Message platform for automated threat simulation, reporting, detection, and remediation

Patent number
US11997115B1
Publication date
2024-05-28
Applicant
Cofense Inc.(US VA Leesburg)
Inventor
Aaron Higbee; David Chamberlain; Vineetha Philip
IPC classification
H04L9/40; G06F16/35; G06F21/00; G06F21/55; H04L51/212; H04L51/08
Technical field
message,phishing,email,messages,be,or,emails,in,user,cluster
Region: VA VA Leesburg

Abstract

Methods, network devices, and machine-readable media for an integrated environment and platform for automated processing of reports of suspicious messages, and further including automated threat simulation, reporting, detection, and remediation, including rapid quarantine and restore functions.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 16/801,130, filed Feb. 25, 2020, now U.S. Pat. No. 11,159,545, which is a continuation-in-part of application Ser. No. 16/532,449, filed Aug. 5, 2019, now U.S. Pat. No. 11,146,575, which is a continuation of application Ser. No. 16/418,973, filed May 21, 2019, now U.S. Pat. No. 10,375,093, which is a continuation of application Ser. No. 15,905,784, filed Feb. 26, 2018, now U.S. Pat. No. 10,298,602, which is a continuation-in-part of application Ser. No. 15/584,002, filed May 1, 2017, now U.S. Pat. No. 9,906,554, which is a continuation of application Ser. No. 14/986,515, filed Dec. 31, 2015, now U.S. Pat. No. 9,906,539, which claims the benefit of U.S. Provisional Application No. 62/145,778, filed Apr. 10, 2015. This application is also a continuation-in-part of application Ser. No. 16/181,122, filed Nov. 5, 2018, which claims the benefit of U.S. Provisional Application No. 62/581,637, filed Nov. 3, 2017. This application also claims the benefit of U.S. Provisional Application No. 62/810,369, filed Feb. 25, 2019. The entire contents of each of the foregoing applications are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to methods, network devices, and machine-readable media for an integrated environment for receiving a report of a suspicious message having been received in a user account, identifying other accounts that have received similar messages, quarantining and unquarantining those messages, and generating simulated phishing messages based on the identified suspicious message.

BACKGROUND OF THE INVENTION

Claims

The invention claimed is:

1. A computerized method for suspicious message processing and incident response, comprising:
receiving a report at a threat detection platform of a potentially suspicious message delivered into a user account, the report being generated as a result of an action by the user indicating that the message has been identified by the user as a potential security threat, and
wherein the report having been initiated by a user interface element in an email client, and
wherein the report comprises a copy of the delivered message;
electronically storing defined textual or binary patterns associated with at least one security threat;
processing the received message according to the electronically stored patterns to determine if the body of the received message or an attachment of the received message contains the defined textual or binary patterns associated with the security threat;
if the received message contains the defined textual or binary patterns associated with the security threat, then:
transmitting a message identifier and associated account identifier for the received message to an email server in association with a command to move the received message from an inbox associated with the user account;
based on the received message, generating a simulated phishing message;
establishing a privileged account connection to an administrative account on the email server to access multiple user email accounts; and
using the privileged account, inserting the simulated phishing message into one or more of the accessed multiple user email accounts.

2. The method of claim 1, wherein the inserting of the simulated phishing message is performed only after a user activity action has been detected on the one or more multiple user email accounts.

3. The method of claim 1, further comprising:
transmitting a command to the email server to return one or more message identifiers and associated account identifiers for other messages having the defined textual or binary patterns associated with the security threat;
receiving the message identifiers and account identifiers for the other messages having the defined textual or binary patterns associated with the security threat;
transmitting the message identifiers and account identifiers to the email server in association with a command to move the messages from user account inboxes.

4. The method of claim 1, further comprising:
at the email server:
receiving copies of incoming email messages;
parsing the incoming email messages into Multipurpose Internet Mail Extension components; and
storing the message components in a data store, each of the messages components being stored as a separate field in a database in the data store, each of the fields being stored in association with a unique message identifier for the message.

5. A computerized system for suspicious message processing and incident response, comprising:
a processor at a threat detection platform configured with executable instructions for:
receiving a report at a threat detection platform of a potentially suspicious message delivered into a user account, the report being generated as a result of an action by the user indicating that the message has been identified by the user as a potential security threat, and
wherein the report having been initiated by a user interface element in an email client, and
wherein the report comprises a copy of the delivered message;
electronically storing defined textual or binary patterns associated with at least one security threat;
processing the received message according to the electronically stored patterns to determine if the body of the received message or an attachment of the received message contains the defined textual or binary patterns associated with the security threat;
if the received message contains the defined textual or binary patterns associated with the security threat, then:
transmitting a message identifier and associated account identifier for the received message to an email server in association with a command to move the received message from an inbox associated with the user account;
based on the received message, generating a simulated phishing message;
establishing a privileged account connection to an administrative account on the email server to access multiple user email accounts; and
using the privileged account, inserting the simulated phishing message into one or more of the accessed multiple user email accounts.

6. The system of claim 5, wherein the inserting of the simulated phishing message is performed only after a user activity action has been detected on the one or more multiple user email accounts.

7. The system of claim 5, further comprising instructions for:
transmitting a command to the email server to return one or more message identifiers and associated account identifiers for other messages having the defined textual or binary patterns associated with the security threat;
receiving the message identifiers and account identifiers for the other messages having the defined textual or binary patterns associated with the security threat;
transmitting the message identifiers and account identifiers to the email server in association with a command to move the messages from user account inboxes.

8. The system of claim 5, further comprising instructions for:
at the email server:
receiving copies of incoming email messages;
parsing the incoming email messages into Multipurpose Internet Mail Extension components; and
storing the message components in a data store, each of the messages components being stored as a separate field in a database in the data store, each of the fields being stored in association with a unique message identifier for the message.
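
The steps recited in claims 3 and 4 (and 7 and 8), as an added Python example that is not code from the patent or from the applicant: incoming mail is parsed into MIME components, each component is stored against the message identifier, and the store is searched for the defined textual or binary patterns to return the message and account identifiers to move. The table schema, the two patterns, the sample messages, and the use of the Message-ID header as the unique message identifier are assumptions made for illustration.

```python
import re
import sqlite3
from email import message_from_bytes, policy
from email.message import EmailMessage

# Stored patterns (constructed for illustration): one textual, one binary.
PATTERNS = [re.compile(rb"(?i)verify your account"),
            re.compile(re.escape(b"\xd0\xcf\x11\xe0"))]  # OLE2 file magic

def make_sample(mid, body, attachment=None):
    """Build a constructed raw message; stands in for mail copied to the server."""
    m = EmailMessage()
    m["Message-ID"] = mid
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

def store_message(db, account, raw):
    """Parse into MIME components; one row per leaf part, keyed by Message-ID."""
    msg = message_from_bytes(raw, policy=policy.default)
    mid = str(msg["Message-ID"])
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        db.execute("INSERT INTO parts VALUES (?, ?, ?, ?, ?)",
                   (mid, account, idx, part.get_content_type(), payload))
    return mid

def find_matches(db, patterns):
    """Return sorted (message_id, account) pairs with a part matching any pattern."""
    rows = db.execute("SELECT message_id, account, payload FROM parts")
    return sorted({(mid, acct) for mid, acct, payload in rows
                   if any(p.search(payload) for p in patterns)})

def build_store():
    """Create the in-memory data store and load three constructed messages."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parts (message_id TEXT, account TEXT, "
               "part_index INTEGER, content_type TEXT, payload BLOB)")
    store_message(db, "alice@example.test", make_sample(
        "<m1@example.test>", "Please verify your account today."))
    store_message(db, "bob@example.test", make_sample(
        "<m2@example.test>", "Lunch at noon?"))
    store_message(db, "carol@example.test", make_sample(
        "<m3@example.test>", "See attached.", b"\xd0\xcf\x11\xe0constructed"))
    return db
```

Decoding each part before storage is what lets the binary pattern match the base64-encoded attachment in the third message; the returned pairs are what a quarantine command would be issued against.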