on the third-party web-based service is equivalent to the specified data message sent by the software agent. In another example, the software agent is configured with a custom start-logging command.

Growing community of inventors

Ashburn, VA, United States of America

Trevor Tyler Hawthorn