This application claims priority to U.S. Provisional Patent Application No. 62/647,528 entitled DETECTION OF ASSOCIATED ACCOUNTS filed Mar. 23, 2018 which is incorporated herein by reference for all purposes.
This application is a continuation-in-part of co-pending U.S. patent application Ser. No. 15/992,752 entitled AUTOMATED INTELLIGENCE GATHERING filed May 30, 2018, which claims priority to U.S. Provisional Patent Application No. 62/543,801 entitled GENERATION OF FLASH SIGNATURES FOR DEFENSE AGAINST TARGETED ATTACKS filed Aug. 10, 2017 and claims priority to U.S. Provisional Patent Application No. 62/516,535 entitled AUTOMATED INTELLIGENCE GATHERING filed Jun. 7, 2017, all of which are incorporated herein by reference for all purposes.
Traditional security controls are not well suited to address targeted threats. For example, traditional anti-virus solutions are based on generating blacklists—whether associated with content or behavior; similarly, spam filters identify keywords and phrases indicative of abuse. Approaches such as these address very large-volume attacks reasonably well, but are vulnerable to targeted threats as the threat instance is typically unique, or mimicking accepted business practices.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 is a diagram illustrating an embodiment of a system environment for analyzing a message.
FIG. 2A is a flowchart illustrating an embodiment of a process for determining whether to investigate a sender of a message.
FIG. 2B is a flowchart illustrating an embodiment of a process for investigating a sender of a malicious message.
FIG. 2C is a flowchart illustrating an embodiment of a process for providing security protection status information.
FIG. 2D is a flowchart illustrating an embodiment of a process for generating and using honey-tokens.
FIG. 2E is a flowchart illustrating an embodiment of a process for analyzing a received message for security risks.
FIG. 3 is a flowchart illustrating an embodiment of a process for analyzing a received message for security risks.
FIG. 4 is a flowchart illustrating an embodiment of a process for analyzing individual aspects of a message for security threats.
FIG. 5 is a flowchart illustrating an embodiment of a process for analyzing aspects of a received message based on whether the message is from an independently controlled account of a sender.
FIG. 6 is a flowchart illustrating an embodiment of a process for wrapping encrypted content of the message.
FIG. 7 is a flowchart illustrating an embodiment of a process for tracking trusted contacts.
FIG. 8 is a flowchart illustrating an embodiment of a process for determining information about a message sender to be utilized to assess a risk of a message.
FIG. 9 is a flowchart illustrating an embodiment of a process for determining a total risk measure of a contact.
FIG. 10 is a flowchart illustrating an embodiment of a process for assessing a received message for filtering.
FIG. 11A is a flowchart illustrating an embodiment of a process for modifying a display name of a sender of the message.
FIG. 11B is a flowchart illustrating an embodiment of a process for modifying a reply address of a sender of the message.
FIG. 12 is a flowchart illustrating an embodiment of a process for securing a message.
FIG. 13A is a flowchart illustrating an embodiment of a process for detecting misrecognition of a sender of a message by a recipient of the message.
FIG. 13B shows an example of a modified message requesting manual classification of the sender of the message.
FIG. 14A is a flowchart illustrating an embodiment of a process for requiring a sender of a message to verify an identity of the sender.
FIG. 14B shows an example of an automatic reply message requesting verification of an identity of the sender of the message.
FIG. 15 is a flowchart illustrating an embodiment of a process for determining a change in historical reputation of a sender of a message.
FIG. 16 shows an example malicious email.
FIG. 17 shows example headers of the example malicious email.
FIG. 18 is a flowchart illustrating an embodiment of a process for generating a signature.
FIG. 19 is a diagram illustrating an embodiment of components of a system.
FIG. 20 is a block diagram illustrating an example of a message that includes a potentially executable or otherwise risky attachment.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
In some contexts, such as when analyzing a potentially malicious email, it is important to know that the email, in fact, corresponds to a criminal attempt and is not a false positive. However, manually reviewing every potentially malicious email would be burdensome and often infeasible. It would be beneficial to outsource the decision of criminal intent to the party we are about to interact with. In other words, a test in which a criminal “admits” to be a criminal, while an honest person asserts that he is honest.
In some embodiments, verification of malicious intent of an attacker is achieved by taking advantage of the initial attack attempt of the attacker. When a message sent from an attacker to a recipient is received, a security risk associated with the message is determined. If there is sufficient risk detected to determine that the message is likely a malicious message, a responsive message is sent in response to the message from the attacker. An interaction with the responsive message is automatically analyzed. For example, the responsive message includes a reference (e.g., URL) to a content likely desired to be accessed by the attacker to entice the attacker to open the message and access the content via the reference. The number of times and locations (e.g., IP addresses) where the content is accessed via the reference may be tracked and analyzed. Based on a result of the analysis of the interaction with the responsive message, a security risk associated with the sender of the message is determined. For example, a threat classification associated with the sender is determined and utilized in performing a security action.
In some embodiments, when the attacker requests the content of the reference, access to a message repository of the attacker is requested as a condition of obtaining the content of the reference. Because the attacker is likely eager to obtain the content of the reference, the attacker likely will allow access to the message repository of the attacker. Then, with access to the attacker's message repository, information about the attacker can be investigated and gathered. Using this information, the attacker can be penalized (e.g., reported to law enforcement authorities).
An email honeypot is a construction that collects unwanted and malicious emails. Traditional honeypots are passive constructions that do not interact with attackers. In some embodiments, vital account information is collected from attackers and used for purposes of takedown. In some embodiments, attackers and potential attackers are notified that a potential target is protected by a system that will attempt to collect vital account information from attackers and used for purposes of takedown. Such notifications are useful to dissuade would-be attackers from launching attacks. A desirable way to defend an organization and their users is to (1) cause a notable cost to the attacker and (2) notify the attacker of the cost to the attacker, to make sure that the attacker understands the connection between attacking the organization and suffering from the consequences. By penalizing attackers and making the link between attack and penalty clear, a security system improves the security provided beyond just filtering dangerous messages.
FIG. 1 is a diagram illustrating an embodiment of a system environment for analyzing a message. Examples of the message include an electronic mail (i.e., email), an instant message, a text message, a Short Message Service (SMS) message, a text message, a Multimedia Messaging Service (MMS) message, and any other forms of electronic messages. Analysis server 102 is connected to recipient message server 106 via network 108. In some embodiments, analysis server 102 is directly embedded or implemented in recipient message server 106. Sending message server 104 sends a message to recipient message server 106 for delivery to a recipient associated with recipient message server 106. In some embodiments, recipient message server 106 is a local message server. Gateway 110 receives the message prior to delivery to recipient message server 106. Gateway 110 may process incoming email messages for one or more recipient users of an organization (e.g., for users with a common domain email address). In various embodiments, recipient message server 106 may be any type of server that receives a message for delivery to a recipient user. Sending message server 104 is the last server that handled a message prior to delivery to recipient message server 106 via network 108. For example, sending message server 104 is an outgoing email server of a sender of the message. In various embodiments, sending message server 104 may be any type of server able to send a message to recipient message server 106.
Analysis server 102 processes a received message and filters it for potentially harmful or undesired messages. For example, incoming messages are filtered and analyzed for spam, viruses, spoofing, impersonation, ATOed sender, and any other harmful or undesired content to detect, prevent, or minimize such messages from reaching a message recipient served by the recipient message server. In some embodiments, analysis server 102 determines and/or maintains a list of trusted contacts for one or more users (e.g., user accounts) of recipient message server 106. For example, by obtaining an address book from a user and/or observing message traffic to and from server 106 of the user, server 102 determines and/or maintains a list for each user.
In some embodiments, a message sent from sending message server 104 is first received at analysis server 102 prior to being received at gateway 110 and recipient message server 106. In some embodiments, a message sent from sending message server 104 is first received at gateway 110 that sends the message to analysis server 102. In some embodiments, a message sent from sending message server 104 is received at gateway 110 that sends the message to recipient message server 106 and recipient message server 106 send the message to analysis server 102. In an alternative embodiment, analysis server 102 is included in gateway 110. In an alternative embodiment, analysis server 102 is included in message server 106.
In addition to analyzing the message, analysis server 102 may block and/or modify the message or instruct another server (e.g., instruct server 106) to block and/or modify the message in the event a potential threat is detected. In some embodiments, analysis server 102 initiates a user inquiry regarding a sender of the message in the event a potential threat is detected. In some embodiments, analysis server 102 receives information about one or more messages sent by a user of message server 106 (e.g., receives the message or a portion of the message, a recipient identifier included in the message, etc.). This information may be utilized by analysis server 102 to identify message behavior and/or message contacts of the user.
In some embodiments, recipient message server 106 performs a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score). Performing authenticity analysis may include determining a measure of confidence that a sender identified in the message (e.g., domain of sender) is the actual sender of the message. Performing reputation analysis may include determining a measure that an identified sender of the email (e.g., domain of sender) is likely to send a message that is of value to a recipient (e.g., likelihood of sending message that a recipient would want/desire to receive).
In some embodiments, a risk analysis performed by recipient message server 106 results in a risk value of a message. The risk value may be utilized at least in part to flag/label the message, modify the message (e.g., add warning), and/or to determine whether to allow the message to be delivered to an intended recipient of the message.
In some embodiments, based on a risk analysis performed by analysis server 102, gateway 110, message server 106, and/or any other server (not shown in FIG. 1) connected to network 108 for a received message, one or more responsive messages are automatically generated to further analyze and determine a security risk associated with a sender of an initially received message. For example, by analyzing an interaction with content of the responsive message, a malicious intent of the sender initially received message is determined. In some embodiments, an attempt is made to gain access to a message repository of the sender of the message. For example, if it is determined with sufficient certainty that a received message to be delivered to an intended recipient is a malicious message that meets one or more criteria (e.g., the message is identified with sufficient certainty to be a phishing attempt, a known scam, etc.), access to a message account of the sender/attacker is achieved by taking advantage of the initial attack attempt message of the sender. A responsive message is sent in response to the message from the attacker. The message may be at least in part automatically generated and sent by analysis server 102, gateway 110, message server 106, and/or any other security server. The generated message includes a reference (e.g., URL) to a content likely desired to be accessed by the attacker, enticing the attacker to open the message and access the content via the reference. For example, a link identified as leading to monetary transfer confirmation, payment redemption instruction, password information, etc. is included in the message. The reference may actually lead to a web content (e.g., webpage made to appear as a landing page that will eventually provide access to desired content) provided by analysis server 102, gateway 110, recipient message server 106, and/or any other server or security service. When the attacker requests the content of the reference, access to a message repository of the attacker is requested as a condition of obtaining the content of the reference. For example, an OAuth request to access a message repository of the attacker is presented to the attacker. Because the attacker is likely eager to obtain the content of the reference, the attacker likely will allow access to the message repository of the attacker. Then, with access to the attacker's message repository, information about the attacker can be investigated and gathered. Using this information, the attacker can be penalized (e.g., report generated and provided to law enforcement authorities).
Examples of network 108 include one or more of the following: a direct or indirect physical communication connection, a mobile communication network, Internet, intranet, Local Area Network, Wide Area Network, Storage Area Network, and any other form of connecting two or more systems, components, or storage devices together. Other communication paths may exist and the example of FIG. 1 has been simplified to illustrate the example clearly. Although single instances of many of the components shown in FIG. 1 have been shown to simplify the diagram, additional instances of any of the components shown in FIG. 1 may exist. For example, a plurality of recipient message servers are connected and/or managed by analysis server 102. Multiple analysis servers may exist. Multiple recipient message servers may serve the same recipient entity/domain. Components not shown in FIG. 1 may also exist. Any of the components shown in FIG. 1 may be a logical, physical, or virtual component.
It is desirable to be able to track the spread of malicious messages and identify those users that have been affected by the malicious content included or linked by the malicious messages. A sender of a message is able to configure a URL or an attachment of the message to be tracked when a user visits the URL or opens the attachment. For example, advertisers, as a sender of a marketing email, are able to track when a user visits a URL link in the marketing email by using a special URL link that references its trackers. However, this only allows a sender of the message to track visits to the URL. However, rather than the sender of the message, a recipient organization that desires to protect its members may desire access to information about recipient interactions with linked or attached content.
In some embodiments, at a recipient system (e.g., mail server of a recipient), information of an electronic message to be delivered to an intended recipient is received. For example, the electronic message has been sent via a network by a message sender prior to being received at the mail server of an organization of the intended recipient. For an original resource identifier included in the electronic message, a corresponding alternative resource identifier that can be at least in part used to obtain the original resource identifier is generated. The alternative resource identifier is generated specifically for the intended recipient of the electronic message. The original resource identifier included in the electronic message is replaced with the alternative resource identifier to generate a modified electronic message. The modified electronic message with the alternative resource identifier is allowed to be delivered to the intended recipient instead of the electronic message with the original resource identifier. An interaction associated with the original resource identifier is tracked using the alternative resource identifier.
Additionally, when a user browses webpages on the Internet, the user typically browses from one webpage to another webpage using hyperlinks on the webpages. When requesting a website using a hyperlink, there is a portion of data passed in the request, called the REFERER, which conveys from where the user came, e.g., what site referring a user to the site he or she visits. The REFERER information is commonly helpful to make security decisions. When a user enters a URL by typing input, there is no REFERER information in the request for the URL. However, when a user clicks on a hyperlink in an email, there is also no REFERER in the request from content of the link. If there were, then this could be used to aid in performing a security assessment. For example, a hyperlink contained in a message from a known malicious sender likely points to malicious content. A security assessment can then also distinguish between website visits that resulted from a user typing a URL and from a user clicking on a link of a message.
For these and related reasons, it is critical to develop security technologies that address the problem of phishing, and other related types of attacks in which an email, an SMS, or another type of message contains a malicious resource identifier that traditional security technologies may fail to identify as malicious, and to address the shortcoming that there is no contextual information for website visits resulting from users clicking on hyperlinks in messages.
In some embodiments, information of a message to be delivered to an intended recipient is received. For example, message context information such as information about the sender, the recipient, message metadata, message content, and/or any other relevant information associated with the message is received at a message gateway to perform an initial security analysis prior to allowing the message to be delivered. For an original resource identifier (e.g., URL) included in the message, an alternative resource identifier (e.g., alternative URL) is generated. The original resource identifier included in the message is replaced with the alternative resource identifier to generate a modified message. The alternative resource identifier can be used to obtain the original resource identifier included in the message and context information associated with the message. The modified message with the alternative resource identifier is allowed to be delivered to the intended recipient instead of the message with the original resource identifier. When a recipient of the message makes a request using the alternative resource identifier in the modified message, the request may trigger a security action associated with the original resource identifier and based on the context information. In effect, the alternative resource identifier may serve as a proxy identifier of the original resource identifier that allows effective requests for the content referenced by the original resource identifier (made using the alternative resource identifier) to be intercepted for security analysis prior to allowing or not allowing access to the referenced content.
For example, an alternative resource identifier points to a secure proxy webpage that can use at least a portion of the alternative resource identifier to obtain the original resource identifier and the context information associated with the message. A security risk assessment can be then made dynamically based on the content referenced by the original resource identifier and the context information to make a security assessment. If it is determined that there is a low security risk, the proxy website can provide content referenced by the original resource identifier and/or redirect the request to the original resource identifier. If it is determined that there is a high security risk, the user may be provided a warning, prevented from obtaining the content referenced by the original resource identifier, and/or provided a modified version of the content referenced by the original resource identifier. A result of the security risk assessment may also be logged to allow an administrator to review risks and/or for use in future security analysis.
In an example, a URL hyperlink in an email is identified, and the URL hyperlink in the email is modified to reference an alternative URL prior to delivery. The alternative URL can be used to obtain the original URL hyperlink as well as contextual information associated with the email. When the alternative URL is visited by a message recipient, a determination is made on the security associated with the original URL and/or the associated email and/or the associated sender, utilizing the contextual information and the URL assessment. Here, the assessment of the URL can be done by performing one of rendering, partially rendering, automatically interacting with the associated site, making an assessment of the associated site behavior, including spawning of processes or other webpage rendering requests, and making an assessment of the domain and subdomain of the URL, including reputation, age, and contextual use. This decision can be done as soon as possible after the URL is identified, in batch mode, as a result of the user clicking on the modified URL in the delivered email, or as a result of an external event, such as notification of a risk or attack potentially affecting the recipient. Context relating to the email is used, including text in the email, logos and other graphics in the email, the recipient of the email and whether this user normally receives emails with URLs of a similar type according to a security classification, and based on the sender, whether the sender is a trusted party, and if the sender is not considered a trusted part, whether there is any potential likeness between the identity (e.g., including display name, email address, domain, and identity conveyed by or associated with content of the email) and that of entities that are trusted by the recipients, or trusted by many users like the recipient.
In addition to rendering the website, actions commonly associated with undesirable behavior can be identified, including but not limited to anomalous use of forwarding or redirection, such as using HTTP 301 or HTTP 401 requests; anomalous use of obfuscation including JavaScript that unpacks itself, and anomalous attempts to engage tracking beacons. Furthermore, the system identifies when websites use common commercial templates that are associated with service providers other than those associated with a scrutinized website. This is commonly indicative of the scrutinized website having been constructed by cloning or partially cloning a legitimate website, which is a common tactic employed by phishers.
There are several example benefits associated with the disclosed technology. These may include but are not limited to: (1) enable as context-aware analysis of documents, including webpages; (2) permits immediate delivery of emails while maximizing security by performing delayed scrutiny across applications; (3) identifies the origin of URL clicks for URLs without a REFERER; (4) permits internal tracking of messages, documents, and resources; (5) avoids duplicating the effort of scrutinizing messages and their contents; (6) secures email and other messaging methods against advanced threats; (7) optimizes storage of contextual information useful for managing analysis of risks, leveraging models on sender and recipient behavior and associated trust relationships; and (8) improves anti-virus filtering based on contextual information and threat information relating to the threat vector used for message delivery.
In some embodiments, a mail gateway, a cloud service unit with access to the inboxes of email recipients, or another entity in the email flow or with access to it automatically reviews an email and determines at least one piece of contextual information of the email; then modifies at least one artifact associated with the email to incorporate either the contextual information or a reference to a database record comprising the contextual information, and then causes the modified email to be delivered to the user mailbox. In some embodiments, the disclosed technology demonstrates how contextual information can be used both to draw positive and negative inferences. For example, assume that an email is sent by a trusted party, and that the system has verified that the email was not spoofed. The system has further verified that the email is not likely to be sent by a person who has corrupted the sending account; this can be detected by comparing the message user agent (MUA) of the email with previous emails from the same sender, and determining whether there is an MUA discrepancy. In this example, there is not. However, the email in this example contains a URL that leads to a site that requests credentials. It is not known to be a phishing site, and the site does not have any text or logos indicative of deception. For the particular recipient, the system configuration may be to not allow a site with this type of password entry, since this could be a high-risk site such as a phishing site. However, given that the contextual information indicates that the email was from a trusted party, that the party was not spoofed, and that the party is unlikely to have been compromised, the system makes the determination, after having scrutinized the site corresponding to the URL, that it is permissive for the recipient to visit this site.
In a second example, the same email message, with the same URL, is sent by a trusted party, but it cannot be verified whether the user was spoofed or not. The system, in this example, after having scrutinized the site, determines that the email recipient is allowed to visit the site, but that the site needs to be marked up with a warning. One way to do that is to display a warning instead of the website, as the user clicks on the link, requiring the user to perform an action (such as clicking on a link, solving a captcha, answering a quiz, etc.) before the user is redirected to the real website. It is understood by a person skilled in the art how a mail server or gateway can act as a proxy between a user and the Internet, thereby performing such replacements of content. In a third example, an email with a similar content is sent by a sender with whom the recipient does not have a trusted relationship; this may correspond to the two not having exchanged a sufficient number of emails, such as five emails from each to the other; or the two not having exchanged emails for a duration of time exceeding a threshold amount of time, such as two weeks. The system examines the website and, based on the lack of established trust between recipient and sender, makes a determination not to allow the user access to the website. Using an alternative configuration, the recipient is allowed to access the website, but only after it has been scrutinized by an admin. A request for an admin to review the site is requested by the recipient, on the warning website, after the recipient has been shown a screenshot of the site or seen a rendering of the site which has been made inactive, e.g., in which user input has been disabled. If the admin gives permission to access the site, the recipient will be notified, e.g., in an email or SMS message, after which the recipient, clicking on the hyperlink, will be taken directly to the actual and fully functional site without first being sent to the warning site.
A further benefit of some embodiments is a method to automatically identify account take-overs, also referred to as corrupted accounts, with a high probability. This works by building a profile for each sender, where this profile comprises the mail user agent (MUA) of the sender; the IP ranges and originating servers used by the sender; the signature file(s) used by the sender; the length distribution of message texts associated with the sender; the logo and image use associated with the sender; the type of attachments associated with the sender, including the headers associated with these attachments; the URLs and classifications of the associated websites included in messages sent by the sender; and the semantic classification of texts sent by the sender. For example, the MUA identifies with a high degree of accuracy what type of computer or other device was used to send the message, including aspects such as the charset, the mail client version, the operating system, and more. The IP ranges and originating servers depend on what network the sender uses, and will, for example, be different for a user who is on the AT&T network from one who is on the Comcast network, and yet different from a user relying on a corporate network to send messages. The signature files are often different for different devices of the same user, but can be directly associated with the corresponding MUA, and as such can act as an “extension” of the MUA in terms of identification. Different users have different communication and message design patterns, including the typical use of logos and images, the semantic style, including the length of words, the extent to which spelling is correct, and the type of greetings the user uses. The disclosed security system builds profiles of sender characteristics by observing a series of messages from the sender. The system associates a certainty with a prediction of what constitutes “correct” characteristics based on the variance observed, the extent to which there is entropy for the characteristics, the commonality of change, along with external considerations such as the role of the sender, if known. When a new message is received, its characteristics are compared to previously recorded characteristics and any discrepancy scored by performing a prediction of the likelihood of this prediction being correct, given the past observations of the characteristics of the user in question, and based on the likelihood of potential change of characteristics based on similar changes observed for other users. A conditional probability is thereby computed, where this corresponds to the probability of the observation, given past observations for the sender, and given the general likelihood of changes observed over a larger population of senders. When this conditional probability is lower than a first threshold, which can be a parameter set by the message recipient or a representative thereof, then a first security action is taken; an example security action is to block the message. The threshold can also be a system parameter or depend on past communications and threats associated with the recipient. When the conditional probability is lower than a second threshold, then a conditional action is taken based on the context of the message, the content of the message, URLs and attachments associated with the message, and a policy associated with at least one of the sender, the recipient, or the system. Example methods to perform this conditional action, including the determination of whether to take the action are described in this disclosure, but will be understood by a person skilled in the art to also comprise similar methods and approaches.
Some examples of contextual information include: a trust value associated with the sender, where the trust value can be specific to the recipient; a deception risk value associated with the sender, recipient, and the email; a sender risk value that could be indicative of risk of spoofing, risk of account take-over, or risk of other malicious behavior; an indicator of the type of sender, such as a contact of the recipient, an internal colleague of the recipient, a first marketing team or a second marketing team, and a classification of the sender or email content in terms of its value to the enterprise, such as ‘likely malicious,’ ‘likely wasteful of employee time,’ ‘likely personal use of computer resources,’ ‘likely rude language,’ ‘likely high-priority email,’ ‘contains mobile-friendly content,’ ‘sent by an apparent stranger,’ and more; or a combination of such types of contextual information. The goal of obtaining metrics may be to evaluate and identify potential threats; evaluate and compare efficacy of benevolent actions such as actions by two competing marketing teams; and to measure and pinpoint sources of time wasting and other resources. Similarly, the contextual information stored or incorporated in the artifact may indicate the type of originating source, such as “a message transmitted by or associated with Facebook, with LinkedIn, with Slack” and more. The contextual information may also indicate when the message was received; or simply index a database of emails that are processed by the system, thereby simplifying a simple lookup of the entire context associated with the email and its associated artifacts. Example artifacts are URLs, attachments, hyperlinks causing phone calls to be placed, and more. To modify a URL, the system can either replace the domain in the URL with a domain or IP address associated with a proxy, which may be either internal or external to the user organization, and which can either be managed by the organization operating or providing the security system, or an organization collaborating with the organization operating or providing the security system. The disclosed technology enhances such technologies by not just introducing an intermediary (e.g., the proxy) but by also providing contextual information to this proxy. To modify an attachment, a security system may perform ‘wrapping’ of the attachment, where the wrapper is an executable or a reference to an executable, such that when this executable is engaged as a result of the recipient clicking or otherwise interacting on the modified attachment, then the executable receives as input the contextual information associated with the message, and the attachment; and processes the attachment in accordance with a set of rules and the contextual information. This could mean performing a security scan of the attachment and conditionally opening it, giving the user access to the contents; logging the access to the attachment; and using it to augment the user-facing functionality associated with the attachment, such as enabling or disabling features or functionality based on the contextual information. Similarly, phone numbers can be proxied, allowing security scanning of calls and SMS interactions; auditing of turn-around time from the reading of the message to the end-user action; auditing of what messages different users are most likely to interact with; auditing of what senders or content types are most likely to engage users; and more. The actions described herein may apply to all the communication media in various embodiments, and many more actions of similar types are possible.
In various embodiments, a message is scanned by a gateway, a cloud service with access to an email account, an app on a device such as a phone, or by another entity in the message flow or with access to it. This entity is referred to as the “security service” for simplicity of denotation, but should be understood that the functionality it enables extends beyond security functionality, as will be evident from the disclosed functionality. The security device identifies artifacts such as URLs, attachments, and hyperlinks with associated actions such as placing phone calls, sending SMS, making payments; and modifies the information associated with the artifact to incorporate contextual information or a reference to contextual information. As a user interacts with the modified artifact at a later time, a second system associated with the security service determines the context, whether from the artifact or by looking it up from a database associated with the security service. We refer to this second system as the reactive system, as it reacts to the modified artifact based on the user interaction and the contextual information associated with the artifact.
In some embodiments, the reactive system performs an action that is a security action; example actions are to scan the artifact and associated information, and based on the data observed in the scan and the contextual information, determine what portions are considered suitable and which ones are not suitable, after which suitable portions are presented to the user and unsuitable portions are suppressed. For example, if the contextual information indicates that the artifact was sent to a user from a party the user does not know or have any relationship with, and the data observed in the scan comprises some executable elements and some non-executable elements, then the reactive system determines that the executable elements are not suitable whereas the non-executable elements are suitable. The reactive system then allows the user to see, interact with, open, or otherwise engage with the suitable elements, but makes elements considered unsuitable at least one of not visible, not possible to open, not possible to execute, or only possible to execute in a secured environment such as a sandbox. The artifact in this example may be a URL, and the data on the associated website, where an executable element may be a JavaScript component, and a non-executable element may be a CCS-formatted HTML document. The artifact in this example may also be an attachment of the format of a zip file, the executable element of a zipped word document with a macro, and the non-executable element of a PDF file that does not have any macro or active component associated with it. Instead of limiting access, the reactive system may also modify elements classified as non-suitable, e.g., change a word file to disable the macro; rewrite a pdf with a potential active component so that it is in a standard form that is known not to pose a security risk; and similar. Following the same example, if the contextual information associated with the message indicates that the sender is a trusted party, and there is not an observed indication that the trusted party has been compromised, such as in a phishing attack or by malware, then the reactive component may determine that all elements associated with the modified artifact are suitable, or that all elements associated with the modified artifact are suitable except for those that are identified as being on a blacklist or associated with a known negative situation. An example of such an element would be a file that does not pass an anti-virus scan.
In some embodiments, the disclosed technology has benefits beyond enabling blocking of risk. Whereas one of the primary benefits is associated with identifying risk associated with an email, and use that identified risk to limit access to web resources and other actionable material, such as attachments, macros, and phone links, another example type of benefit is that the technology can be used to audit risk. There is great need for organizations to identify the level of risk they are exposed to, and to determine changes over time. It is also important for organizations to determine what users—internal and external, associated with the organization or not—pose a risk by sending dangerous emails, receiving dangerous emails, visiting dangerous sites, performing dangerous actions, and more. To enable tracking and auditing of such behavior, it may be necessary to determine what events on one layer (such as the receiving of an email from a stranger) lead to actions on another layer (such as placing a phone call or clicking on a link.) A person skilled in the art will recognize that these are benefits that are enabled by the disclosed technology. One way to implement an auditing mechanism uses the stored records, including information of the context, sender and recipient, along with the actions (or lack thereof) identified as taken by the end user, which is detected as the recipient interacts with the modified resource identifier, and to store this information. This is later used to compile statistics of risky behavior.
In another embodiment, the reactive system performs an auditing operation that is not necessarily a security action. For example, the auditing action may be to associate the modified artifact, its sender, and its receiver with the time it took from the delivery of the message until the user engagement with the modified artifact. This way, the reactive system can determine, whether per sender, per receiver, or per message type (all of which would be part of the contextual information) what the user reaction time is, where one aspect of the reaction time is the time from delivery of the message to the time of the user engagement with the modified artifact, and another aspect of the reaction time is the time from the recipient user opening the message to the time of the user engagement with the modified artifact. The system can also track the percentage of the time that a particular user engages with the modified artifact, whether based on the sender identity or group membership, the content of the message, the content type, or based on previous actions of the recipient user. This is a very powerful productivity tool for organizations as it allows the automated identification of effective communicators, messages that are convincing, workflows that lead to high productivity, senders that derail the focus of recipients by sending recreational content that stops productivity, and similar. An example use is to determine what services generate the most click-through, where the compared service may comprise: a commercial service or come from colleagues or other contacts referencing documents associated with such services.
The disclosed technology is not limited to identifying and evaluating URLs based on their context in an email or other messaging form, but can also be used for other marked-up data, such as mailto links, click-to-call links, instant messages, SMS messages, notification messages, transcribed voicemail, messages processed by proprietary applications, and other material that a recipient can interact with. For example, a mailto link can be temporarily modified to convey the context in which it was embedded; this context can later be used by an automated method that screens the content of an outgoing email and looks for sensitive data that should not be leaked outside the trusted perimeter. Thus, if the mailto link was contained in an email that came from a non-trusted party, this contextual information would be used to censor the message, block the message from being transmitted, cause an alert to the sender, cause an alert to an IT admin, cause the message to be temporarily quarantined before it is delivered, or another action. For example, a regular mailto link may specify an email address on the format “name@organization.com,” which can be marked up by changing the email to “name@organization.alert.37662772,” where “alert” is a tag to indicate that the email should not be delivered as-is, and 37662772 is a code that either indicates the context or is a pointer into a database with contextual information. Thus, when a mail server, gateway, cloud service provider, or other entity processes this information, the email is scrutinized in the context associated with the contextual information indicated in the augmented email address. This entity could be configured to scrutinize all email transmissions to non-trusted entities if they do not have a contextual extension, to avoid that a malicious sender tricks a recipient to remove the context information. All incoming emails from non-trusted entities could also be augmented by adding a reply-to address that corresponds to the address to which a reply would otherwise go to, with an added extension providing contextual information. The contextual information can contain information about the identity of the sender; the trust level of the sender; and/or the extent to which the sender identity is similar to that of a trusted entity. As the mail server or other entity concludes the scrutiny, a security action may be taken or the email simply delivered with the content unchanged, but with the email address first modified to make the email deliverable with respect to the intended recipient. This means to remove any mark-up of the address. It is beneficial to add x-headers indicating to the recipient system how the message was processed, including if any part of it was redacted, modified or blocked, and potentially a description of the reasons, which may include the contextual information used for the decision. Parts or all of this added information may be encrypted in a manner that only trusted received systems can access the information.
Similarly to how URLs, mailto, and reply-to can be augmented to convey contextual information, call-to-numbers can also be augmented, thereby passing contextual information to an app that is used to place a phone call, initiate an SMS, or similar. This permits a screening of content; or an application of a policy (e.g., such as who pays for the call, or whether the call is allowed during office hours, whether the call is made from a particular geographic location, and similar).
Furthermore, attachments, such as spreadsheets and word documents, can be replaced by icons or texts identifying their existence, where these icons or texts are clickable, wherein a hyperlink is activated as a user clicks on an icon or text. The hyperlink can be associated with a record created in a database, where this record is populated with information relating to the context of the message, the context relating to the sender and receiver, and additional information useful to assess the risk level of the document. As a user requests access to a document, a determination can be made whether this is safe, unsafe, or has a risk in between; and whether a security action should be taken. Such security actions include removing or disabling macros, rewriting the content on a normalized form, requiring a user action, and more. Therefore, it should be understood that this disclosure is relative to resource identifiers in general, as opposed to limited to particular types of resource identifiers such as URLs, mail-to, and other identifiers that a user can interact with.
It should also be understood that the disclosed technology of some embodiments enables functionality not necessarily related to identifying or reducing risk. It is, for example, possible to use the modification of resource identifiers to change the user experience. For example, if an organization wishes for all internally placed phone calls to use a proprietary calling application and not the regular phone application, then the modification of the phone link is used to modify the action taken by the system when the user clicks on the modified resource identifier. This can also be used to augment the functionality. For example, an organization that requires that certain phone calls be recorded automatically may signal the selection of what phone calls should be recorded in an identifier included in the modified resource identifier, causing recording to take place automatically by passing a parameter to the associated application or otherwise starting a recording functionality.
A beneficial aspect of the above embodiment is a visualization component that identifies using a GUI, outliers, senders, receivers, or message classifications. One such message classification is associated with a first important project and a second message classification is associated with a second and less important project; alternatively, the first classification is associated with a direct messaging style in which clear requests are made whereas a second classification is associated with a less direct communication style. The classification can be performed at the time the artifact is modified by the security system, at the time the reactive system is evaluating the modified artifact as a result of the recipient user engaging the modified artifact, or at a later time, such as when an outlier is identified. The classification can also be performed a priori, e.g., internal senders are associated with one classification, external webmail accounts are associated with a second classification, strangers with a third classification, and external colleagues with a fourth. An artifact can be classified as belonging to or not belonging to each one of one or more classes. These alternatives are only illustrative, and other times are also possible for the classification.
In some embodiments, it is automatically determined that an internal user in an organization is sending a number of messages containing URLs or attachments of a type that is automatically classified as not being relevant to work, where this number exceeds a threshold, whether since the beginning of the measurements or during a time interval. It is also determined that the recipients of these messages click on the URLs or attachments, based on the tracking information associated with the disclosed technology. As a result, the sender behavior is compared to a policy, where this policy in one example specifies that the sender should receive a first notification in response to the threshold being exceeded; and after a time period such as one week, if a second threshold is also exceeded, then a second notification is sent to the sender; and after another time period such as another three days, if a third threshold is also exceeded, then a manager or admin associated with the sender is sent a notification. All these notifications may be automated and generated in response to measurements and policies, where the policies can be stated for an entire organization, a group, or an individual, and each policy is associated with a priority and if multiple policies match a user then the policy with the highest priority gets precedence. In another example embodiment, a similar tracking is performed of recipients instead of senders of material matching a classification. If a recipient is interacting with undesirable material, whether risky material such as a phishing webpage, a simulated phishing webpage, or a potentially dangerous attachment sent by an untrusted sender, or material that is not considered risky but also not desirable for the enterprise, then the recipient receives one or more automated alerts, as well as an admin or manager of the recipient, where the transmission of such an alert is triggered by a policy and a measurement related to the interaction or interaction attempt by the recipient user, and wherein multiple policies preferably are used, with different policies corresponding to different types of unwanted material. Furthermore, in a third example embodiment, an external sender of emails sends messages with undesirable URLs or attachments to one or more internal users, where the determination that these artifacts are undesirable may take place at the time of transmission, as a result of in-depth scrutiny of the message taking place after delivery, as a result of a user action such as a complaint, as a result of detonating the artifact, as a result of decrypting or unzipping the artifact, and similar. This is based on the sender being identified as undesirable based on the classification of one or more artifacts such as URLs, attachments, call-hyperlinks, and more, and where a rule is created for senders that are considered undesirable. An example rule may cause emails not to be delivered, to be stripped of any artifacts, to be given extra scrutiny, to be quarantined, to be modified to include a warning, and more, as described in this disclosure.
In some embodiments, a wrapping technology is utilized in the context of encrypted zip files. These constitute a risk to systems as risks associated with these are poorly detected, and commonly both attackers and benevolent users send encrypted zip files. As the files are opened and decrypted by the user, the mail security software is no longer in control. To address this, encrypted zip files are detected when they are sent as attachments to emails and other messaging systems, such as Skype, and then replaced with what is referred to as “wrapped” versions. A wrapped version of an encrypted zip file is a file that, when opened, causes execution, whether of the file wrapper itself or of an associated application that the message recipient needs to download, and as the file wrapper is executed, it performs three tasks: (1) it requests a PIN or password from the user, and receives this; (2) it uses the PIN or password to decrypt the wrapped zip file (this is done by executing the unzip program associated with the zip file, or a compatible version to this, providing the unzip program with the PIN or password provided by the user); and (3) automatically accessing the contents of the unzipped file, and determining for its contents whether any of these files are risky. This can be done in a multiplicity of well-known ways, including detonating each file, determining whether any of the files match an AV signature, determining whether any of the files has executable code segments in it, and more. The detonation of a file is a technique that involves interacting with the file by executing or opening it, performing this in an environment that is secured, such as a sandbox or a virtual machine, and to observe the actions initiated or requested as a result of this. Detonation could involve emulating a user interacting with a file, emulating a network of machines or another regular execution environment, and exposing the file to data that is commonly wanted by attackers to determine whether a malicious-looking action is taken in response to this. Such actions involve unexpected connection attempts to external resources, requests to modify system resources, and more. The same approach also works for messages with attachments that are encrypted pdfs, or any other encrypted file type; in such cases, the execution of the wrapper file causes the decryption of the encrypted file, which is then scanned for risky elements, including executable code. If a file, independently of type, passes the verification, then the decrypted file is made available to the recipient, whether this corresponds to the decrypted zip file or its contents, a decrypted pdf, or other file. After the verification passes, the wrapped file would preferably be opened for the user to see. Thus, the user experience associated with the opening of wrapped files would be the same as that of unwrapped files, except for a delay that in most cases would be too short to detect, and but for the effects of opening a malicious file, which of course is the goal of the novel approach to address. If an encrypted file is found to be malicious after having been decrypted, then a signature is preferably created for the encrypted file and the emails it was associated with. Such a signature may, for example, identify the file type (e.g., “encrypted zip file”), the size (e.g., 18007 bytes), and the creation date (e.g., “Jan. 6, 2017”). Based on this signature, other malicious messages containing a payload matching the signature can be detected. This may be done not only for emails to be received by the system after the signature is created, but also retroactively, by accessing the inboxes of users, or by accessing a database proactively built as the messages arrived, describing the features of emails that are high-risk according to some measure, such as having an encrypted zip attachment and being from a non-trusted party. Such records would indicate what users received these attachments, and identify the emails. As soon as the system has identified candidate messages to be compared with the new signature, a match is made, and if the new signature triggers, then a retroactively applied filtering action is taken.
In some embodiments, the security system includes contextual information in the wrapper. This can be done by adding parameters to the headers of the modified attachment, for example, where these parameters convey the contextual information or provide an index into a database that contains at least one of the contextual information or a repository of messages. In one use case, the security system identifies a potentially executable file, or a file that potentially has executable components such as a macro, and determines that the sender of the message containing the file is at least one of a stranger relative to the recipient; a party that the recipient has not had substantial interaction with; a party that has interacted with the recipient in the past but uses a substantially different display name or other identity marker than the current message does; or a party that is identified as trusted relative to the recipient, e.g., based on having communicated more than a threshold number of messages with the recipient in the past, having never been reported as a spammer by the recipient, or having been part of an LDAP database associated with the recipient. This trusted party is normally associated with a substantially different mail user agent (MUA) and is therefore determined to be at a heightened risk of having been corrupted. This information is part of the context, and is associated with the modified attachment, where the modified attachment may comprise a wrapper, as described above. Later on, the recipient user clicks on the attachment and thereby causes the code associated with the wrapper to execute on the associated content, which comprises the original attachment and the context associated with the message. This is performed, enabled, or initiated by the reactive component. In one example, the reactive system, executing the wrapper or interacting with the wrapper using an interface, determines that the risk associated with the context and the associated attachment is high, and therefore performs a detailed analysis of the associated attachment using for example sandboxing methods, code detection methods that identify executable components in files, or traditional anti-virus methods, or some combination of these tools, and obtains a response indicative of a very high risk of malware. The reactive component preferably reports this information to the security system, and one of the two units determines what the security action should be. In one example, the email was sent by a trusted party, and this trusted party is then determined to be corrupted with malware with a very high probability. This determination causes a notification to an admin associated with this user and/or a notification to the user in question, whether to the sending account or another address or channel associated with contact information belonging to the sender whose computer is believed to be corrupted. In addition, the security system may isolate any other emails or messages sent from this sender that are determined to be corrupted until an indication is received that the user is no longer affected by the likely corruption, or never was. This indication could be the result of a scan performed on the suspected system by the user or an admin, or a notification that such a scan or other remedy has been performed. Alternatively, any email or other message from the user suspected of being compromised can be automatically modified to eliminate or contain any component associated with high risk. In the case where the sender is not a trusted party, this party may be isolated from the system, meaning that emails or other messages this user has or will send will be quarantined, blocked, or automatically modified to make them secure.
In another embodiment, the system detects and blocks an attempt to perform a so-called pharming attack on a victim, which can be carried out by surreptitiously setting an HTTP 301 redirect from a trusted site to a non-trusted site, causing the victim's browser or mail reader to cache the redirect and therefore resolve a URL in the wrong way. Other redirects can also be initiated by an attacker; this includes 302 redirects, use of intermediaries such as domain name shorteners, or sites that perform REFER-based redirects to guide victim traffic and spidering traffic to different sires. For example, say that an attacker poisons the victim's cache by placing an HTTP 301 redirect from www.goodbank.com/login to www.evil.com/goodbank.com/login. The attacker then waits for GoodBank to send an email to the victim, in which there is a URL such as www.goodbank.com/login. If the victim clicks on this hyperlink, then it will cause for him or her to visit www.evil.com/goodbank.com/login. In another version of this attack, the attacker replaces the URI or URL associated with a GET or PUT request that he expects a victim user clicking on a good webpage to make, thereby having information fetched to the browser or mail reader to be fetched from the wrong location, or information (such as a password) submitted from the browser or mail reader to be submitted to the wrong location. The disclosed system addresses this by scanning all emails going to its subscribers and performing a security action that blocks the attack. In some embodiments, the system replaces every http address with the corresponding https address, which stops the attack on such URLs. However, this does not address URLs for which there is no https version, and does not allow the system to track abuse attempts. In another embodiment, the system replaces a URL such as www.goodbank.com/login with a proxy address such as https://www.agari.com/www.goodbank.com/login, where Agari.com is a security service with a proxy, and where any click by the intended victim causes the modified URL to be called, where the proxy does not have a 301 redirect cache or where it only allows selective use of a 301 redirect cache, and where it initiates a request for the page www.goodbank.com/login after receiving the request https://www.agari.com/www.goodbank.com/login. The security service, represented by the proxy associated with agari.com, logs any requests to web material as above and blocks any attempts to performing 301 redirects by the attacker on the proxy. This can be done by not allowing any 301 redirects to be stored by the proxy, or by only selectively allowing them, where one example rule for allowing a redirect is to allow it only to a domain that is the same as the domain from which the redirect is performed, or which is registered to the same owner. The proxy can identify where the requests come from by determining the IP range from which they come. It can also optionally determine when a user is under attack by monitoring when a redirect is placed. This can be determined by collaboration with a gateway server associated with the potential victim by redirecting the requested resource https:/.www.agari.com/www.goodbank.com/login to the original resource www.goodbank.com/login and notifying the gateway. The notification preferably includes IP information associated with the potential victim and machine descriptors such as user agents. If the gateway observes a request to the original resource www.goodbank.com/login from the identified user, then this is a benevolent request, whereas if the gateway observes another request from the identified user, then this is very likely to be an attack, and is preferably evaluated by a separate system that determines what is hosted on the webpage requested by the identified user. Alternatively, the security system replaces URLs in incoming emails to the user, replacing www.goodbank.com/login with http:/.www.agari.com/www.goodbank.com/login?253gd63, wherein 253gd63 is an identifier associated with at least one of the user receiving the email, the email, the trust score associated with the email, information about the sender of the email, and more. As the proxy receives a request for http:/www.agari.com/www.goodbank.com/login?253gd63 it makes a request for www.goodbank.com/login and forwards the result to the requesting user. In this context, the proxy needs to make sure that it is not attacked by an attacker that places a redirection in its cache. An alternative is therefore for the server processing the email not to replace the original URL with http:/www.agari.com/www.goodbank.com/login?253gd63 but with https:/www.agari.com/www.goodbank.com/login?253gd63. This avoids the risk of the redirect attack being performed on the server, but still allows the proxy server represented by agari.com to determine, based on the “extension” 253gd63, whether the resource www.goodbank.com/login is trustworthy or not. For example, if the URL www.goodbank.com/login was sent by a stranger to the recipient deceptive display name, then the proxy may not permit the access, and may instead redirect the user requesting the material to a webpage with a warning. Other variations on these techniques are possible.
The disclosed technology enables multiple security determinations. As a message is first processed by the security system, a first determination is made, and based on this determination, a security action is taken. Some messages may be modified, where one such modification is described above, and includes the modification of an artifact associated with the message. Another modification involves modifying display names, as described in a co-pending application. The security system also modifies the content portion of the message conditional on the first security determination. Other actions comprise blocking the message, quarantining the message, automatically sending a message to one of an account associated with the apparent sender or the recipient, notifying an admin, or escalating the security review by performing a computational in-depth analysis, or having a human reviewer scrutinize and classify the message. Additional actions are taken based on the response from human users, or the absence of such responses.
The message is then delivered to the recipient, conditional on the first determination, potentially having been modified as described above. The system then determines whether the user action, or lack of action, is indicative of a security posture associated with the message. For example, consider a message sent to multiple users, where some place the message in the spam folder, others open the message but do not engage with it, and yet others do not open it. This message is considered unwanted, and the lack of supporting actions from recipients may trigger a second security determination, such as having the message sent for review to one or more human reviewers.
Consider a second message containing an encrypted file, such as an encrypted pdf or an encrypted zip file. Encrypted files are commonly used by attackers as a way of hiding threats, such as malware. One possible operation applied to this type of artifact as a result of the first security determination is to wrap the attachment, as described above. When a user selects to engage with the wrapped attachment, he or she will provide a PIN or a password to the reactive unit, which will then decrypt the associated file and scrutinize the contents. Assume that the file is considered to be malicious, based on having malware or other high-risk contents. This causes the security system to classify the sender of the message as dangerous. A resulting security action is for the system to scan all recipients it monitors whether any of these have received messages from the same message sender. If any of them did, then those associated messages are sent for a security scrutiny, which could be a manual review, automated analysis by a sandbox, or other types of scrutiny. Alternatively, no additional scrutiny is performed. Then, a security action is performed, which may be to remove one or more of the messages associated with the dangerous sender. Multiple rounds of security review and associated conditional filtering actions can be performed, such as redacting, removing, modifying, or otherwise securing messages. This involves retroactively accessing, reading, writing, modifying and deleting messages, or any portion of such operations. Messages can also be moved between the inbox and the spam folder as a result of such scrutiny, or from the spam filter to the inbox, if considered safe after a more careful scrutiny of a message initially considered more risky. One benefit of the disclosed technology is that the retroactive security actions enable an important change of the economy of attacks. In the past, an attacker would send n different attack messages to one or more organizations, for some integer value n such as n=100, hoping that one organization would fall victim. By increasing n, say to n=200, the attacker would typically increase his probability of success, and typically approximately double this probability. However, the retroactive security actions mean that as long as at least one of the messages is found to be malicious, the system will retroactively perform a filtering action to all the other n−1 associated messages. Therefore, as n grows, the probabilities increase that at least one of the messages will be correctly identified as malicious, and therefore, a security action taken on all the n messages. This is made possible by the retroactive filtering and is also benefitting from an anomaly-based risk system wherein high-risk and therefore anomalous messages are identified. One such high-risk situation is the use of deceptive display names, which are display names matching the name of a trusted sender in the context of a recipient.
In some embodiments, an estimate of the age of accounts is determined (e.g., such as the email accounts of email senders that are not recognized as secure by the system). An account may be recognized as secure if it has interacted with protected users for at least a threshold amount of time without any security concerns, where one such concern corresponds to a message that triggers one or more high-risk filters. Protected accounts and their contacts are also preferably considered as secure. Other accounts are higher risk. Attackers commonly register accounts and then use them for a short time, until the accounts are either blocked or taken down due to complaints or abuse detection. To get an estimate of the age of an email address, the security system consults public or proprietary breach databases, such as haveibeenpwned.com and similar, preferably using an API or by purchasing or maintaining such databases. Normally, it is seen as a security risk to be in such a database; however, in the absence of a recent corruption of an account, it is considered a security benefit to be in this database in the context of this evaluation. This is because if there is a breach record that is a year old, that means that the account that is associated with the breach record is at least one year old. Whereas it is possible that the account has been used by an attacker, which is a risk, the security benefit with knowing that the account is not very young is typically greater. Thus, for an account that is the sender of an email, and where this account is not known to be trusted by the recipient or the system, knowledge that the account has been breached in the not-so-recent past means that the account is not very young is a definitive security benefit. Thus, knowledge of a breach—as well as any other knowledge of an old account activity—is an indication that it is not a fly-by-night account. The converse is also true: the absence of such information for an untrusted or unknown account is seen as a further risk indicator, and can be used to trigger filtering or additional security scrutiny.
In one example scenario, Alice has a history of interaction with Bob Boss <bob@bosscompany.com>, but has never interacted with Bob Boss <impostorbob@gmail.com>, and receives an email from the latter. The email has a subject line “Urgent! Respond by EOD” and contains a brief message “Hi Alice. Please review and respond by EOD. Bob” and an attachment with name data.pdf. The security system receives the message and determines whether the sender domain has a DMARC policy, which in this example case it does. The security system then verifies that the email has a legitimate DKIM signature and a valid SPF record, which in this example case, it does. Thus, the message does not fail DMARC. The security system then determines whether the sender is known by the system. It does that by accessing a system-wide blacklist to determine whether it is a known bad sender; in this case it is not. It also does this by accessing a recipient-specific whitelist to determine if the sender is trusted by the recipient. Since Alice has never interacted with this sender and the sender is not in an LDAP database associated with Alice, it is determined by the security system that the sender is not known to be trusted by the recipient. The system also determines whether this is a known-old email address; it does this by consulting a service or a database for breach data to determine whether the sender is associated with a past event of sufficient age, such as at least two months ago. In this case, there is no such indication, which is commonly the case for approximately half of all senders. This is not an indication that the sender is malicious, but is correlated with possible risk. It is then determined whether the sender is potentially deceptive. Some of these tests are conditional on others. These tests can be performed in other order in various different embodiments. Other tests can be performed in other embodiments. The above described tests are simply illustrative of one possible embodiment and situation.
The security system computes a risk score based on the tests performed. The risk score is represented by a value R that is initially set to 0; then decreased by 10 due to the fact that the sender is associated with a DMARC record and the DMARC verification passes. A sender domain not associated with a DMARC record would have caused the score to not be modified, and a sender domain with a DMARC record and an invalid SPF record but valid DKIM signature would have caused the score to be increased by 10. A sender domain with a DMARC record and a valid SPF record but invalid DKIM signature would have caused the score to be increased by 25; and a sender domain with a DMARC record and an invalid SPF record and an invalid DKIM signature would have caused the score to be increased by 100. The score R is then reduced by 5 since the email sender is not on a blacklist, whereas if it had been on the blacklist, the score would have been increased by a value associated with the entry in the blacklist, where a time-distant spam report would have a value 10 associated with the entry; a recent spam report would have a value 20; a time-distant fraud report would have a value 25 associated with it and a recent fraud report would have a value 50 associated with it, wherein “time-distant” in this example is anything older than three months and “recent” is anything that is three months or younger. It is determined that the sender is not on a recipient-specific whitelist, and therefore the score R is increased by 10. If the sender had been on such a whitelist, it would have been determined whether there are indications of account compromise of the sender account, such as a new MUA. If so, 50 would have been added to the score R, otherwise 100 would be deducted from the score R. This verification only would be performed for messages passing the DMARC verification, and messages associated with sender domains that do not have a DMARC policy. The system then determines, conditional on the sender not being a trusted sender that has no signs of being corrupted, whether the sender identity is deceptive. This corresponds to comparing the display name of the sender to the display names of parties that are trusted to the recipient, and comparing the display name of the sender to a list of common brand names, such as well-known financial institutions. This comparison is preferably performed using a string-comparison method such as Jaro-Winkler. In this example situation, the comparison results in a match since the display name of the sender is the same as that of the trusted contact Bob Boss <bob@bosscompany.com>. Thus, this sender identity is potentially deceptive to the recipient, Alice. The security system modifies the display name to “Warning” and adds the value 65 to the risk score R. As a result, the risk score now is −10−5+10+65=60, which is compared to a threshold T1=50. As a result of the score R exceeding T1, the already-modified message is sent to a unit that “scrubs” it. If the score R had exceeded a second threshold T2=72, then the email would not have been delivered, and if the score were below T3=−15, then the email would be delivered verbatim but with a smiley emoji added to the subject line, whereas if the score was greater than or equal to T3, any emoji in the subject line is removed before the message is delivered. This example message has no emoji in its subject line. The scrubbing action involves determining that the email has an attachment, and that attachment is of a type that potentially could be executable. As a result of this determination, the attachment is replaced with a wrapped version of the same attachment, where the wrapper contains a reference to the email and its context, and the context specifies that the email had a correct DMARC signature, was not on a system-wide blacklist, was not on a recipient-specific whitelist, was not found to be older than the threshold time, had a deceptive display name, and did not have an emoji in the subject line. Having a smiley emoji would be of importance for a message with a high risk score R, since this is indicative of an adversarial attempt to convey security to the recipient.
Since the score R was greater than another threshold T5=15, the email is recorded in a list of potentially risky emails, and a post-deliver analysis is performed. In this example case, the security system performing this analysis is determining whether the same sender has been observed to send multiple emails to users protected by the system. If more than three such emails are identified in the list of potentially risky emails, which is preferably sorted by or indexed by the sender email address, the email is sent for manual review, and if the expert reviewer determines that it is risky, then he or she indicates a remedial action to be taken for all the emails from the sender; where example remedial actions are to place the risky email messages in quarantine, remove them from the inbox and not place them in any other mailbox of the recipient, replace the messages with messages that include warnings, and more. In this example case, the sender had not sent any additional emails, so this is not performed. A second security action taken by the system is to send it to a sandbox for detonation. This is done since the risk score is greater than T5 and the email has an attachment that could potentially be executed. Examples of such files are pdfs, excel spreadsheets with macros, and files whose types indicate that they are intended to be executed. If the sandbox determines malware risk, then the email is removed from Alice's inbox, or if the sender is trusted to Alice, then the attachment is replaced with a notification of the attachment having been removed. In the latter case, a notification is also sent to an admin associated with the sender. That is not performed in this case since the sender is not trusted to the recipient. In this example, the expert reviewer did not have time to review the message before Alice reads it, and the sandbox did not identify a threat.
If Alice clicks on the wrapped attachment, the reactive system associated with the security system is engaged and it is determined, based on the context associated with the wrapper and the content of the wrapped attachment, whether to take a remedial action to the wrapped attachment, where example remedial actions include removing some files in zipped directories, rewriting files in a normal form that avoids high-risk obfuscated executables, and adding alerts to contents. Conditional on the contents, additional security actions are also to be taken. For example, the example attachment is a pdf document containing the word “invoice,” which makes it a high-risk document. As a result, the document is partially redacted to remove or white out any apparent account information, and a warning is added. The unmodified pdf document is also sent to an admin along with context information. The admin then preferably evaluates the risk based on the contents of the document and causes a notification to be sent to the recipient, Alice.
A further benefit of the disclosed technology is a method to address invitations from social networks, where these invitations potentially pose a risk. In “real life,” Alice knows Bob Boss, but they are not connected to each other on LinkedIn. One day, Alice is sent a LinkedIn invitation from a user with the name Bob Boss. Whereas it is likely to be her colleague, the system cannot tell, since the email is not sent from Bob Boss' email account, but from an account with the address invitations@linkedin.com, and with an associated display name of “Bob Boss.” This poses risk since this account may have been created by Eve Evildoer, using the username “Bob Boss.” Eve might even have copied portions of Bob's actual LinkedIn profile and populated her newly created profile with this information. This problem is not limited to LinkedIn, but is also associated with other social networks and other services that allow user-generated accounts. The security system detects a risk associated with this email, based on detecting a potentially deceptive display name, as previously described. The system then performs a security action that causes two actions: (1) the email is not delivered to Alice, or a modified version of the email is delivered, wherein hyperlinks are removed and an explanation is inserted, such as “This email is currently going through a security check. If it passes, the hyperlinks will be activated. In the meantime, we recommend that you do not accept this invitation. The security check will soon conclude,” and (2) an email is automatically generated by the security system and sent to an email account associated with the apparent initiator of the email, which is Bob Boss. The system has one email address associated with this display name and also associated with Alice, and that address is <bob@bosscompany.com>. The system sends a message to <bob@bosscompany.com> with the content “Did you just send a LinkedIn invitation to ‘Alice <alice@bosscompany.com>?’ Please click yes or no.” Here, the “yes” and “no” are hyperlinked and are associated with two distinct web addresses, which are both unique to this email instance and which have sufficient entropy that the addresses cannot be anticipated by a third party. For example, the yes-link may be www.agari.com/Dgdg36g8j36.html and the no-link may be www.agari.com/Dgdg33773yy6. Here, <alice@bosscompany.com> is Alice's email address, and is associated with past communications with <bob@bosscompany.com>, which was the basis for the security system's determination that “Bob Boss <bob@bosscompany.com>” is a trusted contact of <alice@bosscompany.com>. Further, agari.com is the security service. If the security system received a GET request for www.agari.com/Dgdg36g8j36.html, then it determines that the user of <bob@bosscompany.com> initiated the LinkedIn request with Alice, and in response to this delivers the original LinkedIn invite from Bob to Alice, or replaces the previously delivered invitation with the warning with the original LinkedIn invite or with a version of this in which a clarifying statement is made that this has passed the security check. The inclusion of this clarifying statement is preferably made if the system determines that Alice has read the previously modified LinkedIn message, which is possible since it has access to Alice's inbox and can determine the read-status. If a GET request associated with www.agari.com/Dgdg33773yy6 is observed by the system, this is indicative that the initial LinkedIn invite to Alice was malicious. The modified message previously delivered to Alice is now preferably removed or replaced with a message that informs Alice of the attack. In addition, a notification is sent to an admin, and security statistics are updated to include the malicious email. If no response is received, i.e., neither www.agari.com/Dgdg36g8j36.html nor www.agari.com/Dgdg33773yy6 is clicked, then the system optionally performs an action after a time-out period has passed, where this time-out period may be one week. The action may remove the message from Alice's inbox, modify the delivered message to suggest to Alice that she can ask Bob to find the automated notification message and click on one of the links, or send an automated reminder request to <bob@bosscompany.com>. Other examples of where this approach is beneficial relate to document sharing systems (e.g., Google Docs™, Dropbox™, Box™), eSignature systems (e.g., Docusign™), scheduling/coordination systems (e.g., OpenTable™), and other workflow systems (e.g., JIRA™).
A further aspect of the disclosed technology is a practical architecture for detecting display name deception, wherein the novel aspects comprise the data structure used to minimize the time and storage requirements. The embodiment makes use of a probabilistic data storage method such as a Bloom filter. The system generates a collection of pairs of Bloom filters. In each pair, a first Bloom filter is used to store information relating to display names and the second to store the associated email addresses. The Bloom filters are trained by obtaining pairs of (display name, email address) to be stored and normalizing these before storing them. One way of normalizing the display name is to replace any character that is not a letter with a space, e.g., processing an example display name “John F. Johansen-Garcia” to obtain “John F Johansen Garcia”; then to optionally remove any letter substring shorter than 3 letters, e.g., processing “John F Johansen Garcia” to produce “John Johansen Garcia”; then alphabetically sort these component words, generating “Garcia Johansen John”; then for each apparent reference to a user, generate all subsets of words of size two, where for an apparent reference to a company such as “PayPal Customer Service” to generate all subsets of size one and two, where a display name is determined to be a person name if any word matches a known name from a list of names. Each subset such as “Garcia Johansen John,” “Garcia Johansen,” “Garcia John,” and “Johansen John” is stored in the Bloom filter. In some embodiments, all letters are changed to lower case before storing the subsets, and in another, any confusable letter such as a Cyrillic letter looking like a Latin A is replaced with a Latin letter A, conditional on the other letters in the name being Latin letters, or some threshold number of them being Latin letters. These are example methods for normalization of the input strings, and are just for illustrative purposes. In addition to storing the display name and its subsets, after being normalized, in the first Bloom filter or similar probabilistic structure, the email address of the sender is also normalized and stored in the second Bloom filter or similar structure. The normalization for email addresses is preferably different than that of display names. One step is for all the letters to be turned into a consistent case, such as either all lower case or all upper case. Additionally, for email addresses for which there is a user-specified variable component, as for Google Gmail addresses, this component is preferably removed before storing the address in the second Bloom filter. This also applies to other variable-component senders, such as some enterprises that use the variable-sender method to track the efficacy of advertising campaigns. The system preferably stores and maintains a list of such domains, and uses a detection method to determine if an email is sent from a sender address that matches the format of a variable-component sender for the associated domain. Examples of such heuristic methods include the length of the sender address exceeding a threshold, containing a character such as a ‘+’, and more. The above describes the training phase of the Bloom filters. As described, there is preferably a collection of pairs of Bloom filters, where a first pair corresponds to commonly recognized brand names, where such a list can either be manually identified or determined based on databases or services such as Alexa, and would preferably also comprise senders associated with the law firm of a protected enterprise, senders associated with a PR agency used by the protected enterprise, senders associated with the CPA of a protected enterprise, etc. Such senders can also be part of a second category. The second category preferably comprises names and email addresses of highly visible users within an organization, such as members of the C-suite. Whereas not all employees communicate with these members, it is likely that they are familiar with their names, and therefore, these names have a name recognition aspect to potential recipients who are employees of the organization. This second category corresponding to a second pair of Bloom filters preferably also comprises names and email addresses of well-recognized external users. The configuration of this second category is preferably done by manual selection of users by an admin, or using automated methods relying on public records or LDAP databases for employees with C-suite employees automatically selected. The first and second categories correspond to brands and users that are likely recognized by typical employees of the protected enterprise. A third category corresponds to senders that individual employees are familiar with, but not necessarily all employees. This preferably corresponds to the display names and email addresses of users with whom these individual users correspond with; and the selection of the names and addresses is preferably automatic using the contact or address list associated with individual employees of the organization or based on emails observed to have been sent by these users or received by these users. The latter corresponds to the notion of a “trusted” sender, as described in co-pending applications. The Bloom filters associated with this third category are specific to the individual recipients of emails, i.e., to individual employees within the protected organization, whereas the Bloom filters corresponding to the two first categories are shared for all employees. This description is only for illustrative purposes, and additional categories with associated Bloom filters can be created and maintained. For example, one division or group within a company can be associated with one category, where the associated Bloom filters are configured to store information relating to parties that members of this division or group are likely to associate with. This can be determined manually and be configured by uploading information associated with a database or list, or it can rely on traffic analysis. Categories can also be created for roles within an organization. For example, the CISO would have a category associated with him or her as an individual, and also one associated with his or her role as a CISO. When a new CISO is hired, this person preferably would inherit the role-dependent category and associated Bloom filters from the previous CISO. The determination of whether a party should be associated with the person or the role of an employee is preferably based on determining in an automated manner whether the email contents are personal or role-based, whether the sending organization is primarily associated with personal use or role-based use, and more. One benefit with the use of role-based categories is that this enables swift configuration of a system as people move from one role to another. Preferably, as a user makes such a move within an organization, the personal category would be preserved from before the move whereas the role-based would be inherited by one or more predecessors in that or related roles.
After the Bloom filters have been configured, the system scans incoming emails to determine whether they match a display name stored in at least one of the Bloom filters associated with the organization, group, role, or personal profile of a recipient, but not an email address stored in the corresponding email-storing Bloom filters. These determinations are made after the display name and email address of the sender are normalized in a manner corresponding to the normalization in the training phase. Since the system will not know a priori what category a display name corresponds to, if any, it will perform normalization on it as if it were a name of a brand and then test the corresponding subset(s), and also perform normalization on it as if it were an individual user and test the corresponding subset(s). The testing also is performed on the sender email address. If the display name of the sender of an incoming email matches the display name associated with one of the common-category display name Bloom filters or one of the display names associated with the Bloom filter of one of the selected-user (e.g., personal, role, division, group, etc) categories, but the email address does not match an email address associated with the Bloom filter of the corresponding category, then this is a potentially deceptive display name. In some embodiments, the accuracy of this assessment is very high, based on using large Bloom filters, whereas in another embodiment, the accuracy is much lower based on using short Bloom filters. In the latter case, a secondary verification can be performed by accessing a second set of Bloom filters that are larger, or by accessing a database that stores the same information as stored in the Bloom filters, but in a non-probabilistic manner. This allows a practical tradeoff between storage and computation.
The disclosed technology is also helpful to store information relating to Mail User Agent (MUA) signatures associated with messages. This is preferably done by encoding a set of MUA elements, such as the content descriptor; the S/MIME version; the time zone; and additional components of the headers. A known sender is observed and its associated MUA elements are recorded. This is preferably done by storing, in a Bloom filter or a similar structure, an identifier associated with the user and one or more of the MUA headers. For example, the system takes the email address of the user, which is an identifier, and combines this with at least one MUA element such as the S/MIME version, where the concatenation can simply be a concatenation of the two data elements. The resulting value is then stored in the Bloom filter. Then, the system takes the same identifier and another MUA element, combines these, and stores them in the Bloom filter. One or more such combinations are stored. The more MUA elements that are recorded in combination with the identifier, the more accurate the later security assessment will be. Some of the MUA elements will be used verbatim, such as “Content-Transfer-Encoding: quoted-printable.” Other MUA elements can be broken down in components, where each component is stored after combining it with the identifier; for example, the header “Content-Type: text/plain; charset=‘Windows-1252’” is preferably broken down into two components, namely “Content-Type: text/plain” and “charset=‘Windows-1252’.” Yet another option is to partially extract data from MUA elements, for example, the MUA string “--Apple-Mail=_0E26CDE1-A5B8-4EEC-A671-AA585684B354” contains one component “Apple-Mail” of identifying capabilities, and one component (“_0E26CDE1-A5B8-4EEC-A671-AA585684B354”) that is unlikely to be useful in identifying the device used by this user later on, as it is not likely to repeat. Various MUA elements belong to these various types.
At a later time, an email from an account is observed. The system extracts the identifier, such as the email address, and one or more MUA header elements, and combines these in the same manner as described above, after which the system determines whether that MUA element was previously associated with the identifier. Depending on the number of matches found, a score is generated. For legitimate traffic that truly comes from the user associated with the email account, this number is likely to be high, such as 7 matches, whereas for illegitimate traffic associated with a malicious user having access to the account, the number is likely to be low, such as 2 matches. In some embodiments, it is determined what the typical number of matches for the account is, such as “at least 5,” and this information is stored. This can either be stored in a database keyed by the identifiers of the user accounts, or it can be stored in the same Bloom filter storage structure used to store the MUA information. In the latter case, the count is combined with the associated identifier and the resulting string stored in the Bloom filter. This stored count acts as a threshold, or is used to select a threshold, where any count of matches exceeding the threshold results in one security assessment and any count of matches below the threshold results in another security assessment. The first security assessment would be that it is the legitimate user, whereas the second security assessment is that there is a high risk that the account associated with the observed email has been compromised. If it is determined that there is a high risk of compromise, a security action is taken, where this action may be to insert a warning in the email, block the email, quarantine the email, perform additional scrutiny of the email, temporarily quarantine the email while verifying out of band in a different communication channel with the supposed sender whether the email was sent, followed by an additional action depending on the response or absence of response, or more potential security actions, some of which may involve a human reviewer such as an admin, who is given at least a portion of the email and who is asked to make a security determination about the email. In addition, techniques relating to open quarantine can be applied. The system can let some of the potential actions be performed only if the match count is below a first threshold, such as “block the email if the match count is zero” while another action is taken for another threshold, such as “perform open quarantine if the match count is below the stored normal match count, which for this user is 4.”
In another embodiment, emails that are considered safe, i.e., have a trust value exceeding a threshold, are displayed as usual in the mail reader, whereas emails whose trust values fall below this threshold (e.g., due to being high risk of being sent from a corrupted account or being high risk of being deceptive) are displayed in another way, to indicate the risk to recipients. One such way is to remove display names. Another is to show the display name, email address, and email content, or some portion of this, in a color that is not otherwise used, e.g., light grey instead of black, making the material hardly readable unless the recipient takes an action such as clicking on a button stating “display high-risk material,” where this button can be placed in the chrome of the email reader, in or associated with the high-risk email, or in a menu that the recipient has to navigate to.
In another embodiment, clickable buttons are integrated into some or all messages by the security service. Examples of buttons are:
-
- “Unsubscribe.” This button would cause an automated attempt to unsubscribe the user from emails, without the need for the user to find an unsubscribe link, which is commonly hard to find, and without having to answer lots of questions. In addition to attempting to automatically unsubscribe the user, the system may also automatically block any email that still comes from the sender to the user.
- “Report phishing.” This button automates the reporting of the email to an admin, and may be used to automatically initiate a blocking of content of the same type, training of filters, and more.
- “Remind me later.” Clicking this button will add a calendar notification for the user, at a time selected by the user or pre-configured by the user, and containing information from the email and a clickable link to the email.
FIG. 2A is a flowchart illustrating an embodiment of a process for determining whether to investigate a sender of a message. At least a portion of the process of FIG. 2A may be at least in part implemented on analysis server 102 of FIG. 1, gateway 110 of FIG. 1, recipient message server 106 of FIG. 1, and/or any other server.
At 202, information about a received message (e.g., message to be delivered to an intended recipient) is received. In some embodiments, the information is received at analysis server 102 of FIG. 1. The information may include information included in or related to the message. For example, the information includes email address header information including an email address and a display name of the sender of the message. In some embodiments, the information about the message includes contents of the message (e.g., a copy of the message). Examples of the message include an electronic mail (i.e., email), an instant message, a chat message, and any other forms of electronic messages. The information may be received as a part of a computer security analysis and filtering to identify and neutralize security threats prior to delivering the message and allowing an intended recipient of the message to access the message. In some embodiments, each message received for delivery to its intended recipient associated with the system performing analysis of the message is to be analyzed and information about each of the messages is received for analysis.
At 204, a security risk associated with the received message is determined. For example, using the received message information, one or more security risk scores are calculated and/or one or more security risk rules/criteria are evaluated. Each different component of a security risk may be associated with a determined score or a range of scores, and a combination score be computed from one or more risk scores.
In some embodiments, determining the security risk includes determining whether the received message is a deceptive message, where a message is considered potentially deceptive if it comes from a party that is not trusted by the system, but which uses a display name or other identifying information that matches the identifying information of a party that is trusted by the system. Trust may be established in an automated manner by processing historical message traffic to and from the organization to be protected, historical documents processed by the organization to be protected, organizational charts for the organization to be protected, and contact lists of users in the organization to be protected. However, an alternative is for an administrator or external entity to provide a whitelist containing identifying information of entities to be trusted. Such identifying information may comprise display names, email addresses, and known aliases, where an alias is another display name or email address associated with or used by the entity. Security risks may also be identified by detecting attempts to spoof a user or organization. For example, this can be determined using Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), or DomainKeys Identified Mail (DKIM) or by methods that log historical server and IP information associated with a user or organization, and that detect discrepancies.
In some embodiments, determining the security risk includes automatically analyzing domain names to detect likely look-alike domains. This may involve computing the edit distance between a suspect domain and a target domain, and identifying whether the suspect domain is recently registered, associated with an unknown entity, or associated with a registrar other than what the target domain would have used. That, in combination with display name information, as described, can be used to establish a higher than normal risk. Additionally, automated scrutiny of message contents can be used to establish risk. For example, if an email contains terms associated with risk, such as “W-2,” “invoice,” or “acquisition,” this is an indicator of risk. In some embodiments, combinations of risk indicators may be used. For example, by identifying risky content coming from a newly registered domain with a high-risk display name, a very high certainty of risk can be established.
When a trusted user accidentally sends an email from the wrong account, he or she still—with an almost certainty—uses the right device—whether phone, ipad or laptop. An attacker who attempts to mimic the trusted user by sending an email from a webmail account with a deceptive display name sends an email from a “wrong” account—but more importantly, also from the wrong device.
In some embodiments, characterizing information relating to the device identity, very conveniently, can be read out from the “mail user agent” (MUA), which is part of the headers of an email. The MUA identifies the mail reader utilized; its version; the type of character sets the mail reader supports; the name of a carrier; and more. By building a model of the MUAs associated with trusted users, a security control can determine whether a potentially deceptive email has an MUA that matches that of the “corresponding” trusted user or not. If the potentially deceptive email was sent by an attacker, the MUA most likely will not match; but if it was sent from a personal account of the trusted user, then it almost certainly will.
However, it is not desirable for attackers to infer the expected MUAs of the users they wish to impersonate—and then masterfully mimic these users by setting the MUA that the security control expects. In some embodiments, when an email is flagged as potentially deceptive, but is found to have the “right” MUA, then the security system can perform additional verifications. One example is by sending an automated response to the sending account, and asking the user to respond to the email—from the “right” account. If the sender was benevolent, the security system will get a response—which will allow it to associate the personal account with the trusted user. But the attacker will not be able to respond from the trusted account.
The comparison of a stored MUA and an observed MUA does not have to be identical to be considered a match. For example, a user may have upgraded from one version of a software package to another, resulting in another MUA; similarly, a user may switch from one wireless service provider to another. There are many other examples of common and reasonable changes. Some changes, however, are very uncommon. For example, downgrading to a previous version of a software package is uncommon; also, the change from one type of operating system (such as iOS) to another (such as Android) at the same time as a dramatic change in IP address or locality is another uncommon change. The security system may store one or more sets of MUAs for each observed account, where any account sending email to a protected organization would potentially be observed. However, in some contexts, only frequent senders are observed, or only senders that satisfy some criteria, such as belonging to a law firm, vendor, financial institution, or the protected organization itself are observed. Alternatively, any party that satisfies a closeness criteria is observed, where this can be the transmission (to or from) of a minimum number of messages, being in the address book of a protected recipient, and more. The reason multiple MUA sets are preferably stored for each observed account is that most users have multiple devices. A user that just started to be observed may not yet have a profile of MUAs associated with it, or the stored collection has not yet stabilized. During such a period, the system may not take any action on emails that are received, unless they are considered potentially deceptive. That means that a user that is not considered deceptive—e.g., its display name does not match any trusted sender of the recipient—but which does not have any MUAs recorded would not be considered a threat. The system would simply record the MUAs as they are observed. MUAs observed coming from confirmed secure identities, such as accounts of controlled parties who use DMARC with p=reject, would immediately be added to the list of MUAs of the associated sender account. Here, a party is considered controlled if it has strict controls relating to how accounts are generated. For example, a typical enterprise would have strict controls over account creation, and only employees are able to get accounts with them; on the other hand, webmail providers such as Google Gmail do not have strict controls, and allow mostly anybody to get email accounts with them.
In some embodiments, a second consideration as a potentially deceptive email that is received is whether it is sent from a sender associated with strict account creation controls. If the email appears deceptive, e.g., has a display name matching a trusted sender but is not from an email account known to belong to this sender, but the email comes from a domain that has strict account creation controls, and which uses DMARC, then the security system determines that the email is not intended to deceive, but may simply correspond to a naming coincidence. In some embodiments, the security system does not take any action when this is observed; in another embodiment, it adds a simple warning “This may not be whom you believe it is,” and then delivers the message; and in yet another embodiment, it only performs a security action, including issuing a challenge, if a security screening fails, where this corresponds to the email having potentially risky attachments such as attachments that are executable, or the email matches another risk rule, such as having other content that is associated with increased risk. In contrast, if the email comes from a domain that does not have strict account creation controls, or from an organization that can be spoofed, then the security service takes a security action, as previously described.
In some embodiments, if it is determined that the received message is considered to be likely deceptive, it is determined whether the sender is associated with a strict account creation control. This can be done using a variety of heuristics, and by consulting databases created to list domains and services that are known or believed to either have or not to have strict account control. For example, if the sender is not determined to be associated with strict account control, then it is determined to investigate the sender in 206, otherwise, it is determined whether the sending domain can be spoofed. This can be determined by looking up the DMARC status, if available, of the sending domain. In this example, if the sending domain can be spoofed, it is determined to investigate the sender in 206, and otherwise it is determined to not investigate the sender in 206.
At 206, it is determined whether the determined security risk associated with the received message meets one or more criteria to investigate a sender of the message. In some embodiments, if a security risk score (e.g., total security risk score or a selected component score) exceeds a first threshold, then the received message is considered sufficiently risky and a defensive action is taken by investigating the sender of the message. In some embodiments, if the risk score exceeds a second threshold that is lower than the first threshold, then a defensive action may be taken conditional on some other verification of risk (e.g., a component score meeting a threshold, one or more other criteria met, etc.).
In some embodiments, it is determined that the determined security risk associated with the received message meets one or more criteria to investigate the sender of the message if one or more specified risks have been identified. For example, if it is determined that the received message is from a sender not trusted by the system and uses a display name or other identifying information that matches the identifying information of a party that is trusted by the system, it is determined to investigate the sender of the received message. In another example, if a domain of the sender is detected as a look-alike domain, it is determined to investigate the sender of the received message. In another example, if the message includes one or more identified malicious content, it is determined to investigate the sender of the received message. If none of the one or more criteria is met, it is determined to not investigate the sender of the message. Thus in various embodiments, the one or more criteria used to determine whether to investigate the sender of the message may be based on any of the security risk analyses and detection techniques described herein. For example, once the received message is identified with sufficient certainty as a malicious attack, it is determined to investigate the attacker (e.g., sender of the received message).
If at 206, it is determined that the determined security risk associated with the received message does not meet the one or more criteria to investigate the sender of the message, the process proceeds to 212.
If at 206, it is determined that the determined security risk associated with the received message does meet the one or more criteria to investigate the sender of the received message, at 208, one or more responsive messages that are responsive to the received message are automatically generated and sent to the sender of the received message. For example, the responsive message has been at least in part automatically generated to include content responsive to content included in the initially received message from the sender and is automatically sent to the sender.
In some embodiments, a reply message is expected in response to the automatically generated responsive message. In some embodiments, the automatically generated responsive message includes an unpredictable string, such as what can be generated by a pseudo-random generator, true random generator, or another type of generator producing largely unpredictable outputs. The absence of this string in the reply message to the responsive message may indicate abuse, as is the absence of a response. The inserted string is different for each time the string is generated, and is stored by the security system for at least a set time period in order to later be able to verify that the correct string was included in the reply to the responsive message. However, in an embodiment, the string is an encoding of a user identity such as the identity of the trusted user, or of a record associated with the potentially deceptive email, allowing a security system to identify whether a response is valid, and to what instance or account it belongs. In some embodiments, a security system determines whether the reply to the responsive message has indications of being spoofed, e.g., using DMARC, SPF or DKIM, or by determining whether the name of the sending server matches a server known to be associated with the trusted account. If there are such signs of spoofing, then this too is seen as an indication of abuse. If a valid reply message is received in response to the responsive message, where this corresponds to a message sent by the proper account without signs of spoofing, and the reply message includes at least a large portion of the string that was inserted into the automatically generated responsive message, then the originally potentially deceptive message identified in 204 and its associated sender are determined to be secure, since they are likely to have been sent by a user corresponding to a trusted account. In some embodiments, the reply to the automatically generated responsive message is to be received within a threshold time period, such as one hour, for the reply message to be considered valid. This time limitation is beneficial to avoid system abuse arising from account breaches, and similar vulnerabilities.
In some embodiments, different accounts are associated with different trust scores, and the previously described mechanisms are used to create a trust score inheritance wherein a less trusted account inherits at least some of the security properties or trust score associated with a trusted account.
In some embodiments, instead of soliciting a reply message to the automatically generated responsive message, the recipient is requested to select an embedded hyperlink that encodes the unpredictable string. If the security system receives a valid response in the form of a GET request associated with the unpredictable string, then this is seen as a valid response. It is beneficial for the security system to also consider additional data, such as the IP address from which such a GET request comes, and use that to score a response. A response that is anomalous, e.g., which comes from an IP address indicating an anomalous location for the associated user, can be used to indicate a higher than normal risk.
In some embodiments, the responsive message is not sent to the account that sent the initial message considered potentially deceptive in 204, but instead, a challenge email is sent to the account corresponding to the trusted user whose display name matches the email that is considered potentially deceptive. The automatically generated responsive message can request a response—whether directly from the trusted account or from the account sending the potentially deceptive email, or the clicking of a hyperlink. One hyperlink can correspond to “yes that was me” and another to “I did not send that email,” wherein the first hyperlink would encode the string and a positive indication, and the second hyperlink would encode the string and a negative indication.
In some contexts, such as when taking a feed of potentially abusive emails as input to a security control intended to identify criminal strategies and trends, it is important to know that the message, in fact, corresponds to a criminal attempt and is not a false positive. It would be beneficial to outsource the decision of criminal intent to the party we are about to interact with. In other words, a test in which a criminal “admits” to being a criminal, while an honest person asserts that the person is honest, could be used.
The responsive message may include content that allows an analysis system to track interactions with the tracked content by a recipient of the responsive message. Then based on the tracked interaction, a security risk associated with the recipient of the responsive message (e.g., security risk classification) can be determined. The responsive message is generated in a way that it results in the classification of an entity to be highly suspicious for a large portion of criminals while resulting in the highly suspicious classification for only a negligible portion of honest users. Additionally, the responsive message should not cause consternation among honest users, and preferably be largely indistinguishable, to an honest user, from “regular spam” or an email that was sent by mistake.
An example of a responsive message includes two emails, E1 and E2 below, sent to the potential offender in rapid sequence, such as two minutes apart. The responsive message may be from the recipient of the received message in 202 or an unknown sender that is not associated with the recipient of the message from the potential offender.
Example responsive message E1 includes the following content:
-
- Hi <first name of potential ofender>,
- Here comes the W-2 report you asked for. Please let me know if you need anything else for now.
- Regards,
- Molly
- <attachment: a document, “W-2_February2018.doc” that has one page with fake W-2 data and then a large number of garbled pages—and a tracker>
Furthermore, example responsive message E2 includes the following content:
-
- I am so sorry to trouble you! You do not know me, but just got an email from me.
- I am terribly sorry! I do not know how this happened, but the email I sent you just a short while ago is by mistake. It was not intended for you, and I must ask you to please delete the email. I am very sorry for the trouble!
- Again, please delete the previous email. Thank you so much for your understanding
- Molly
These are only example responsive messages and other responsive messages are utilized in other embodiments. For example, the responsive message may include a clickable URL, and an associated text indicating that the annual report is ready to be reviewed, but where the website associated with the URL requires login. If the recipient of the responsive message requests the password, then the potential offender is classified as highly suspicious.
In some embodiments, there exists a repository of templates of responsive messages and generating the responsive message includes selecting a template from the repository. The selection may be based on one or more of the following: an identifier (e.g., name, address, domain, title, role, etc.) associated with the intended recipient of the responsive message or an organization associated with the intended recipient of the responsive message, an identifier (e.g., name, address, domain, title, role, etc.) associated with a sender of the responsive message or an organization associated with a sender of the responsive message, a previous responsive message sent to the intended recipient of the responsive message, an identifier (e.g., name, address, domain, title, role, etc.) associated with a recipient of the received message in 202 or an organization associated with a recipient of the received message in 202, a randomization factor (e.g., selected randomly among a narrowed subset of templates), etc. Then, once a template is selected, parts of the template may be filled in with automatically generated content in generating the responsive message. In some embodiments, the responsive message template to be utilized is selected based on a workflow specified by a user. For example, an administrator specifies rules, conditions, and process flows that identify which specific template to be utilized in which specific circ*mstances.
In some embodiments, the responsive message includes content that allows tracking of interaction with the responsive message. For example, the responsive message includes an attachment or embedded content that reports back interaction (e.g., reports back when attachment is opened, when content is loaded, when message is opened, etc.). In some embodiments, the responsive message includes a content reference (e.g., URL) identified as referring to a content for the recipient of the responsive message. For example, the responsive message includes a content reference that is identified as referencing a content that is likely desired to be accessed by the attacker to entice the attacker to open the message and access the content via the reference. The content reference may be included in the body of the responsive message with associated descriptive text identifying an apparent target content or included as an attachment that utilizes the content reference. In various embodiments, the content reference may be identified as referring to a content for the recipient of the responsive message via a descriptive text, an anchor text, message content text, and/or by virtue of being included in the responsive message to the recipient. In some embodiments, the responsive message invites the recipient to write back a reply message, and interaction with the responsive message is tracked by receiving and analyzing the reply message.
In some embodiments, the responsive message appears to be from the intended victim/recipient of the initial received message and/or another sender related to the intended victim. A message account/address from which to send the responsive message in response to the received message is selected. In some embodiments, the sender message account/address is the recipient of the initial received message. The responsive message can be sent in a manner that does not require the involvement of the user or recipient of the received message (e.g., the attacked account), and any email on the same message thread may be automatically responded to by the system, without involving the user of the attacked account. In one embodiment, the emails on this thread would not be visible to the user of the attacked account, but would either be placed in a quarantine, in a folder corresponding to automated traffic, or not stored at all in a manner that is accessible to a user. For example, the messages of the thread could be stored in a repository only accessible by the security system or an administrator (e.g., to avoid confusing the owner of the attacked account of the initial received message).
In some embodiments, the responsive message refers the sender of the initial received message (i.e., recipient of the responsive message) to a third party, who may be fictional but appears real to the sender of the initial received message, and where any messages sent to this third party would be associated with the attack, stored by the system, and automatically responded to by the system. The third party account may be a honeypot account that is attended by the system, and messages responded to automatically. Two different attackers can be referred to two different honeypot accounts to simplify tracking, or the system can determine what message belongs to what conversation based on at least one of the thread, a signature element or other conversation-specific content of the message, or by separating conversations based on the account identity of the attacker.
In another embodiment, a honeypot account is generated or configured based on the identity of the attacked party (e.g., recipient of initial received message), and a message is sent to the attacker (e.g., sender of the initial received message) from this honeypot account, potentially referring to the initial message sent by the attacker to the intended victim. For example, the initial message from the honeypot account could use the same thread as the initial message from the attacker to the intended victim, the same or similar subject line, or incorporate at least portions of the content in the message from the attacker to the intended victim. In the latter case, this incorporation may appear as a user response to an email, e.g., using indentation of the cited portions. Alternatively, the initial message from the honeypot account to the attacker could simply contain information that is likely to encourage the attacker to continue the conversation, such as a request for additional information or a request for clarification. The identity information of the honeypot account may be configured to match the identity information of the intended victim to some extent, e.g., by using the same or similar display names. The domain of the honeypot account may be a domain selected from a plurality of domains used specifically by the system for honeypot accounts, and may be similar to the domain of the attacked user. In one embodiment, the display name and the domain name of the honeypot account both match the display and domain name of the intended victim (e.g., recipient of the initial received message), but the user name of the account is different. Alternatively, the domain may be that of a web email service provider, such as Yahoo mail, Hotmail, or Google Gmail. The account may be one from a large collection of honeypot accounts used by the system, and may simply be configured by setting the display name to match the intended victim. Alternatively, it may be a different display name altogether, but the subject line or thread information is the same as that in the initial attack email (e.g., initial received message).
In some embodiments, once the responsive message has been automatically generated and sent to the sender of the initial received message (e.g., the attacker), a response from the attacker is expected. Once a subsequent message (e.g., in response to the responsive message) or action is detected/received from the attacker, the action/message is analyzed to extract useful contextual information and used to select or generate further responses to the attacker. For example, a system would identify and extract vital account information sent by the attacker. The selection or generation of automated responses can be done using artificial intelligence (e.g., conversational AI agents). The responses may be stateful and take prior messages into consideration. In some embodiments, responses matching keywords in the messages sent by the attackers are generated/selected.
For example, if an attacker asks for help to complete a task, the response could be to ask for more information about what the attacker would like to achieve. If the attacker asks for W-2 information, the system would generate or select a file with correctly formatted data that would appear like credible W-2 data to an attacker. Such files could also contain tracking beacons. If the attacker asks for an invoice to be paid, but does not attach a document, an automated system could ask the attacker to send the invoice again. Multiple rounds of interaction can be performed. The system may continue to interact until the attacker stops responding, a counter-attack is performed, or sufficient data is extracted to perform a security action.
In some embodiments, each response generated by the system contains at least one tracking beacon, which could be a zero-sized pixel, a logo, or other image with a unique name, or attachments or URLs that permit tracking using macros, cookies, or other such technology. In some embodiments, mail user agent (i.e., MUA) information is recorded for each message received by attackers, and stores all the obtained tracking information in a profile associated with the attacker, and with the attack. Additional tracking information may comprise IP information, server name information, DKIM signature information, and other information associated with the sending devices used by the attacker. This allows a system to identify when two attacks are likely to correspond to the same attacker or not, and whether there is likely to be multiple users associated with one attacker account. This can be determined by identifying multiple MUAs of a similar type (e.g., all being phones) or multiple IP addresses or service providers/carriers used to transmit the messages from the attacker, or access web resources used for the tracking of the attacker.
The message interaction with the attacker can follow human-written scripts, where a system may scan for keywords in incoming messages from the attacker, evaluate these using a scoring algorithm that uses keyword matching, and automatically select the scripted response with the best fit with respect to the scores and keywords matched. This script-selection approach can be combined with techniques that modify the script by substituting words with synonyms, perform minor modifications of grammar or style to these, or otherwise add signatures or attachments that are generated by an algorithm that uses randomization to generate new elements, such as addresses, phone numbers, names, social security numbers, and similar. In various embodiments, techniques utilized to engage in communications with attackers may vary depending on detected type of security risk/attack. For example, in the case of a BEC vs. romance scam, the response to attackers may vary. By dynamically adjusting responses based on a detected type of risk/attack, engagement with the attackers is tailored to better adapt to different scenarios.
In some embodiments, in order to reduce the risk of the attacker identifying that he or she is interacting with an automated system, the responsive message is generated and/or sent in a manner that introduces a variable factor. In some embodiments, different delays are utilized between receipt of an email by the system and the automated response by the system. The responses may take place during regular office hours only, with a random distribution resembling regular responses by users. For example, the system may generate a response within approximately five minutes of receipt with a 10% probability, within an hour with a 50% probability, and within a day with a 90% probability. Thus, the response time can be selected according to a time distribution, according to the regular hours of the business under attack. Furthermore, the probability of detection by the attacker is reduced by making sure that the automated responses do not always look the same, or even look the same given the same or similar input from the attacker, but that the responses would depend on a random component. For example, words in the response can be replaced by synonym words according to a probability distribution matching the use of these words in English language, where this probability distribution can be obtained from an N-gram database or inferred from tabulating a large number of email messages processed by the system. Similarly, as will be understood by a person skilled in the art, multiple response formats can be used, wherein the format used is selected based on a random input. Moreover, the responses can be generated in multiple different ways. In one embodiment, the response to the attacker is one of a spoofed email, a message sent from a personal webmail account with a display name set to match the attacked person's account name, and from the attacked person's actual email account—although submitted by the automated conversation engine of the disclosed security system. A system may vary the manner of response in response to different attacks, but may maintain the same response manner for a multiplicity of responses, in response to one attack. However, as described, it may be desirable to convey to an attacker that he has attacked a defensed entity by notifying the attacker of this. This notification may be performed after vital account information has been collected by the system and a take-down process initiated. In some cases, this notification is not instantaneous. For example, after the system has received one bank account identifier from an attacker, it may generate a response to the effect that this bank account has a problem, requesting an alternative bank account from the attacker. This can be done at the same time as a take-down effort is initiated. If the attacker responds with a second bank account, the same thing may be done again, and the cycle repeated until the attacker does not respond, after which a notification is generated to the attacker, clarifying that he has attacked a protected entity.
In some embodiments, when the attacker requests the content of the reference, access to a message repository of the attacker is requested as a condition of obtaining the identified content of the reference. Because the attacker is likely eager to obtain the content of the reference, the attacker likely will allow access to the message repository of the attacker. Then, with access to the attacker's message repository, information about the attacker can be investigated and gathered.
In some embodiments, access to the apparent target content of the content reference is allowed. For example, automatically generated dummy content that appears to be the final content desired to be accessed by an attacker via the content reference is provided. By providing the dummy content, the attacker is less likely to be suspicious of the content reference and continue to allow access to the message account/repository of the attacker while an investigation is performed. This also encouraged the attacker to interact with similar future content references. The dummy content may appear to be legitimate content (e.g., appears to be a real fund transfer receipt due to formatting and overall look matching a legitimate example) and be personalized/customized for the parties involved (e.g., includes personal information of the message parties) but in fact may include false information (e.g., false account number) to prevent harm as a result of the dummy message.
At 210, one or more interactions with the responsive message are tracked and analyzed to determine a security risk associated with the sender of the initially received message. In various embodiments, tracking the interaction includes tracking one or more of the following: whether and/or the number of times content of the responsive message was viewed/opened (e.g., number of times tracker activated), type of device utilized in the interaction, IP address associated with the interaction, location associated with the interaction, amount of time associated with the interaction, number of different devices, locations, and/or IP addresses associated with the interactions, amount/type of content attempted to be accessed during the interaction, one or more reply messages provided in response to the responsive message, content included in reply messages provided in response to the responsive message, keywords included in reply messages provided in response to the responsive message, etc. In various embodiments, the tracking may be performed by: collecting information provided by a tracker program/code embedded in an attachment or content of the responsive message that gets executed when the attachment/content is opened/viewed; collecting information from requests made for content referenced by content of the responsive message (e.g., URL/http requests to a server that tracks the requests); and/or collecting any reply message (e.g., reply email) received in response to the responsive message.
In various embodiments, analyzing the one or more interactions includes analyzing the tracked data. For example, it is determined whether one or metric thresholds have been met and/or one or more scores are determined based on the tracked data. Each security risk classification may correspond to a different range/degree of scores and/or criteria, and based on the tracked data, the security risk classification corresponding to the sender of the initially received message is determined. For example, security risk classifications are based on the number of times and by whom a tracker of the responsive message has been activated within a period of time. In one example: if the tracker of the responsive message is not activated within a specified period of time, the sender of the initially received message is classified as a low security risk; if the tracker of the responsive message is activated once within the specified period of time, the sender of the initially received message is classified as an unsure security risk; if the tracker of the responsive message is activated at least twice within the specified period of time, the sender of the initially received message is classified as a likely security risk; and if the tracker of the responsive message is activated at least twice within the specified period of time from multiple different IP addresses or devices or from an IP address within a range known to be associated with fraudulent activity, the sender of the initially received message is classified as a high security risk. In another example, the content of a reply message to the responsive message is analyzed and if one or more keywords, phrases, or content associated with a particular security risk level is detected, the sender of the initially received message is classified as the particular security risk.
In some embodiments, the one or more responsive messages are sent in an attempt to gain access to a message account of the attacker (e.g., sender of initially received message). This can be done in a variety of ways. One way is to send from the honeypot account to the attacker account an email that contains a URL that leads to a page that requests the attacker to grant OAuth access to his or her email account, or other messaging account. If the attacker grants access to the webpage controlled by the security system, then the system is able to read all incoming and outgoing emails from and to the attacker's messaging account. The security system then identifies peers of the attacker with whom the attacker interacts.
The security system may further attempt to coerce the peer account holder to give the system OAuth access to his or her account, after which the security system scrutinizes the contents of that email account and identifies peers of that account. These can then be automatically interacted with. The security system can also scan the email messages sent to or from the account of the attacker, looking for apparent passwords, and automatically verifying whether these are valid. The security system can further use methods relating to phishing to gain credentials from the attackers and his or her peers. Once access to the message account of the recipient of the responsive message is obtained, vital account information can be obtained. Take-down requests then can be automatically generated for one or more of these vital accounts.
The security system can further scan the messages sent to and from accounts of criminals that have allowed the security system access to his or her messages, identifying messages with malware attachments. Such malware instances can be replaced with flawed versions, with versions with backdoors, with versions that call home to the security system, and with versions that corrupt stolen information, in a way that may not be immediately detectable to the attacker. This way, the security system can reduce the yield of the attacker, track his or her illegitimate activities, protect end users, introduce tracking information, and more.
In some embodiments, each identified security risk and/or attack instance is classified according to an attack classification describing the nature of the attack according to a threat taxonomy. In addition, tracking of the attack may be performed to identify the location and computer technology of the attacker for each attack, and uses cookies, cache cookies, a user agent, flash cookies, and other identifiers to determine what attacks are performed by what attackers. Likely influences between groups can be identified based on proximity of location, similarity of techniques, and similar trends in behavior. This helps determine what groups or subgroups are influencers, which helps prioritize countermeasures against these groups. The threat can be classified in terms of the attack techniques, for example, by determining whether the attacker uses spoofing, as indicated by discrepancies in the SPF records, IP addresses, or server names; whether the attacker uses display name deception; whether the attacker uses look-alike attacks; and to whom the domain used was registered to, whether it was done using a stolen credit card, etc. The threat is further classified in terms of whether it contains a URL, and if so, what kind (phishing, malware, advertisem*nt, etc.); what the domain is; whether the domain is an impersonating domain, such as payypal.com; whom the domain is registered to; etc. Furthermore, the threat is classified in terms of whether it has an attachment, and if so, what kind (e.g., zip file, pdf, word document), and whether it has malware, payment instructions, etc. The threat is further classified in terms of the language of the text, whether the message uses a cascading style sheet template of a legitimate company; whether it contains spelling errors; whether the grammar is incorrect; whether the text appears to be translated from another language, e.g., using Google Translate; and whether the text bears strong resemblance to other previously observed texts. This resemblance is one of a string distance measure, a measure of overlap of uncommon words according to TF-IDF or similar measures, whether the texts both contain an unusual phrase, and similar. Based on these and related measures, the attacks are classified and clustered. Different subsequent attacks associated with the same attacker or suspected group can be investigated as a function of time as it relates to the change of methods or absence thereof, potential influences, including likely collaboration or copycat attacks; and other similarities or differences. These are also used to tie-break clustering efforts aimed at determining what attacks should be attributed to what groups, and what groups are the most prominent threats.
The disclosed technology is also compatible with clustering methods. The classifications and clusterings are used for the purposes of determining whom to send take-down requests and law enforcement requests to, how to prioritize these requests, etc. They can also be used to identify what groups or attackers to infiltrate or otherwise corrupt to reduce the impact of the attacker's efforts.
A further benefit of the disclosed technology is that it enables the detection of attacker patterns, including temporal patterns, victim selection patterns, and methods and tricks used by various attackers and groups of attackers. This enables a predictive analysis of likely future attacks that, in turn, helps prioritize take-down efforts, the deployment or prioritization of other security measures and their roll-outs, and which helps determine the assessed financial benefit associated with blocking the activities of each attacker or group of attackers, based on their estimated reach, attack volume, likely success based on the type of attack tools used, and other measurements, thereby helping organizations and law enforcements to determine the size of the threat and whether it increases or decreases. Furthermore, by classifying the threat in terms of the functional goals of the attackers helps cluster and prioritize countermeasures. Examples of such functional goals include but are not limited to advance fee attacks, romance scams, business email compromise attacks, ransomware attacks, and more. These can be classified based on identification of terms indicative of each type of attack, e.g., “Western Union” (commonly associated with advance fee attacks), scripted love letters with great similarity between multiple instances (commonly associated with “romance scams”), and so on. They can also be classified based on the apparent target of the attack and the context of the attack; for example, a business email compromise attack typically involves the impersonation of one c-level executive to another c-level executive. They can also be classified based on potential payload (e.g., ransomware attacks commonly are associated with an executable attachment or an encrypted zipfile containing an executable file).
In various embodiments, attacks can be classified based on a taxonomy of abuse, such as the following example taxonomy:
The type of identity deception used:
-
- a. Legitimate user—no identity deception. (This could still be a malicious email, or spam—but it is not using identity deception.)
- b. Spoofing
- c. Look-alike domain
- i. Type 1: Looks a lot like the impersonated domain (such as paypal.com)
- ii. Type 2: Generic, to be used with subdomain (such as paypal.secure-pay.com)
- iii. Type 3: Generic, to be used without subdomain (such as office-of-ceo.com)
- d. Display name deception
- e. ATO
- i. The compromise was based on the password of the launchpad user being stolen
- ii. The compromise was based on OAuth opt-in of the launchpad user
- iii. The compromise is of the computer of the launchpad user
- iv. The compromise is of a computer managing email for the launchpad user
The technical classification of the payload.
-
- a. The payload comprises a URL
- i. The URL goes to a phishing website
- ii. The URL goes to a malware-installing website
- iii. The URL goes to an advertising site
- b. The payload comprises an attachment
- i. The attachment is executable
- 1. A traditional executable
- 2. A macro
- ii. The attachment is a zip file
- 1. The zip file is encrypted
- iii. The attachment is a document with user instructions (e.g., payment instructions or modified invoices)
- i. The attachment is executable
- c. The payload comprises user instructions (e.g., BEC attack)
- a. The payload comprises a URL
At 212, a security action is performed based on the determined security risk, if applicable. In some embodiments, in 204 and/or 210, one or more security risk scores are determined and based on these score(s), a security action is selected among different security action options. For example, the security action to be performed is selected based on the security risk associated with the sender of the initially received message. The selected security action is performed. For example, a security risk score may indicate that the message is of very low risk (e.g., risk score is below a first threshold) and the message is fully allowed to be accessed by the intended recipient (e.g., allow the message to a message inbox of the intended recipient). If not, the security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient (e.g., allow the modified message to a message inbox of the intended recipient). Otherwise, the security risk score may indicate that the message is of high risk (e.g., risk score is above the second threshold) and the message is not allowed to be accessed by the intended recipient (e.g., send the message to an administrator for further analysis). If there exists a different security risk score for different types of security risks, each different type of score may be analyzed separately and/or analyzed in combination to determine which level, if any, of security action is to be performed.
In some embodiments, it may be desirable for high-risk emails to be quarantined or rewritten/delivered as the emails come in. Around the same time, a system sends out at least one challenge in the form of the responsive message, and if a valid response to this challenge is later received, then at least one action is taken. Examples of these tentative actions include:
-
- 1. Extracting the initial email from the quarantine and sending it to its recipient.
- 2. Removing an already transmitted email from the inbox of the recipient, where this already transmitted email is a modification of the original email, and may replace the modified email with the original email. Here, the modified email may be the same as the original email but for the inclusion of a warning, the replacement of a user identifier—such as the display name or a logo—with a generic user identifier such as “unknown sender” or the absence of the identifier. As the modified email is replaced with the original email, the user identifier would again be present, and the warning absent. In addition, clarifications can be added, such as “Note: this sender is associated with <name and email address of trusted sender>”, in a displayed portion that cannot be modified or controlled by the sender.
- 3. Updating the reputation, risk score, or security property associated with at least one sender of emails.
Likewise, if an invalid response is received, or a response indicating another type of abuse is received, or no response is received, then the system may take other actions, such as increasing a risk score associated with the sender, causing the sender to be placed on a blacklist, and more.
Examples of the security action (e.g., selected from the list based on a risk score and/or specific type of threat or information detected in the message) include the following: sending a message to the sender to determine whether it automatically forwards responses; generating a security challenge sent to the sender (e.g., if this is not responded to, it is indicative of higher risk and if it is responded to in an anomalous manner, that is also indicative of higher risk); generating a challenge sent to an alternative account of the sender (e.g., another email address associated with the sender); sending an SMS message to a phone number associated with the sender; placing an automated call to a phone number associated with the sender (e.g., requesting a confirmation or a response from the user associated with the account the security challenge is sent to); performing additional automated scrutiny of the message (e.g., including its content portion); performing additional manual scrutiny of the message (e.g., including its content portion); quarantining the message; blocking the message; delivering the message; augmenting the message to reduce the risk associated with it (e.g., modifying its attachments); analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine; adding a warning to the message prior to allowing the message to be accessed by the intended recipient; and moving the message to a special folder identifying its higher risk.
In some embodiments, a software component is introduced at a protected sender side, the software component encoding information in a header element for recipients to observe. By letting the information be a function of a key that is shared between the sender side and the observer side, a message authentication code can be implemented. Alternatively, asymmetric cryptography such as digital signatures can be used for the authentication, as can streamed authentication methods such as TESLA or other hash chain constructions. The authenticated data may be an empty field, a portion of the message, a counter, data relating to the transmission time, and information about the context of the message creations, such as the IP address from which the message was submitted. It is desirable that the data is encrypted or that obfuscation methods are used; alternatively, proprietary formats can be used to complicate decoding by an unauthorized observer.
Attackers gaining access to email accounts typically perform searches to identify high-value contacts, e.g., by searching the mailbox for keywords indicating financial services, high-profile connections, and more. If a company wishing to limit the damage associated with the corruption of the accounts and machines of external associates were able to send messages that “self destruct,” the damages associated with the corruption may be mitigated. One example of achieving self-destructing emails includes replacing message content with a hyperlink. The outgoing mail server can automatically identify high-risk emails (based on content, recipient, and internal policies) and rewrite the content with a hyperlink that, when clicked, would give the recipient access to the content. This access can be controlled; it can be limited in terms of time after receipt (e.g., 3 days), it can require a password or other authenticating action, it can be conditional on an action not yet having been observed (e.g., no response has been received to this email yet), etc.
Another example of achieving self-destructing emails includes placing an email representing one or more archived messages in a special folder. If the associated account is controlled by the security service provider, received emails can be archived in a password-only storage after some time. This can be implemented by placing an email representing one or more archived messages in a special folder, the email having a hyperlink leading to a password-protected server giving full access to all archived emails. (The password protected server can limit access based on volume, IP address, etc.) There can be a policy determining what messages get auto-archived, based on sender, content, and other indicators. The auto-archiving feature can depend on having observed a high-risk action, e.g., a user opening a risky email, following a link, and entering a text (which may be a password), or accessing the mailbox from an unknown computer.
FIG. 2B is a flowchart illustrating an embodiment of a process for investigating a sender of a malicious message. At least a portion of the process of FIG. 2B may be at least in part implemented on analysis server 102 of FIG. 1, gateway 110 of FIG. 1, message server 106 of FIG. 1, and/or any other server. In some embodiments, at least a portion of the process of FIG. 2B is performed in 210 of FIG. 2A.
At 222, a request for content associated with a responsive message is received. For example, the responsive message is the responsive message sent in 208 of FIG. 2A that is in response to the initial received message of 202. The request for content may be a HTTP/network content request received at a webserver in response to a recipient of the responsive investigative message selecting a reference/link in the responsive message. Other examples of the request include opening a message attachment that makes the request, loading network content referenced in the responsive message, and any other content request associated with the responsive message.
In an attempt to gain access to messaging accounts of the attacker that sent the received malicious message (e.g., recipient of the responsive investigative message), the responsive message is sent (e.g., from a honeypot account) to the attacker account and includes a content reference (e.g., hyperlink, URL, etc.) that when selected or otherwise utilized to make a request, a network request is made and received at 222.
The content reference is identified in the responsive message as a link to access an apparent target content desired to be accessed by the attacker, enticing the attacker to open the message and access the content via the reference. For example, a link identified as leading to monetary transfer confirmation, payment redemption instructions, password information, etc. is included in the message. The reference may actually lead to a web content (e.g., webpage made to appear as a landing page that will eventually provide access to desired content) provided by analysis server 102, gateway 110, recipient message server 106, and/or any other server or security service.
At 224, an acknowledgement to terms of an agreement is requested and obtained. For example, when the attacker requests the content of the reference, access to a message repository of the attacker is requested as a condition of obtaining the apparent target content of the reference (e.g., content desired to be accessed by the attacker via the reference). To ensure that accessing a message account of the recipient of the responsive message and/or reporting associated information is not against the law, a terms/disclaimer requesting authorization is provided. Agreement to these terms/disclaimer is provided as a condition for proceeding (e.g., to obtain the desired content). For example, a webpage provides an End User License Agreement (EULA) request authorization to obtain/utilize the access credentials (e.g., passwords, reset questions, or OAuth credentials) for one or more specified uses (e.g., to prevent fraud or crimes). The user may indicate agreement and authorization by providing a digital authorization (e.g., select checkbox, select button, etc.).
At 226, access to one or more message repositories/accounts is requested and obtained. For example, once a user (e.g., recipient of the responsive message) has agreed to the agreement, the user is provided a request for access to one or more message repositories/accounts of the user. The user is provided a webpage that requests the attacker to grant access (e.g., OAuth access) to his or her email account, or other messaging account. Because the attacker is likely eager to obtain the content of the reference, the attacker likely will allow access to the message repository of the attacker. In some embodiments, once access to the one or more message repositories/accounts is obtained (e.g., access to email box obtained), access to desired apparent target content is provided. For example, automatically generated dummy content that appears to be the final content desired to be accessed by an attacker via the content reference is provided. By providing the dummy content, the attacker is less likely to be suspicious of the content reference and continue to allow access to the message account/repository of the attacker while an investigation is performed. This also encouraged the attacker to interact with similar future content references. The dummy content may appear to be legitimate content (e.g., appears to be a real fund transfer receipt due to formatting and overall look matching a legitimate example) and be personalized/customized for the parties involved (e.g., includes personal information of the message parties) but in fact may include false information (e.g., false account number) to prevent harm as a result of the dummy message.
At 228, access to the one or more message repositories/accounts is utilized to perform an investigation. For example, with access to the attacker's message repository, information about the sender of the malicious message (e.g., attacker) can be investigated and gathered.
If the attacker grants access, a security system is able to read all incoming and outgoing emails from and to the attacker's messaging account. The security system is then able to identify peers of the attacker with whom the attacker interacts. This identification may be performed by identifying the flow of stolen account data, exploit data, or other victim related data, such as address lists. If such data has been exchanged between the attacker and one other account—the “peer account,” then the system may configure a new honeypot and start sending traffic to the peer account. This honeypot can be configured to appear like the attacker, e.g., have the same display name as the attacker, and send messages similar to those exchanged between the attacker and the peer account. Alternatively, the system can use the attacker's account, to which it has access, to send messages to the peer account. When the peer account responds to any such system-originated messages, this is detected, since the response message will use the same thread. Any such response will be hidden from the attacker, and responded to by the security system. This means that the security system now uses the account of the attacker as a honeypot to collect information from the peer account. The system may replace, add, or augment files and messages sent between the two accounts to add fake user data that is helpful for tracking purposes. The security system may further attempt to coerce the peer account holder to give the system OAuth access to his or her account, after which the security system scrutinizes the contents of that email account and identifies peers of that account. These can then be automatically interacted with. The security system can also scan the email messages sent to or from the account of a criminal, looking for apparent passwords, and automatically verifying whether these are valid. The security system can further use methods relating to phishing to gain credentials from the attackers and their peers.
A security system can further scan the messages sent to and from accounts of criminals that have allowed the security system access to his or her messages, identifying messages with malware attachments. Such malware instances can be replaced with flawed versions, with versions with backdoors, with versions that call home to the security system, and with versions that corrupt stolen information, in a way that may be not immediately detectable to the attacker. This way, the security system can reduce the yield of the attacker, track his or her illegitimate activities, protect end users, introduce tracking information, and more. The modified malware can be sent to peers. The security system will avoid sending messages to contacts of the criminal that cannot be determined also to be criminals, or will only send benevolent messages used to determine whether the peer indeed is a criminal. The messages sent from the accounts of criminals or from honeypots configured to look like accounts of criminals may be generated or selected from scripts according to an automated algorithm that takes into consideration the messages between the attacker and the peer account. Administrators of the security service may produce scripts based on such contents, where these scripts can be used by automated algorithms that select scripts and make suitable modifications and personalizations. For example, these modifications may be to mimic the greetings used by the attacker and the peer, or to use matching signature files, when honeypot accounts are used. These greetings can be automatically extracted from messages in the accessible mailboxes of the criminals.
In some embodiments, keyboard timings or other usage pattern information is detected from the attacker (e.g., in order to enable the recognition of repeat users of one or more devices, and the distinction of two different users of the same device). For example, using JavaScript on a provided webpage, entered information is detected. It may not matter whether the attacker enters information correctly or not. For example, assume an attacker is located in London, and is requested to enter information about his location as a confirmation to gain access to a file, and say that the attacker enters “Amsterdam.” Assume further that the name of the attacker is John Nielsen, but he enters the name “Patrick Peterson” in a form. The system detects the timings of the keystrokes, both for keys pressed and keys released, and identifies patterns of use. For example, one user may always release the “A” key approximately 10 ms before pressing the “M” key when writing an “A” followed by an “M,” whereas another user may depress the “M” before releasing the “A” when writing the same letter sequence. Yet another user may type some letter combinations very quickly in a phone keyboard, but very slowly on the keyboard of a regular computer. This timing action is commonly a result of the size and dexterity of the hands of the user, and of the user's familiarity with the keyboard in question. It is also a matter of typing style. As a result, from recording a few keystrokes from an unwitting attacker, it is possible to biometrically identify or distinguish this user, given a set of candidate users. This is helpful to determine the number of users associated with a device, and the number of devices associated with a user, which both help identify the size of a criminal group. Moreover, such information can be used in some jurisdictions as evidence in court.
At 230, information obtained during the investigation is reported. For example, the information about the attacker is gathered and automatically reported to enforcement authorities and/or to generate take-down requests.
Vital account information can be extracted with access to the message account of the attacker. A security system can obtain information sent to the honeypot accounts and sent to or from the messaging accounts of criminals who have given access to their accounts to the security service. This approach allows the security system to map out the network of the attacker, obtain email account data, obtain bank account information, obtain other vital information such as names and addresses of mules, and obtain personal information, including names, phone numbers, and addresses of criminals. Such vital information may be automatically reported to law enforcement agency, appropriate financial institutions, email service providers, and other security services, in order to disrupt the activities of the attacker and his or her peers. Vital account information is detected by comparing text in emails to templates. Examples of templates include a series of words that include the word “bank,” followed by a number of the length of a bank account, a routing number, or other bank account identifier such as SWIFT codes. Another example of a template is an apparent email account, the word “password,” “pwd,” or similar, and a string with the format of a potential password, e.g., a combination of letters and digits, of length between 6 and 20 characters. These, of course, are only examples of templates, and a person skilled in the art will understand that there are multiple useful templates for each type of data. Once a match is made with a template, the associated data can be automatically tested, as in the case of an email account, or forwarded to a human operator that will review the material before it is being used for take-down. Take-down may involve filing a complaint to the appropriate authority, performing a DDoS attack, or attempting to take over the account, as in the case of email accounts. As an email account is taken over, its contents are parsed and potential peer accounts identified. The account that is taken over may then be used as a honeypot account, and vital account information scanned for. In one embodiment, traditional Data Leak Prevention (DLP) techniques and tools are used to identify vital account information.
In some embodiments, the generation and reporting of take-down requests is at least in part automated. In one embodiment, the system outputs lists of vital account information, along with its associated context, for an administrator to classify, verify, and forward to the appropriate authorities. In another embodiment, the system provides notifications to admins, with information relating to vital account information that has already been classified by the system, and with associated context either contained in the notification, or with hyperlinks or other record indicators associated with records containing the context. One classification may simply be the type of vital account information, e.g., email accounts or bank accounts. Another classification may be the assessed urgency to take down the account, which may be assessed based on indications of whether the account belongs to a large criminal operation or not, and whether there are lots of potential victims associated with the vital account information or not. This helps prioritize take-down efforts. Yet another classification may be an indication of the assessed jurisdiction associated with the vital account information, e.g., whether the criminal is in the US, the UK, Nigeria, or China. A further classification is the nature of the account, e.g., whether it is assessed to be a mule account, an account used by the criminal, an account used to coordinate several criminals, etc. Based on the information, including the classifications, the administrator may determine how to best process the information. In another embodiment, rules are set up for what admin to notify, based on the classifications. For example, a bank account belonging to a Dutch bank may cause the selection of three administrators, one associated with the Bank, one associated with the Dutch law enforcement, and one associated with a general admin associated with the operation of the security system. This may be supported with contextual information such as email messages or parts of email messages.
The system may automatically redact portions that are not needed for the recipient of the notification, or replace with a general description such as “A residential address in Denmark,” or “A phone number in Ghana,” or “A bank account with a Hong Kong bank.” The same attack may also result in messages sent to email service providers, DNS hosts, etc. There, the email accounts would be shown, but the email content may be irrelevant, and may be replaced by general descriptions such as “This is a mule account,” or “The recipient of the email is likely to be a victim of a romance scam, and the attacker which is the sender of the email is blackmailing the mule to facilitate a transfer of funds via Western Union.” The system can generate these descriptions from a template of common components. Instead of notifications, it is also possible to provide API access to collaborators, allowing these to review information. This can also be combined with notifications, e.g., “There are three new email accounts to be taken down,” and with redaction based on the roles of different users, and their organizations. This would be managed similar to the personalized redactions for the notifications described above. Further, the system may facilitate the use of common collaborative sharing tools, such as Google Docs, wherein the system has write access to the document, and where some consumers of data have only read access whereas others may also have write access, e.g., to provide feedback such as how many other accounts were registered to the same party. Alternatively, this feedback loop can be created by the recipients of the vital account data sending feedback to the security system, which then uses the feedback to update records and pursue further searches using the data received in the feedback.
In some embodiments, the recipient of the responsive message (e.g., attacker) is notified of the counter-attack on the attacker's resources, and identifies the reason for these counter-attacks to be mounted. At least some of the vital account information that has been collected may be used for communication purposes with the attacker, e.g., phone numbers, email addresses, Facebook account names, skype user names, and postal addresses. Messages can be sent to such accounts (e.g., to discourage future attacks). Messages can also be sent to bank accounts. For example, the security system can send a $1 wire to a bank account, with a message. The message would be part of the payment instructions. The message can also be part of the sender information. The message sent may include a clarification of why the attacker will be penalized, without going into specific details of the technology used to detect their attempt to abuse. For example, the message may be “You attacked ACME Co. Your bank accounts will now be locked down.” or “ACME Corp is protected by Agari. Agari fights back.” In addition, the attacker may be given an opportunity to look up results. For example, the message may contain the text “ACME Corp is protected, as shown at fightback.pro/acmecorp. Do not attack companies enrolled in FightBack™.” Such messages can be sent to one or more of the addresses associated with an attacker. It can be sent from honeypot accounts, it can be sent from accounts associated with the security system, it can be sent from a domain registered to manage notifications, e.g., from “take-down.notification@fightback.pro,” and it can be sent from corrupted accounts of peers. The security service can send messages from accounts that it controls or has gained control to, but can also spoof messages from the accounts of other attackers who have not been compromised, in order to create an appearance that these accounts are controlled by the security service. If these accounts cannot be spoofed due to use of DMARC, then collaboration with the email service providers of the recipients of the notification messages can be used to circumvent DMARC for the delivery of such messages. The notification messages are used to create an association between the attack and the take-down.
FIG. 2C is a flowchart illustrating an embodiment of a process for providing security protection status information. At least a portion of the process of FIG. 2C may be at least in part implemented on analysis server 102 of FIG. 1, gateway 110 of FIG. 1, message server 106 of FIG. 1, and/or any other server.
At 232, a request for security protection status of an entity is received. For example, the request is received via a webpage that provides information on whether a particular entity has subscribed to a security service described in association with the processes of FIGS. 2A and 2B. This allows a potential attacker to verify whether a user is protected by the defensive technology. For example, from a previous attack, the attacker may have been provided a message such as “ACME Corp is protected, as shown at fightback.pro/acmecorp—Do not attack companies enrolled in FightBack™.” When the attacker visits the site fightback.pro/acmecorp, then this site may describe to the attacker that ACME Corp is enrolled in the security service. Some attackers may realize that by modifying the URL, they can verify whether other companies are also protected. For example, the attacker may want to verify whether Company2 is protected by visiting “fightback.pro/company2.” If they are told that Company2 is protected, they are unlikely to want to attack Company2, as this is likely to mean that they would lose additional vital accounts. This feature will serve to encourage legitimate companies to enroll. Enrolling would lower a company's cybersecurity insurance premiums, as they would become less likely to be attacked in the first place, but also less likely to suffer a loss if they are attacked, given that attacks will be detected and deflected.
At 234, security protection status, if any, of the entity is identified. For example, using a database lookup, security services subscribed by the identified entity are identified.
At 236, the identified security protection status is provided. For example, identification of the security protection status is provided via a webpage and/or a message sent to an email or IP address associated with the party performing the request.
At 238, the request is tracked. For example, as the potential attacker visits a site where the request was provided, information relating to the visit, e.g., IP address, user agent, cookies, etc. is collected. A system may attempt to detect repeat visitors, and correlate the identifying information to identifying information associated with attack emails, attack SMSes, etc. (e.g., attack messages also carry identifying information). Some parts of the mail user agent (MUA) are also likely to be reflected in the user agent, for example, such as charsets, operating system versions, etc. There would also be a likely correspondence in IP addresses. This information is added to the profiles of attackers, which are associated with the attacks performed by this attacker. These records may contain collections of user information associated with one or more attacks, permitting the system to build databases over attacker groups. For example, when a party that is matched to an existing group visits “fightback.pro/company2,” then Company2 may receive a notification that somebody was interested in attacking them. A system may maintain statistics over the frequency of lookups for companies, whether protected or not, as a function of time. This permits the system to offer early warnings to organizations, whether protected or not. These early warnings are helpful for security administrators to be aware of.
FIG. 2D is a flowchart illustrating an embodiment of a process for generating and using honey-tokens. At least a portion of the process of FIG. 2D may be at least in part implemented on analysis server 102 of FIG. 1, gateway 110 of FIG. 1, message server 106 of FIG. 1, and/or any other server.
At 242, one or more honey-tokens are generated. For example, honey-tokens are generated based on an entity's public and private information, social network information available online, and based on operation patterns.
The honey-tokens may include generating fake data items in forms of “public honey-token” or “private honey-token.” Examples of such honey-tokens include email addresses, account numbers, project names, news, personal names, etc. These token are used for (I) attracting attackers, (II) tracking attackers, and (III) polluting attacker data. These tokens for attracting scammers can be referred to as “magnets,” tokens for tracking attackers can be referred to as “trackers,” and tokens for pollution can be referred to as “polluters.” Magnets are used to trick the attacker to spawn a new thread of attack based on invalid, but apparently valuable information presented to them. Some magnets are synthetically created, with the sole purpose of attracting attackers, whereas others are legitimate accounts under attack. Trackers are used to create links when attackers use the data they have collected. Polluters help to contaminate the data collected by attackers in order to make it expensive for them to use them.
To be deceptive and used by attackers, the synthetic tokens should be indistinguishable from real names and entities for an outsider. Therefore, they should comply with the format of valid information. This can be achieved either by modification of valid information, or generation of them using a given format. Token generation based on modification can be achieved by replacing some characters, or flipping their orders. As an example, a fake account number can be generated by replacing one of the digits of a real account number. Also, a fake email address can be generated by changing some of the characters of an email address. Generation of honey-tokens based on a given format is another method. For example, an email address can be created based on a given format following the standard of naming of a company, including “[first letter of name][lastname]@[domain name].” As another example, the credit card number also should be generated based on a valid given format.
Both methods of generation of tokens may rely on a dataset of valid entities, including real names of people, email addresses, or phone numbers. These data can be collected based on public data or private data provided by a company that is being protected.
The functionality of magnet honey-tokens may be to attract attackers to target elements of a company based on fake data which is of value and potential interest of attackers. One benefit of these tokens is to burn attacker resources to fake targets distracting them from the valuable ones. Moreover, upon the contact of the attackers with these entities, the system will collect more information about the nature of interests of the attackers and their identity. All the methods mentioned above can be used to track the attackers down and gather more intelligence. The other benefit is to detect new attacks missed by the detection method as described in the first component of this disclosure, since we can be sure that normal users will not interact with the magnets. In other words, similar to magnets that only collect certain materials, these honey-tokens only attract scammers.
The functionality of trackers may be to track the attackers, including tracking interpersonal data exchange between collaborating attackers. This is not always possible using only links or bugs. For example, a trap phone number planted in a document shared with an attacker is a reference point to track the scammer or any of his team members when they call the number. Similarly, a made up staff name that is being mentioned in a document, and has a profile accessible by search engines, is useful to track scammers while they are doing reconnaissance (e.g., using a search engine) and at the time they contact the email address of the made up staff. Another example of tracker honey-tokens is a mail address that enables collecting physical attributes of an attacker, including address and fingerprints. In this case, the attacker is convinced to send a mail or package to a certain address. For example, the attacker might be asked by the system to send a cancelled check as part of a verification process or receive confidential information, such as a copy of W-2 via mail. Tracking includes determining the physical mail delivery address for an attacker, which is part of the vital information of the attacker. Trackers are a valuable asset for linking different campaigns and tracking flow of information collected by attackers within their organization. Moreover, these tokens are beneficial mechanisms of tracking scammers when other mechanisms fail. For example, when attackers block loading images to their computers, the tracking mechanism based on bugs (e.g., small images in the content of email) fails. In comparison, since tracker honey-tokens are actively used by attackers and are generated in a unique manner, they cannot be bypassed by the attackers.
The functionality of polluters may be to contaminate the information collected by attackers. This makes it more expensive for the attackers to distinguish valuable and useless information, which affects their profit margin. For example, if fake credit card information is fed to attackers, then it requires extra work for attackers to check the validity of the credit cards, or have somebody else do it. This also requires extra caution for attackers to avoid activating the trackers when they use an invalid credit card since this also acts as a tracker. Whereas the use of honey-tokens such as fake credit card numbers is known by a person skilled in the art, the use of these in the disclosed system is novel.
Both public and private honey-tokens can be used for the purposes of attracting and tracking. The main difference of these two methods is the way they are deployed and located. In the public honey-token, they are deployed so they become accessible by search engines, spread via the professional social networks, and are injected into the datasets of leaked data. Private honey-tokens are distributed upon initial contact of the attacker and in response to the attacker's requests. For example, a fake account number is introduced as a part of a document shared with an attacker in the process of replying to him. This method considers the mentality of the attackers in locating information useful for them to trick the attacker to use it. For example, an apparently benign sentence such as “for more information, contact email address X,” or “for a copy of data, send an email to address Y” is effective in getting attackers to follow the fake leads. Other variations of the private honey-tokens are those sent to attackers “apparently by mistake.” In this method, the defender sends a collection of supposedly sensitive information to an attacker, and then asks the attacker to delete it. This is done automatically by the system, in response to detecting an attack. The supposedly sensitive information, in addition to the method of delivery, convinces the attacker to use the honey-tokens. The system then tracks the attacker and attempts to infiltrate his network. Another method is to submit fake credentials to login pages where the attacker captures them. These fake credentials can be used to log in to the systems of a target company but only to a sandbox system that tracks the activities of the attackers.
At 244, the one or more honey-tokens are disseminated. For example, the one or more honey-tokens are disseminated publicly or privately, directly to third-party service providers, or embedded in messages it exchanges with an attacker (e.g., in a responsive message). At 246, usages of the honey-tokens are tracked and recorded. At 248, the tracked and recorded information is aggregated. For example, different pieces of identity collected from attackers are aggregated to build profiles of attackers and to provide links between attack campaigns and threat actors.
FIG. 2E is a flowchart illustrating an embodiment of a process for analyzing a received message for security risks. For example, the process of FIG. 2E is utilized to detect lookalike, spoofing, or account take-over risks of a sender of an electronic message and take responsive action to mitigate potential effects of the risk. The process of FIG. 2E may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 2E is performed in 204 of FIG. 2A.
At 252, information about a received message (e.g., message to be delivered to an intended recipient) is received. In some embodiments, the information is received at analysis server 102 of FIG. 1. The information may include information included in or related to the message. For example, the information includes email header information including information related to email accounts (e.g., email address, display name, etc.) of the sender, devices used to compose/send the message (e.g., mail user agent, operating system, device time zone, etc.), networks utilized (e.g., server, IP address, cellular network/carrier, etc.), automation, if any, utilized to send the message (e.g., whether a script/API was utilized to send the message), etc. In some embodiments, the information about the message includes contents of the message (e.g., a copy of the message). Examples of the message include an electronic mail (i.e., email), an instant message, a chat message, and any other forms of electronic messages. The information may be received as a part of a computer security analysis and filtering to identify and neutralize security threats prior to delivering the message and allowing an intended recipient of the message to access the message. In some embodiments, each message received for delivery to its intended recipient associated with the system performing analysis of the message is to be analyzed and information about each of the messages is received for analysis.
At 254, an identity profile associated with a sender of the message is identified and obtained. In some embodiments, the identity profile associated with the sender is identified by identifying an identity profile associated with a sender display name of the message and/or a sender message address (e.g., sender email address) of the message.
The identity profile stores information about a user that can be used to determine a likelihood that a message purportedly sent by or otherwise associated with the user was actually sent by the user. The information stored in the identity profile may include information associated with one of more of the following: observed/trusted message accounts of the user (e.g., email addresses and display names of various email accounts of the user), observed/trusted devices of the user (e.g., mail user agent, operating system, device time zone, etc.), utilized/trusted networks of the user (e.g., servers, IP addresses, cellular networks/carrier, etc.), automation utilized to send messages by the user (e.g., whether a script/API has been utilized to send the message), message contacts of the user, etc. In some embodiments, information of the identity profile may be at least in part obtained from provided information. For example, an employer, an administrator, and/or the user may have provided information that identifies at least a portion of information stored in the identity profile. In some embodiments, information of the identity profile may be at least in part obtained from observed communications of the user. For example, when a message sent by the user or a message received from the user is observed, desired information is extracted from the header of the message and used to build/update and store the identity profile of the user. Whether a specific account, device identifier, networks, etc. are identified as trusted (e.g., not a security risk) in the identity profile may be based on a specification from an administrator and/or the user or past observations of message traffic associated with the user (e.g., threshold number of messages with the associated property detected for the property to be marked trusted). In some embodiments, a security risk associated with each of one or more information entries is determined based on a specification from an administrator and/or the user or past observations of message traffic associated with the user.
In some embodiments, previously received messages from the sender have been profiled by storing information about and/or included in messages in the identity profile of the sender to track historical observations about the sender. For example, in identifying accounts that might have been ATOed, messages sent by the account are to be analyzed based on past observations about typical messages sent by the sender and the degree to which a newly received message from the sender deviates from what has been typically observed about messages sent by the account of the sender. In some embodiments, the historical information about messages by the sender for a particular recipient may be combined with historical information about messages sent by the sender for other recipients to determine a combined message profile/history of the sender for use in assessing security risk of messages by the sender for recipients without an established communication history with the sender. In some embodiments, profiling the message includes profiling, tracking, and/or storing content and/or header information of the message in a data structure that tracks historical information about messages sent by the sender for a particular recipient. In some embodiments, profiling the message includes profiling, tracking, and/or storing content included in the message in the identity profile that tracks historical information about types of content typically included in messages sent by the sender for a particular recipient. For example, the data structure tracks keywords and/or content topic/type included in messages sent by the sender for a particular message recipient and keywords and/or content topic/type detected in the newly received message are used to update this data structure.
In some embodiments, at least a portion of header information of previously received messages has been stored in the identity profile of the sender. In some embodiments, select information included in the header of the message is tracked and associated with the identity profile of the sender. For example, information in the header of the message that identifies one or more of the following is tracked for the sender of the message: a mail user agent, a time zone, IP address, X-headers, supported character sets, and any desired information of interest in the header. One or more different groupings of data in the identity profile for the sender of the message may be updated using the message. For example, certain header information and/or content of messages of the sender may be correlated with each other and associated groups of header entries and/or content entries of messages of the sender are updated when profiling the message. In one example, different groups of data in the identity profile of the sender are categorized based on different devices used by the sender to send messages to a particular recipient.
The table below shows different header information that is collected to build different groupings of data about messages sent using different devices of the sender.
Android | |||||
Feature | iphone | Mac | browser | iPad | phone |
DKIM | yes | yes | no | no | yes |
signature? | |||||
Mime | 1.0 (1.0) | 1.0 (Mac OS | 1.0 | 1.0 (1.0) | 1.0 |
version | X Mail 10.1 \ | ||||
(3251\)) | |||||
Content type | text/plain; | text/plain; | text/html; | text/plain; | text/plain; |
charset=us- | charset=us- | charset=UTF- | charset=us- | charset=UTF- | |
ascii | ascii | 8 | ascii | 8 | |
X-Mailer | iPhone Mail | Apple Mail | N/A | iPad Mail | N/A |
(14B72) | (2.3251) | (14B100) | |||
Message ID | Type 1 | Type 1 | Type 2 (both | Type 1 | Type 2 (both |
formatting and | formatting and | ||||
subdomain) | subdomain) | ||||
Cipher | TLS1_2 | TLS1_2 | N/A | TLS1_2 | TLS1_2 |
This table shows that by recording the header entries historically associated with messages from the same sender, a prediction can be made in terms of whether a newly received message and aspects of the message in combination are consistent with the past observations. Each trusted sender that has sent a message to a specific recipient is associated with a record that describes what different header configurations have been observed for the sender. This can be done both using a time window approach that emphasizes recently observed headers over very old headers, or an approach that takes into account all saved headers. Along with headers or portions of these, the data structure can store counts (e.g., how many times these were observed) and time intervals for the observations. For example, the number of times a particular message feature (e.g., message header item) was observed in received messages from the sender within a recent window of time (e.g., within a threshold time period and/or numerical count of past messages) and timestamps of each associated received message from the sender can be tracked and stored.
In some embodiments, statistics on the commonality of combinations of tracked aspects of messages (e.g., header entry, message body content, etc.) in an identity profile of a sender are determined and updated based on the newly received message. These statistics allow a determination of the likelihood that various aspects of a message would be observed together in the message. This also can be used to determine the likelihood that a new aspect detected in a message from the sender conforms to previously detected changes over time in previous messages from the sender. For example, this information can be used to determine the likelihood that the sender would change from one computing platform to another, the probability that the sender would upgrade their system, and the probability that the sender would use another machine temporarily. Thus message profile data of previously received messages from the sender can be used to determine a Bayesian probability score of a particular message feature being consistent with past observations for a communication between the sender and the recipient, given the context of other aspects of the message and a pattern of previous changes as a function of time.
In some embodiments, the identity profile of a user includes identifying content included in a message signature and updating a data structure that tracks observations about message signatures of messages from the user and associated context in which particular message signatures were utilized. For example, if a message signature that states “Sent from my iPhone” has been tracked and observed in a sufficient number of messages sent by the sender using a mobile phone message client and if a newly received message includes this signature but was sent using a desktop computer message client, this abnormality can be detected based on the historical observations about message signatures of the sender.
In some embodiments, if the identity profile associated with the sender of the message cannot be identified and/or obtained, this process ends and a general security analysis is performed using general factors associated with the sender of the message. For example, the message is analyzed to identify security risks without the benefit of an identity profile. However, generalized past observations about messages from the sender (e.g., generalized based on messages for other recipients from the sender) and/or an organization/domain of the sender may be utilized to analyze a message content keyword, a mail user agent, a time zone, an IP address, an X-header, supported character sets, a message signature, and any other information about the message to determine security risk. In some embodiments, analyzing the message for security risks includes performing a plurality of analyses and determining a risk component score for each of the analyses. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores.
At 256, a security risk assessment of the received message is performed at least in part by comparing the information of the received message with one or more corresponding entries of the identity profile identified for the sender of the received message. For example, identity associated information extracted from the header of the message is compared with the corresponding entries of the obtained identity profile to determine whether the extracted information of the received message conforms with what is known about the sender in the obtained identity profile. Based on how and which extracted information compares/matches with corresponding information in the identity profile, a likelihood that the message was actually authorized by the user of the identity profile is determined.
Performing the security risk assessment may include evaluating/performing one or more security rules and/or determining a risk value associated with the message. Examples of factors assessed during the security risk assessment of the received message include determining whether: the email address of the sender of the received message matches one of known/trusted/secure email addresses specified in the obtained identity profile; the device/software/network used to send the received message matches one of known/trusted/secure devices/software/networks specified in the obtained identity profile; an automation property (e.g., sent using API, script, etc.) of the message matches known/allowed automation properties specified in the obtained identity profile (e.g., if the message was sent via automation, determined whether sender is known to send messages via automation), etc.
By comparing the email account used to send the message with one of the known/trusted/secure email message accounts of the identity profile, a determination can be made that there is a likelihood a recipient may assume that the message came from a known person because the display name matches the known person despite the email address/account of the sender not matching a known email address/account stored in the identity profile for the known person. By comparing the network used to send the message with a known to be trusted network (e.g., access to the network only possible via secure authenticated access) or known to be commonly utilized using a trusted sender's account, a security assessment can be made regarding the message. For example, use of a trusted or known network in combination with other identity profile matching properties of the message can result in a determination that the message is likely an authorized message from a sender. By comparing the properties of a device/software used to send the message with a known to be trusted device/software (e.g., trusted MUA) or known to be commonly utilized according to the identity profile, a security assessment can be made regarding the message. For example, use of a trusted or known device/software in combination with other identity profile matching properties of the message can result in a determination that the message is likely an authorized message from a sender. In some embodiments, the identity profile identifies whether an automation has been or is authorized to be utilized by the user of the identity profile when the sender sends a message. For example, one or more x-header entries identify whether the message was automatically generated. These entries may be identified based on keywords that identify that the message was generated using a script (e.g., generated using an API/PHP mailer/script). By comparing whether the message was sent using automation with whether the identity profile identifies whether an automation has been or is authorized to be utilized by the user of the identity profile, a security assessment can be made regarding the message. For example, the message is identified as suspicious if the message was sent using automation but an identity profile of the sender of the message does not indicate that the sender typically utilizes automation to send messages.
In another example, a security rule and/or risk score assessment factor may be based on how many emails they typically generate per time period; whom these emails are typically sent to; whether emails that are sent are more likely to be responses or not; whether the account owner typically sends a series of very similar messages to different recipients within a short period of time; whether the account owner commonly sends emails with potentially sensitive contents, such as emails referring to wire transfers, account numbers, etc.; and, based on the mail user agents (MUAs) recorded for outgoing messages, what types of devices the account owner typically uses, what servers and IP addresses he or she is associated with, and what service providers, such as wireless service providers are typically used. Similarly, other information associated with the headers, such as the recorded time zone, is observed and recorded; and the security service provider computes estimates of the speed of change of each of these metrics. For example, the security service provider can compute a measurement of the distribution of the frequency of changes between different types of MUAs used by the account holder. Whereas some users will mostly only use one device during one day, some will use several, and many will use different types of devices and service providers (e.g., wireless or cable service) based on the length of the email, the type and size of attachments, and more.
In some embodiments, characterizing information relating to the device identity, very conveniently, can be read out from the “mail user agent” (MUA), which is part of the headers of an email. The MUA identifies the mail reader utilized; its version; the type of character sets the mail reader supports; the name of a carrier; and more. By building a model of the MUAs associated with trusted users, a security control can determine whether a potentially deceptive email has an MUA that matches that of the “corresponding” trusted user or not. If the potentially deceptive email was sent by an attacker, the MUA most likely will not match; but if it was sent from a personal account of the trusted user, then it almost certainly will. The MUA extracted from the message can be compared with stored MUAs associated with the sender in the identity profile of the sender, and a security rule is triggered and/or a risk score assessment is performed based on the result.
However, it is not desirable for attackers to infer the expected MUAs of the users they wish to impersonate—and then masterfully mimic these users by setting the MUA that the security control expects. In some embodiments, when the received message is flagged as potentially deceptive, but is found to have the “right” MUA, then the security system can perform additional verifications. One example is by sending an automated response to the sending account, asking the user to respond to the email—from the “right” account. If the sender was benevolent, the security system will get a response—which will allow it to associate the personal account with the trusted user. But the attacker will not be able to respond from the trusted account.
The comparison of an identified profile stored MUA and an observed MUA does not have to be identical to be considered a match. For example, a user may have upgraded from one version of a software package to another, resulting in another MUA; similarly, a user may switch from one wireless service provider to another. There are many other examples of common and reasonable changes. Some changes, however, are very uncommon. For example, downgrading to a previous version of a software package is uncommon; also, the change from one type of operating system (such as iOS) to another (such as Android) at the same time as a dramatic change in IP address or locality is another uncommon change. The security system may store one or more sets of MUA for each observed account, where any account sending email to a protected organization would potentially be observed. However, in some contexts, only frequent senders are observed, or only senders that satisfy some criteria, such as belonging to a law firm, vendor, financial institution, or the protected organization itself are observed. Alternatively, any party that satisfies a closeness criteria is observed, where this can be the transmission (to or from) of a minimum number of messages, being in the address book of a protected recipient, and more.
The reason multiple MUA sets can be stored for each observed message account is that most users have multiple devices. A user that just started to be observed may not yet have a profile of MUAs associated with it, or the stored collection has not yet stabilized. During such a period, the system may not take any action on emails that are received, unless they are considered potentially deceptive. That means that a user that is not considered deceptive—e.g., its display name does not match any trusted sender of the recipient—but which does not have any MUAs recorded would not be considered a threat. The system may simply record the MUAs as they are observed. MUAs observed coming from confirmed secure identities, such as accounts of controlled parties who use DMARC with p=reject, can be immediately added to the list of MUAs of the associated sender account. In this example, a party is considered controlled if it has strict controls relating to how accounts are generated. For example, a typical enterprise would have strict controls over account creation, and only employees are able to get accounts with them; on the other hand, webmail providers such as Google Gmail do not have strict controls, and allow mostly anybody to get email accounts with them.
In some embodiments, there exists a plurality of aspects of the message to be analyzed using the obtained identity profile, and each aspect is analyzed to determine a risk component score associated with each component. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores. For example, there exists ten risk component scores and five of the component scores are only associated with a malware risk type, four of the component scores are only associated with a phishing risk type, and one of the component scores is associated with both the malware risk type and the phishing risk type. In this example, a total malware risk type score is calculated using the six of the ten risk component scores that are associated with the malware risk type while the total phishing risk type score is calculated using the five of the ten risk component scores that are associated with the phishing risk type.
In some embodiments, using past observation data (e.g., in the identity profile) obtained by profiling past messages from the sender to the specific recipient of the message, various data and statistics as well as clusters of metadata/configurations/content of messages that are likely to be observed together in combination in a message from the sender can be determined. For example, using past observation data generated by profiling past messages from the sender, statistics on the commonality of various combinations of metadata/configurations/content of messages have been determined and stored in a data structure. Using this information in combination with identified information in the contents and/or header of the message, a likelihood the received message conforms to a typical message from the sender for the intended recipient is determined. This likelihood takes into account statistics of likely changes over time. For example, the determined risk reflects the likelihood that the sender would change from one platform to another, the probability that the sender would upgrade their computer system, and the probability that the sender would use a new machine temporarily. Thus, a component risk score value for an aspect of the message may be computed using a Bayesian probability score of the particular observation/feature/content/metadata being consistent with past observations of communications between the sender and the recipient, given the context of other aspects of the message and a pattern of previous changes as a function of time. In some embodiments, past observation data about messages from the sender is analyzed to determine a probability that a combination of features/contents/metadata of the message being analyzed is likely to be exhibited together and this probability is utilized to determine a risk component score.
Therefore, in some embodiments, a risk is identified by determining the conditional probability of a set of message aspects, given the past observations relating to the sender, the sender's organization, and of users in general. It may also take into consideration the meaning of mismatches, e.g., upgrades and potential changes from one phone to another. IP addresses and associated IP traces may also be taken into consideration, along with data about the common case for the considered user. Any aberration is identified, and a risk score is computed from the conditional probability of the observations. This may be done by comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches. The risk score is also affected by the exposure of the recipient to attacks, message content, and other risk identifiers.
In an illustrative example, Alice and Bob regularly communicate with each other using email. For roughly 75% of the messages Alice sends to Bob, the message emanates from a mail client with mime version “1.0 (Mac OS X Mail 10.1 \(3251\))” and with additional characteristics such as those shown in the “Mac” column of the table above. For roughly 25% of the messages Alice sends to Bob, the message emanates from a mail client with mime version “1.0” and with additional characteristics such as those shown in the “Android ph” column of the table above. Bob's system receives an email E1 from Alice that is sent from a mail client with characteristics such as those shown in the “Mac” column of the table above. This is considered consistent with Alice's past sending behavior, and E1 is delivered. Bob's system receives an email E2 from Alice, that is sent from a mail client with characteristics such as those shown in the “Mac” column of the table above, except that the message is associated with mime version “1.0 (Mac OS X Mail 9.1 \(3121\)).” This would correspond to a downgrade of Alice's system, as opposed to an upgrade. This is considered unusual, and a security action is initiated. The contents of E2 is scrutinized, both using an automated tool and using a manual audit by an admin, after which it is concluded that the message is safe, and is delivered. The new mail client characteristic is entered in a record associated with Alice, along with details relating to the message and its treatment. Bob's system receives an email E3 from Alice that is sent from a mail client with characteristics such as those shown in the “iphone” column of the table above. This is not an entry that is associated with Alice's past observations. In addition, it is known that Alice has an Android phone. This causes an escalation of the message scrutiny. The message is found to have content matching a content risk filter. The determination is that E3 is at high risk of being a message that comes from an ATOed system. An SMS verification message is sent to Alice's previously recorded phone number, and Alice's record is marked as being at high risk of being corrupted. E3 is not delivered, but Bob receives a message saying that a suspect message has been blocked by the system, and that the message came from Alice's account. Cindy also knows Alice, and Cindy receives an email E4 from Alice. The system looks up Alice's record and determines that her account is considered at high risk of being corrupted. The message E4 is automatically scrutinized, but does not match any rule associated with a high risk. Therefore, E4 is marked up with a warning “This message comes from an account that is temporarily associated with risk. Please proceed with caution. Before performing any sensitive action, please verify with the owner of the account.” However, it turns out that Alice really did send E3, from her new phone. Accordingly, she confirms that E3 was sent by her. The security system delivers E3 to Bob, and replaces the marked-up version of E4 in Cindy's inbox with the “clean” version of E4. The system also removes the “corrupted” flag in the record associated with Alice, and records the header configuration associated with E3 in the record. The system does not know whether Alice will still use her Android phone. However, it knows from the response to the verification challenge—which was sent from an iPhone—that the phone number on record for Alice is likely to be associated with an iPhone, but that the phone associated with the “Android ph” device may also be used. Later on, Bob's system receives an email E5 from Alice, not matching any of the previously recorded headers, but instead matching a header configuration commonly used by previously observed scammers. The message scrutiny is escalated, and automated scrutiny indicates that E5 contains a zip file that, when decompressed in a sandbox, contains a malicious file. The system concludes that Alice's device has been corrupted, and adds information about this in the record associated with Alice. A notification message is sent to Alice using SMS. However, Alice does not respond to it. The security system initiates a notification to Alice's mail service provider, indicating that it is likely that Alice's system has been corrupted. Alice's mail service provider reviews the activity associated with Alice's account, and concludes that it is likely that Alice's account has been taken over. They automatically block access to the account and initiate an effort to allow Alice to regain access to her account. Several days later, this completes. Dave has not interacted with Alice in the past, but receives an email E6 from Alice. The system looks up Alice's record and determines that her account is considered at high risk of being corrupted. The message E6 is automatically scrutinized. It is found that it is identical to a message sent in the past from corrupted accounts. Therefore, E6 is not delivered. Alice's account sends another email E7 to Bob, which is trapped by the security system. It does not have content found to be dangerous, and so, is delivered along with a warning “This email was sent from a sender that may be hacked. Please proceed with caution.” The system generates an inquiry to Alice's mail service provider whether the recovery has completed; when the mail service provider responds that Alice's system has been recovered, the flag associated with corruption in Alice's record is set to “none,” and the modified message is searched for. However, the security system cannot find it, and so, does not replace it with its clean version E7.
In some embodiments, performing the security risk assessment includes determining whether the message was received from a sender that has an established relationship with an intended recipient of the message, and if it is determined that the message was received from the sender that has an established relationship contact with the intended recipient of the message, the message is analyzed for security risks using historical observations associated with the sender of the message with respect to the intended recipient of the message. In some embodiments, the sender of the message has an established relationship with the intended recipient of the message if the sender (e.g., from the email address of the sender) has sent a message to the intended recipient of the message (e.g., recipient email address of the message) a threshold number of times, if the intended recipient has previously sent a message to the sender a threshold number of times, and/or if the sender has been sending messages to the intended recipient of the message for a threshold length of time. For example, the sender of the message is the established relationship contact of the intended recipient of the message if a threshold number of messages has been exchanged between the sender and the recipient. The identity profile of the sender of the message can be utilized to determine whether the sender is an established relationship contact of an intended recipient of the message.
In various embodiments, in addition to using the identity profile associated with the sender of the message to analyze the security risk of the message, other types of security risk analysis are performed in determining a total risk score associated with the message. For example, in addition to one or more risk component scores for risk factors determined using past observations, one or more other risk component scores are determined for other types of security risk analysis. The various different types of risk component scores are combined to determine a total risk score. Examples of the other types of security risk analyses include a virus threat detection, a malware threat detection, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information, content that requests OAuth authentication, etc.) included in the message, analysis of a number and type of recipients of the same message, and determining whether the sender from a domain with a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy passes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validations.
FIG. 3 is a flowchart illustrating an embodiment of a process for analyzing a received message for security risks. For example, the process of FIG. 3 is utilized to detect account take-over risk of a sender of an electronic message and take responsive action to mitigate potential effects of the risk. The process of FIG. 3 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 3 is performed in 204 of FIG. 2A.
In some embodiments, a received electronic message is analyzed to identify signs indicative of a message coming from an ATOed message account. If the message is identified as being of a sufficient high risk of coming from an account that has been potentially ATOed, a security action is performed in an attempt to minimize a security risk associated with the message. It is desirable to reduce the false positives and false negatives such ATOed account detection.
In some embodiments, it is determined whether a sender of an electronic message has an established relationship with an intended recipient of the electronic message. For example, if the sender of the message has previously communicated with the intended recipient a sufficient number of times for at least a threshold length of time, the sender of the electronic message is determined to have an established relationship with the intended recipient. In response to a determination that the sender of the electronic message has an established relationship with the intended recipient, the electronic message is analyzed based at least in part on previously observed communication between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient. For example, given what is already known about the sender of the message based on a classification and analysis of previous communications between the sender and the intended recipient, it can be determined whether the newly received message conforms to a pattern detected in the previous communications. Based on the result of the analysis of the electronic message, a security action is performed, if applicable. For example, the electronic message may be blocked if a sufficiently high level of risk is detected and/or the message may be modified to include a warning about the ATOed account risk if a sufficient medium level of risk is detected based on the analysis. If no or a low level of risk is detected, the message may be allowed to be accessed by the intended recipient by delivering the message to a message inbox of the recipient.
In some embodiments, in response to a determination that the sender of the electronic message does not have an established relationship with the intended recipient, it is determined whether an electronic message account of the sender of the electronic message is likely an independently controlled account. For example, a message that was sent from an account that belongs to a large organization that closely controls who can send a message via its domain is not an independently controlled account whereas a personal email message account is an independently controlled account. In response to a determination that the electronic message account of the sender of the electronic message is likely an independently controlled account, the message is analyzed to determine whether the message is an automatically generated message. For example, a header of the message is analyzed to determine whether the message was automatically generated using a script or a program. In response to a determination that the message is an automatically generated message, a security action is performed. For example, the electronic message may be blocked if a sufficiently high level of risk is detected and/or the message may be modified to include a warning about a security risk if a sufficiently medium level of risk is detected based on the analysis. If no or a low level of risk is detected, the message may be allowed to be accessed by the intended recipient by delivering the message to a message inbox of the recipient.
At 302, information about a received message (e.g., message to be delivered to an intended recipient) is received. In some embodiments, the information is received at analysis server 102 of FIG. 1. The information may include information included in or related to the message. For example, the information includes email address header information including an email address and a display name of the sender of the message. In some embodiments, the information about the message includes contents of the message (e.g., a copy of the message). Examples of the message include an electronic mail (i.e., email), an instant message, a chat message, and any other forms of electronic messages. The information may be received as a part of a computer security analysis and filtering to identify and neutralize security threats prior to delivering the message and allowing an intended recipient of the message to access the message. In some embodiments, each message received for delivery to its intended recipient associated with the system performing analysis of the message is to be analyzed and information about each of the messages is received for analysis. In some embodiments, the received information is the information received in 202 of FIG. 2A.
At 304, the message is profiled. In some embodiments, step 304 is only performed if it is determined that a security risk associated with the message is below a threshold (e.g., risk score determined in 308 and/or 310 is below a threshold). Profiling the message includes storing information about and/or included in the message in a database to track historical observations about the sender of the message. For example, in identifying accounts that might have been ATOed, messages sent by the account are to be analyzed based on past observations about typical messages sent by the sender and the degree to which a newly received message from the sender deviates from what has been typically observed about messages sent by the account of the sender. In some embodiments, the historical information about messages by the sender for a particular recipient may be combined with historical information about messages sent by the sender for other recipients to determine a combined message profile/history of the sender for use in assessing security risk of messages by the sender for recipient without an established communication history with the sender. In some embodiments, profiling the message includes profiling, tracking and/or storing content and/or header information of the message in a data structure that tracks historical information about messages sent by the sender for a particular recipient. In some embodiments, profiling the message includes profiling, tracking and/or storing content included in the message in a data structure that tracks historical information about types of content typically included in messages sent by the sender for a particular recipient. For example, the data structure tracks keywords and/or content topic/type included in messages sent by the sender for a particular message recipient and keywords and/or content topic/type detected in the newly received message are used to update this data structure.
In some embodiments, at least a portion of header information of the message is stored in profiling the message. In some embodiments, select information included in the header of the message is tracked and associated with a history message profile of the sender. For example, information in the header of the message that identifies one or more of the following is tracked for the sender of the message: a mail user agent, a time zone, IP address, X-headers, supported character sets, and any desired information of interest in the header. One or more different profiles for the sender of the message may be updated using the message. For example, certain header information and/or content of messages of the sender may be correlated with each other and associated groups of header entries and/or content entries of messages of the sender are updated when profiling the message. In one example, different profiles of the sender are categorized based on different devices used by the sender to send messages to a particular recipient.
The table below shows different header information that is collected to build different profiles about messages sent using different devices of the sender.
Android | |||||
Feature | iphone | Mac | browser | iPad | phone |
DKIM | yes | yes | no | no | yes |
signature? | |||||
Mime | 1.0 (1.0) | 1.0 (Mac OS | 1.0 | 1.0 (1.0) | 1.0 |
version | X Mail 10.1 \ | ||||
(3251\)) | |||||
Content type | text/plain; | text/plain; | text/html; | text/plain; | text/plain; |
charset=us- | charset=us- | charset=UTF- | charset=us- | charset=UTF- | |
ascii | ascii | 8 | ascii | 8 | |
X-Mailer | iPhone Mail | Apple Mail | N/A | iPad Mail | N/A |
(14B72) | (2.3251) | (14B100) | |||
Message ID | Type 1 | Type 1 | Type 2 (both | Type 1 | Type 2 (both |
formatting and | formatting and | ||||
subdomain) | subdomain) | ||||
Cipher | TLS1_2 | TLS1_2 | N/A | TLS1_2 | TLS1_2 |
This table shows that by recording the header entries historically associated with messages from the same sender, a prediction can be made in terms of whether a newly received message and aspects of the message in combination are consistent with the past observations. Each trusted sender that has sent a message to a specific recipient is associated with a record that describes what different header configurations have been observed for the sender. This can be done both using a time window approach that emphasizes recently observed headers over very old headers, or an approach that takes into account all saved headers. Along with headers or portions of these, the data structure can store counts (e.g., how many times these were observed) and time intervals for the observations. For example, the number of times a particular message feature (e.g., message header item) was observed in received messages from the sender within a recent window of time (e.g., within a threshold time period and/or numerical count of past messages) and timestamps of each associated received message from the sender can be tracked and stored.
In some embodiments, statistics on the commonality of combinations of tracked aspects of messages (e.g., header entry, message body content, etc.) of a sender are determined and updated based on the newly received message. These statistics allow a determination of the likelihood that various aspects of a message would be observed together in the message. This also can be used to determine the likelihood of a new aspect detect in a message from the sender conforms to previously detected changes over time in previous messages from the sender. For example, this information can be used to determine the likelihood that the sender would change from one computing platform to another, the probability that the sender would upgrade their system, and the probability that the sender would use another machine temporarily. Thus message profile data of previously received messages from the sender can be used to determine a Bayesian probability score of a particular message feature being consistent with past observations for a communication between the sender and the recipient, given the context of other aspects of the message and a pattern of previous changes as a function of time.
In some embodiments, profiling the message includes identifying content included in a message signature and updating a data structure that tracks observations about message signatures of messages from the sender and associated context in which particular message signatures were utilized. For example, if a message signature that states “Sent from my iPhone” has been tracked and observed in a sufficient number of messages sent by the sender using a mobile phone message client and if a newly received message includes this signature but was sent using a desktop computer message client, this abnormality can be detected based on the historical observations about message signatures of the sender.
At 306, it is determined whether the message was received from a sender that has an established relationship with an intended recipient of the message. In some embodiments, the sender of the message has an established relationship with the intended recipient of the message if the sender (e.g., from email address of the sender) has sent a message to the intended recipient of the message (e.g., recipient email address of the message) a threshold number of times, if the intended recipient has previously sent a message to the sender a threshold number of times and/or if the sender has been sending messages to the intended recipient of the message for a threshold length of time. For example, the sender of the message is the established relationship contact of the intended recipient of the message if a threshold number of messages have been exchanged between the sender and the recipient. In some embodiments, a sender model developed for the sender of the message is utilized to determine whether the sender is an established relationship contact of an intended recipient of the message.
In some embodiments, determining whether the message was received from an established relationship contact of an intended recipient of the message includes determining a trust score associated with the sender of the message for the intended recipient of the message. If the trust score is above a threshold, the sender is identified as having an established relationship with the recipient and otherwise, the sender is identified as not having an established relationship with the recipient. The trust score indicates the closeness of the relationship between the sender and the intended recipient. This can either be a binary predicate or a real number. In a simplified example, the trust score can be set to 1 (e.g., indicating established relationship) if each of the two parties has sent the other at least three messages over a course of no shorter than one month, and otherwise to 0 (e.g., indicating not an established relationship). In another example, the trust score can be a function of the number of messages received by the recipient organization sent by the sender's organization and the number of messages that have been identified as undesirable, whether by the classifier or by a recipient.
In some embodiments, the trust score of the message identifies the extent to which the system recognizes the sender based on its historical message traffic; as such, it may not be limited to the history of the recipient or her organization. For example, a message from a sender with a very brief history would receive a low trust score, especially if the communication pattern is similar to that of previously identified malicious senders. A sender with a longer history and low traffic volume (but very few or no complaints of past abuse) would have a higher trust score, and a sender with a long history, high volume, and few or no complaints would correspond to an even higher trust score.
In some embodiments, determining whether the sender of the message has an established relationship with the intended recipient includes determining whether the sender of the message is included in a contact list (e.g., address) of the intended recipient. For example, if the sender of message is included in the contact list of the intended recipient and a sufficient number of the message was previously exchanged between the sender and the recipient, it is determined that the sender has an established relationship with the recipient.
In some embodiments, determining whether the sender of the message has an established relationship with the intended recipient includes obtaining a social, organizational, communication, collaboration, business and/or other relationship information of the sender and/or the intended recipient. Information about the sender and/or other users connected/related to the intended recipient may be obtained by requesting the desired information from a service (e.g., an external third-party service accessed via an Application Programming Interface such as Microsoft Graph API). For example, an identifier of the intended recipient of the message is provided to the service, and the service provides a list of other users connected to the intended recipient (e.g., connected via a social network, organizational relationship, business contact, etc.) that is ordered by the various other user's relevance to the intended recipient (e.g., order based on previous communication, collaboration, business relationships, etc.). It is determined that the sender of the message has an established relationship with the intended recipient if the sender is included in this list as having a sufficient relationship with the intended recipient (e.g., included in the list). Otherwise it is determined that the sender of the message does not have an established relationship with the intended recipient. In another example, an identifier (e.g., email address) of the sender of the message is provided to the service and the service provides information about the sender (e.g., information about the sender gathered across various different message repositories, contact lists and social networks). This information about the sender is used to assess a strength of a relationship between the sender and the intended recipient of the message (e.g., along with message history between them), and if the strength value of the relationship is greater than a threshold value, it is determined that the sender of the message has an established relationship with the intended recipient. Otherwise it is determined that the sender of the message does not have an established relationship with the intended recipient.
If at 306, it is determined that the message was received from the sender that has an established relationship contact with the intended recipient of the message, at 308 the message is analyzed for security risks using historical observations associated with the sender of the message with respect to the intended recipient of the message.
An example of the historical observations is the historical observations updated in 304. The historical observations include information about messages from/to the sender of the message to/from the recipient of the received message. In some embodiments, there exists a plurality of aspects of the message to be analyzed using the historical observations, and each aspect is analyzed to determine a risk component score associated with each component. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores. For example, there exists ten risk component scores and five of the component scores are only associated with a malware risk type, four of the component scores are only associated with a phishing risk type, and one of the component scores is associated with both the malware risk type and the phishing risk type. In this example, a total malware risk type score is calculated using the six of the ten risk component scores that are associated with the malware risk type while the total phishing risk type score is calculated using the five of the ten risk component scores that are associated with the phishing risk type. Examples of the aspects of the message analyzed using historical observations include message content keyword, a mail user agent, a time zone, an IP address, an X-header, supported character sets, a message signature, and any information about the message.
In some embodiments, using past observation data generated by profiling past messages from the sender to the specific recipient of the message, various data and statistics as well as clusters of metadata/configurations/content of messages that are likely to be observed together in combination in a message from the sender can be determined. For example, using past observation data generated by profiling past messages from the sender, statistics on the commonality of various combinations of metadata/configurations/content of messages have been determined and stored in a data structure. Using this information in combination with identified information in the contents and/or header of the message, a likelihood the received message conforms to a typical message from the sender for the intended recipient is determined. This likelihood takes into account statistics of likely changes over time. For example, the determined risk reflects the likelihood that the sender would change from one platform to another, the probability that the sender would upgrade their computer system, and the probability that the sender would use a new machine temporarily. Thus, a component risk score value for an aspect of the message may be computed using a Bayesian probability score of the particular observation/feature/content/metadata being consistent with past observations of communications between the sender and the recipient, given the context of other aspects of the message and a pattern of previous changes as a function of time. In some embodiments, past observation data about messages from the sender is analyzed to determine a probability that a combination of features/contents/metadata of the message being analyzed is likely to be exhibited together and this probability is utilized to determine a risk component score.
Therefore, in some embodiments, a risk is identified by determining the conditional probability of a set of message aspects, given the past observations relating to the sender, the sender's organization, and of users in general. It may also take into consideration the meaning of mismatches, e.g., upgrades and potential changes from one phone to another. IP addresses and associated IP traces may also be taken into consideration, along with data about the common case for the considered user. Any aberration is identified, and a risk score is computed from the conditional probability of the observations. This may be done by comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches. The risk score is also affected by the exposure of the recipient to attacks, message content, and other risk identifiers.
In an illustrative example, Alice and Bob regularly communicate with each other using email. For roughly 75% of the messages Alice sends to Bob, the message emanates from a mail client with mime version “1.0 (Mac OS X Mail 10.1 \(3251\))” and with additional characteristics such as those shown in the “Mac” column of the table above. For roughly 25% of the messages Alice sends to Bob, the message emanates from a mail client with mime version “1.0” and with additional characteristics such as those shown in the “Android ph” column of the table above. Bob's system receives an email E1 from Alice that is sent from a mail client with characteristics such as those shown in the “Mac” column of the table above. This is considered consistent with Alice's past sending behavior, and E1 is delivered. Bob's system receives an email E2 from Alice, that is sent from a mail client with characteristics such as those shown in the “Mac” column of the table above, except that the message is associated with mime version “1.0 (Mac OS X Mail 9.1 \(3121\)).” This would correspond to a downgrade of Alice's system, as opposed to an upgrade. This is considered unusual, and a security action is initiated. The contents of E2 is scrutinized, both using an automated tool and using a manual audit by an admin, after which it is concluded that the message is safe, and is delivered. The new mail client characteristic is entered in a record associated with Alice, along with details relating to the message and its treatment. Bob's system receives an email E3 from Alice that is sent from a mail client with characteristics such as those shown in the “iphone” column of the table above. This is not an entry that is associated with Alice's past observations. In addition, it is known that Alice has an Android phone. This causes an escalation of the message scrutiny. The message is found to have content matching a content risk filter. The determination is that E3 is at high risk of being a message that comes from an ATOed system. An SMS verification message is sent to Alice's previously recorded phone number, and Alice's record is marked as being at high risk of being corrupted. E3 is not delivered, but Bob receives a message saying that a suspect message has been blocked by the system, and that the message came from Alice's account. Cindy also knows Alice, and Cindy receives an email E4 from Alice. The system looks up Alice's record and determines that her account is considered at high risk of being corrupted. The message E4 is automatically scrutinized, but does not match any rule associated with a high risk. Therefore, E4 is marked up with a warning “This message comes from an account that is temporarily associated with risk. Please proceed with caution. Before performing any sensitive action, please verify with the owner of the account.” However, it turns out that Alice really did send E3, from her new phone. Accordingly, she confirms that E3 was sent by her. The security system delivers E3 to Bob, and replaces the marked-up version of E4 in Cindy's inbox with the “clean” version of E4. The system also removes the “corrupted” flag in the record associated with Alice, and records the header configuration associated with E3 in the record. The system does not know whether Alice will still use her Android phone. However, it knows from the response to the verification challenge—which was sent from an iPhone—that the phone number on record for Alice is likely to be associated with an iPhone, but that the phone associated with the “Android ph” device may also be used. Later on, Bob's system receives an email E5 from Alice, not matching any of the previously recorded headers, but instead matching a header configuration commonly used by previously observed scammers. The message scrutiny is escalated, and automated scrutiny indicates that E5 contains a zip file that, when decompressed in a sandbox, contains a malicious file. The system concludes that Alice's device has been corrupted, and adds information about this in the record associated with Alice. A notification message is sent to Alice using SMS. However, Alice does not respond to it. The security system initiates a notification to Alice's mail service provider, indicating that it is likely that Alice's system has been corrupted. Alice's mail service provider reviews the activity associated with Alice's account, and concludes that it is likely that Alice's account has been taken over. They automatically block access to the account and initiate an effort to allow Alice to regain access to her account. Several days later, this completes. Dave has not interacted with Alice in the past, but receives an email E6 from Alice. The system looks up Alice's record and determines that her account is considered at high risk of being corrupted. The message E6 is automatically scrutinized. It is found that it is identical to a message sent in the past from corrupted accounts. Therefore, E6 is not delivered. Alice's account sends another email E7 to Bob, which is trapped by the security system. It does not have content found to be dangerous, and so, is delivered along with a warning “This email was sent from a sender that may be hacked. Please proceed with caution.” The system generates an inquiry to Alice's mail service provider whether the recovery has completed; when the mail service provider responds that Alice's system has been recovered, the flag associated with corruption in Alice's record is set to “none,” and the modified message is searched for. However, the security system cannot find it, and so, does not replace it with its clean version E7.
In various embodiments, in addition to using historical observations associated with the sender of the message to analyze the security risk of the message, other types of security risk analysis are performed in determining a total risk score associated with the message. For example, in addition to one or more risk component scores for risk factors determined using past observations, one or more other risk component scores are determined for other types of security risk analysis. The various different types of risk component scores are combined to determine a total risk score. Examples of the other types of security risk analysis include a virus threat detection, a malware threat detection, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information, content that requests OAuth authentication, etc.) included in the message, analysis of a number and type of recipients of the same message, and determining whether the sender from a domain with a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy passes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validations.
If at 306 it is determined that the message was received from a sender that does not have an established relationship with the intended recipient of the message, at 310, the message is analyzed for security risks using general factors associated with the sender of the message. For example, the message is analyzed to identify security risks without the benefit of observations of previous communication history between the sender of the message and the intended recipient of the message. However, generalized past observations about messages from the sender (e.g., generalized based on messages for other recipients from the sender) and/or an organization/domain of the sender is utilized to analyze a message content keyword, a mail user agent, a time zone, an IP address, an X-header, supported character sets, a message signature, and any other information about the message to determine whether the message is sufficiently different from the generalized past observations to indicate a security risk. In some embodiments, analyzing the message for security risks includes performing a plurality of analyses and determining a risk component score for each of the analyses. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores.
In some embodiments, in 310, it is determined whether the electronic message account of the sender of the message is likely an independently controlled account. For example, an account that belongs to a large organization that closely controls who can send a message via its domain is not an independently controlled account whereas a personal email message account is an independently controlled account. In response to a determination that the electronic message account of the sender of the electronic message is likely an independently controlled account, the message is analyzed to determine whether the message is an automatically generated message. For example, a header of the message is analyzed to determine whether the message was automatically generated using a script or a program. In response to a determination that the message is an automatically generated message, a risk component score of the message is set to be high enough to warrant performing a security action.
In various embodiments, examples of other types of analyses performed in 310 include one or more of the following: a virus threat detection, a malware threat detection, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information, content that requests OAuth authentication, etc.) included in the message, analysis of a number and type of recipients of the same message (e.g., attacker may prefer targeting people one by one, to avoid detection), and determining whether the sender from a domain with a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy passes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validations.
FIG. 4 is a flowchart illustrating an embodiment of a process for analyzing individual aspects of a message for security threats. The process of FIG. 4 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 4 is performed in 204 of the process of FIG. 2A and/or 308 and/or 310 of the process of FIG. 3.
At 402, content included in a message is analyzed to determine one or more content risk component scores of the message. For example a message body of the message is analyzed to identify whether it includes one or more text/keywords from a list of keywords associated with a security risk. A keyword may be included in the list because the keyword identifies conversations about sensitive content that could cause harm to the recipient if the recipient replies or takes action related to the keyword. For example, keywords “social security number,” “password,” “login,” “wire instructions,” “confidential,” “payment,” “ID,” obfuscated text, etc. may be included in the list of keywords associated with a security risk. A content risk component score is determined based on whether the message includes a text/keywords from the list of keywords (or associated synonyms or related words) associated with a security risk. For example, an increase in the number (e.g., of different types) and degree of risk of security risk keywords included in the message increases the associated content risk component score.
If the sender of the message has been determined to have an established relationship with the recipient of the message, past observations about messages sent by the sender are utilized in determining the content risk component score based on whether the message includes a text/keywords from the list of keywords (or associated synonyms or related words) associated with a security risk. For example, if it is common for a sender to communicate with the recipient about invoices and payment, an inclusion of a keyword related to invoices and payment would not cause the content risk component score to go up as much as compared to a situation in which it is not common for sender to communicate with the recipient about invoices and payment. Thus a contribution of a security risk keyword included in the message to the content risk component score is reduced if the same or similar keyword in scope and topic (e.g., keyword that is a synonym or topically related word) has been previously observed in previous messages from/to the sender to/from the recipient. The magnitude of this reduction may depend on the number and length of time the same or similar keyword in scope and topic has been previously observed in previous messages from/to the sender to/from the recipient.
In some embodiments, analyzing content included in the message to determine one or more content risk component scores of the message includes determining a content risk component score based on a message signature included in the message. For example based on past observations about types of email signatures typically included in email messages from the sender of the message, the associated content risk component score is increased if an expected signature is not included in the message (e.g., given other detected attributes of the message and the expected signature for the given other detected attributes) or if an unexpected signature is detected (e.g., never observed signature or included signature is an out of context signature that does not match an expected signature for the given detected attributes of the message).
At 404, entries included in a header of the message is analyzed to determine one or more header entry risk component scores of the message. Examples of the entries included in the analyzed header include one of more of the following: a mail user agent (i.e., MUA) identification, time zone identification, IP address, X-header, supported foreign language character sets of the sender, identification of automation or script that generated the message, or any other data included in the header (e.g., email header) of the message. For each header entry to be analyzed, a header entry risk component score is calculated based on a risk factor associated with the entry. For example, certain sender IP addresses and/or header entries, given what is known about the intended recipient (e.g., mismatch between sender and recipient) may increase the associated header entry risk component score. If the sender of the message has been determined to have an established relationship with the recipient of the message, past observations about headers of messages sent by the sender are utilized in determining the header entry risk component scores. For example, the header entry risk component score for a header entry is reduced if the same or similar entry (e.g., change in entry from a previously observed entry conforms to known change pattern) has been previously observed in previous message headers of messages from the sender of the message. The magnitude of this reduction may depend on degree of similarity and/or conformance to a typical pattern of change from previous observations.
In some embodiments, the header entry risk component score for a header entry is associated with whether the message is an automatically generated message. For example, one or more x-header entries identify whether the message was automatically generated. These entries may be identified based on keywords that identify that the message was generated using a script (e.g., generated using a PHP mailer/script). If the sender of the message has been determined to have an established relationship with the recipient of the message, past observations about headers of messages sent by the sender are utilized in determining the header entry risk component scores. For example, the header entry risk component score for a header entry identifying an automatically generated message is reduced if the sender typically sends automatically generated messages (e.g., including the same or similar header entry) to the recipient of the message. The magnitude of this reduction may depend on degree of similarity and/or conformance to a typical pattern of change from previous observations. The following are examples of header entries identifying an automatically generated message and these entries are identified by matching one or more search terms with at least a portion of the text of these entries: “X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)”; “X-Php-Originating-Script: 1002:srjvdopc.php(1189): runtime-created function(1): eval( )'d code(1): eval( )'d code.”
At 406, one or more other security analyses is performed to determine one or more other security risk component scores. This step may be optional in various embodiments. Examples of other types of analysis performed include one or more of the following: a virus threat detection, a malware threat detection, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information, content that requests OAuth authentication, etc.) included in the message, analysis of a number and type of recipients of the same message, and determining whether the sender from a domain with a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy passes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validations.
In some embodiments, performing a security analysis includes identifying which domains and subdomains are used to send legitimate traffic, e.g., by recording what subdomains/domains are used to originate large volumes of emails, and which are not known to be spam or fraud email. For example, “large amounts” may mean greater than a threshold value, such as 100 emails per week, or at least 0.1% of the traffic associated with a particular domain, or any traffic that is not known to be good, e.g., by being associated with correct SPF and/or DKIM data in the headers. Next, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny.
In some embodiments, a security analysis involves web bugs, which are also referred to as web trackers. Some users set their browser preferences not to permit web bugs, whereas others do not. Therefore, the acceptance or rejection of a web bug is a trait that can be tracked. When it changes, that is indicative of risk. A web bug can be set to send a signal to the security service when the email or webpage in which it is integrated is rendered. The security service can send a message to a user considered at risk for having been corrupted, and then determine whether the web bug is operating in a manner that is consistent with past uses. The email can also demand that the user allows web bugs, after which user-specific information can be collected. If this is found to be inconsistent with past observations, the associated risk component score is increased.
At 408, one or more of the risk component scores are combined together to determine one or more combined security risk scores. Determining a combined security risk score includes statistically combining (e.g., adding together, weighting then adding together, averaging, weighted averaging, etc.) together the various risk component scores to determine a single combined risk score. In some embodiments, each of the risk component score(s) is associated with one or more specific types of risk. For example, risk component scores of each risk type are to be combined together by type to determine a total risk score for each specific risk type. For example, a security risk component score may be identified as being associated with a malware risk type and/or a phishing risk type and a combined security risk score for the malware risk type and a separate combined security risk score for the phishing risk type are calculated. In some embodiments, the combined security risk scores are utilized in determination of which security action to perform in 212 of FIG. 2A.
FIG. 5 is a flowchart illustrating an embodiment of a process for analyzing aspects of a received message based on whether the message is from an independently controlled account of a sender. The process of FIG. 5 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 5 is performed in 308 and/or 310 of the process of FIGS. 3 and/or 204 of the process of FIG. 2A. For example, the process of FIG. 5 is performed in response to a determination that the sender of the electronic message is not an established communication contact of the intended recipient of the message.
At 502, it is determined whether an electronic message account of a sender of the electronic message is likely an independently controlled account. For example, a message that was sent from an account that belongs to a large organization that closely controls who can send a message via its domain (e.g., web domain) is not an independently controlled account whereas a personal email message account is an independently controlled account.
In some embodiments, determining whether the electronic message account of a sender of the electronic message is likely an independently controlled account includes identifying a domain of an address (e.g., email address) of the sender of the message using the domain to identify using preconfigured data, whether the domain corresponds to independently controlled accounts. For example, certain domains are known to only allow not independently controlled accounts and any email address using these domains is identified as not an independently controlled account, while other domains are known to allow independently controlled accounts and any email address using these domains are identified as an independently controlled account. If the domain is unknown, the electronic message account of the sender is identified as an independently controlled account.
In some embodiments, the electronic message account of the sender of the electronic message is determined to be likely an independently controlled account based on a message traffic pattern associated with the electronic message account of the sender. For example, based on the volume of messages (e.g., large volume of message traffic above a threshold to/from the sender indicates that it is not an independently controlled account) and/or number/ratio of sent messages vs. received messages (e.g., a ratio of sent messages by the sender as compared to messages to the sender that is above a threshold indicates that it is not an independently controlled account where as a generally even ratio of sent vs. received indicates an independently controlled account), it is determined whether the electronic message account of the sender of the electronic message is likely an independently controlled account.
The notion of autonomy (e.g., independently controlled) of an account is important with respect to trust of the account. For example, a Google Gmail account is autonomous (e.g., independently controlled). Even though many members share the same domain, there is no coherency in their actions. On the other hand, an official work organization email address of one employee is not autonomous from another employee of the same organization.
In a first example, consider Alice with an email address with the domain “Aliceco.com” that sends an email to Bob at an email address with the domain “Bobco.com.” Assume that the recipient Bob has a trust relationship with Alice (i.e., the recipient email address for Bob has sufficient interaction with the Alice email account). Then there is “personal trust” by the recipient directed to the sender. Assume that the recipient does not have a trust relationship with Alice, but somebody else at “Bobco.com” does. Then there is “organizational trust” by the recipient directed to the sender. Assume now that the recipient Cindy at “Bobco.com” has no trust relationship with Alice, but Cindy does have one with Dave at Aliceco.com. Then there is “personal transitive trust” by the recipient directed to the sender. This is because Alice and Dave both belong to “Aliceco.com,” and “Aliceco.com” is one autonomous entity—Alice and Dave are not two independent autonomous entities. Finally, assume that the recipient has no trust relationship with either Alice or Dave—or anybody else at “AliceCo.com”—but that somebody else at “Bobco.com” does. This shows “organizational transitive trust.”
In another example, consider Bob using his Google Gmail (“gmail”) personal account, sends an email to somebody at “Bobco.com.” Assume that the recipient has a trust relationship with Bob (e.g., the recipient email address has sufficient interaction with the Bob “gmail” email account). Then there is “personal trust” by the recipient directed to the sender. Assume that the recipient does not have a trust relationship with Bob's “gmail” account, but somebody else at “Bobco.com” does. Then there is “organizational trust” by the recipient directed to the sender. Assume now that the recipient has no trust relationship with Bob, but they do have one with Cindy's personal “hotmail” account. There is no trust—Bob and Cindy are not two independent autonomous entities when represented by their personal email addresses.
Thus if an email comes from a stranger whose email address is similar to a party the recipient trusts, then this is a high-risk scenario. Trust is different from more general reputation: one is not more likely to act on an email from a trustworthy but unknown organization than one of an email from a non-trustworthy and unknown organization. However, whether one has a good relationship with a sender matters more in terms of trust than whether others have a good relationship with the sender. Different kinds of trusts may be computed in different ways but also have different strengths. For example: strength(“personal trust”)>strength(“organizational trust”); strength(“personal trust”)>strength(“personal transitive trust”); strength(“personal transitive trust”)>strength(“organizational transitive trust”); strength(“organizational trust”)>strength(“organizational transitive trust”). In some embodiments, different weights can be assigned to these different types of trust to determine a risk of a message.
If at 502 it is determined that the electronic message account of the sender of the electronic message is likely an independently controlled account, at 504, the message is analyzed to determine whether the message is an automatically generated message. For example, a header of the message is analyzed to determine whether one or more x-header entries identify whether the message was automatically generated. These entries may be identified based on keywords that identify that the message was generated using a script (e.g., generated using a PHP mailer/script). The following are examples of header entries identifying an automatically generated message and these entries are identified by matching one or more search terms/keywords with at least a portion of the text of these entries: “X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)”; “X-Php-Originating-Script: 1002:srjvdopc.php(1189): runtime-created function(1): eval( )'d code(1): eval( )'d code.”
In some embodiments, determining whether the message is an automatically generated message includes identifying a likely scripted behavior associated with a protected account. For example, attackers typically configure accounts they have compromised to forward emails to another account, either selectively (such as based on the subject line, the sender, the thread, etc.) or for all emails. In addition, attackers sometimes configure compromised accounts so that selective emails are hidden, as will be described in more detail below. When attackers make such a configuration, then this affects the traffic patterns in a way that will be measured and detected by the security service. By monitoring the different mail folders, including the inbox, the sent box, the archive, the trash folder and other folders, the security service provider will detect forwarding behavior that is anomalous in that it has not been performed by the account owner before; that is selective; that is rapid; or that is to recipients that are considered high risk, or any combination of these. It also detects signs of scripted forwarding, which is indicated by a very short time period between receipt of an email and the forwarding of the email. In addition, the security service also looks for other indications of scripted behavior, such as an anomalous addition of an account in the bcc, which is considered anomalous by not having been performed previously, and/or which is considered scripted due to the time periods being very short. Another related detection method is to observe if the MUA of emails to some recipients of emails sent from the protected account are different than those of others, and considered high risk, e.g., due to information that is anomalous for the account owner.
If at 504 it is determined that the message is an automatically generated message, at 506, an automated message security risk component score associated with the message is set (e.g., set to a high value) to reflect a high security risk of the message (e.g., higher than otherwise). This security risk component score may be utilized in 212 of FIG. 2A and/or 408 of FIG. 4.
If at 502 it is determined that the electronic message account of the sender of the electronic message is likely not an independently controlled account or if at 504, it is determined that the message is not an automatically generated message, at 508, the automated message security risk component score associated with the message is set to reflect a low risk of the message (e.g., lower than otherwise).
FIG. 6 is a flowchart illustrating an embodiment of a process for wrapping encrypted content of the message. The process of FIG. 6 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In various embodiments, at least a portion of the process of FIG. 6 is performed in 212 of FIG. 2A. For example, the process of FIG. 6 describes one of the security actions that is selected to be performed.
If a message includes encrypted content such as an encrypted email attachment, that encrypted content is often unable to be properly analyzed for security threats because analysis tools are unable to access the encrypted content. Hackers may take advantage of this by sending an encrypted malware attachment along with a password to be utilized by the recipient to open the attachment.
At 602, encrypted content included in a message is identified. Examples of the message include an email, instant message, a chat message, and any other forms of electronic messages. The message may be analyzed as a part of a computer security analysis and filtered to identify and neutralize security threats prior to allowing an intended recipient of the message to access the message. In some embodiments, each message received for delivery to its intended recipient associated with the system performing analysis of the message is to be analyzed. Examples of the encrypted content include: an encrypted executable file, an encrypted zip file, an encrypted text, an encrypted script, an encrypted image, and any other encrypted content. The encrypted content may have been identified by identifying content that requires a password to access it.
At 604, a wrapped version of the identified encrypted content is generated and the message is modified to include the wrapped version of the encrypted content instead of the original encrypted content. In some embodiments, wrapping the encrypted content includes embedding the encrypted content in an executable program. When the executable program is executed, the executable program requests a decryption password from the user and the encrypted content of the message is encrypted using the decryption password and the decrypted content is analyzed for security threats prior to allowing the user access to the decrypted content once the analysis has completed without identifying a security threat. If the security analysis identifies a threat, a user may not be allowed to access the decrypted content and the security threat may be logged or reported to an administrator.
For example, the wrapped version of an encrypted zip file is a file that, when opened, causes execution, whether of the file wrapper itself or of an associated application that the message recipient needs to download, and as the file wrapper is executed, it requests and receives a decryption key, PIN, or password from the user and uses the PIN or password to decrypt the wrapped zip file. This is done by executing the unzip program associated with the zip file, or a compatible version to this, providing the unzip program with the PIN or password provided by the user. It then automatically accesses the contents of the unzipped file and analyzes it for security risks. This can be done in a multiplicity of ways, including detonating each file, determining whether any of the files match an anti-virus signature, determining whether any of the files has executable code segments in it, etc. The same approach also works for messages with attachments that are encrypted pdfs, or any other encrypted file. In such cases, the execution of the wrapper file causes the decryption of the encrypted file, which is then analyzed for security risks, including executable code. If a file, independent of type, passes the verification, then the decrypted content is made available to the recipient. Thus, the user experience associated with the opening of wrapped encrypted content would be the same as that of unwrapped encrypted content, except for a delay during security analysis (e.g., in most cases this would be too short to detect).
At 606, the message with the wrapped version of the encrypted content is allowed to be delivered. For example, the modified message is allowed to be delivered to an email inbox (or other email categorization folder to be actively accessed by a user to obtain new messages, e.g., not a spam or trash folder) of an end recipient. Allowing the modified message to be delivered includes allowing an intended user recipient of the message to be able to access the wrapped encrypted content. When the recipient opens the wrapped encrypted content, the wrapper program requests a decryption key, decrypts the encrypted content using the decryption key, and initiates the security analysis of the decrypted content prior to allowing the recipient access to the decrypted content of the encrypted content. Any security analysis technique or method described in this specification may be performed on the decrypted content to analyze it for security threats. If a security threat is detected, the user may not be allowed access to the decrypted content and a security may be performed. The security action may include revoking access to the message, deleting the message, forwarding the message, reporting the message, further modifying the message, moving the message (e.g., to a different folder), preventing access to a portion of the message, providing an additional warning, and/or performing further analysis.
FIG. 7 is a flowchart illustrating an embodiment of a process for tracking trusted contacts. The process of FIG. 7 may be at least in part performed by analysis server 102, gateway 110 and/or message server 106 of FIG. 1. Examples of the contacts include email addresses, usernames, display names, user identifiers, an identification photo, and any other identifier that may be utilized to identify a sender or recipient of a message. At least a portion of the process of FIG. 7 may be performed in 204 of FIG. 2A and/or 306 of FIG. 3. For example, one or more steps of the process of FIG. 7 are performed to determine whether a sender of a message is a trusted contact or has an established relationship with the recipient of the message.
At 702, trusted contacts for a user (e.g., message recipient) are determined. The trusted contacts are to be utilized to identify potential message threats of the user. The trusted contacts identify one or more contacts (e.g., senders or recipients of messages) that are familiar to the user because the user has previously interacted with the contact and/or is aware of the contact. In some embodiments, determining the trusted contacts includes receiving a list of contacts for the user. For example, the user provides access to an address book of the user and information about contacts in the address book is received. In some embodiments, the trusted contacts include contacts that have been specifically identified by the user. In some embodiments, information about the trusted contacts is stored. For example, the trusted contacts for the user are stored in a database of trusted contacts. This database may track trusted contacts for a plurality of different users and allows trusted contacts to be retrieved for a specific identified user. The stored information of each contact may include one or more of the following: email address, associated name (e.g., display name), relationship identifier, identifying image (e.g., contact photo), username, instant message identifier, address, phone number, a measure of trust, a measure of message interaction, and any other identifier utilized to identify a sender or a receiver of a message.
In some embodiments, the trusted contacts for the user are at least in part determined automatically based on contacts detected in messages sent or received by the user. For example, by observing and analyzing message traffic of the user and patterns of message recipients and senders, contacts that receive messages from the user and contacts that send messages to the user can be determined and correlated to infer and determine trust, frequency, and/or importance of interaction and relationship between the user and the contact to identify one or more of these contacts as a trusted contact. In one example, if a threshold number of messages has been sent to and from a contact for a user, the contact is identified as a trusted contact and added to a stored list of trusted contacts for the user. Information about the messages of the user utilized to at least in part automatically determine the trusted contacts has been obtained for analysis by receiving at least a portion of the messages (e.g., a copy of the entire message, email addresses and names of contacts of messages, etc.) for analysis (e.g., at server 102 from server 104, gateway 110, or server 106 of FIG. 1).
At 704, trusted contacts for a group that the user belongs to are determined. For example, trusted contacts for the users included in the group are aggregated to identify patterns among the aggregated trusted contacts. Examples of the group include a network domain that the user belongs to (e.g., domain of the email address of the user), an entity/organization that the user belongs to (e.g., company that the user belongs to), a message service provider, or an authority that controls a message account of the user. In some embodiments, determining trusted contacts for the group includes aggregating information about a trusted contact and/or a network domain of one or more trusted contacts from information gathered for different users for the trusted contact and/or the network domain. In some embodiments, determining the trusted contacts for the group includes storing information about the trusted contacts in a data storage structure and associating this stored information with the group.
At 706, determined trusted contacts are utilized to identify potential message threats for the user. For example, the contacts in the trusted contacts may be utilized as a proxy for contacts that are familiar to the user and if an attacker tries to attack the user using an impersonation attack, contact being impersonated likely corresponds to one of the contacts in the list of trusted contacts of the user. By determining a measure of similarity between a sender identifier of a message received for the user with each identifier of each trusted contact, messages attempting impersonation attacks may be identified. For example, if the email address of the sender matches an email address of a trusted contact, the message is to be trusted and not filtered but if the email address of the sender does not match any trusted contacts but is similar to an email address of a trusted contact, the message is identified as potentially a part of an impersonation attack and filtered. Filtering the message may include blocking the message, quarantining the message, further analyzing the message, and/or modifying the message (e.g., insert a warning).
FIG. 8 is a flowchart illustrating an embodiment of a process for determining information about a message sender to be utilized to assess a risk of a message. The process of FIG. 8 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 8 is performed in 702 and/or 704 of FIG. 7. For example, the process of FIG. 8 may be repeated for each trusted contact determined for a user (e.g., for each contact in a list of trusted contacts stored in a repository) and stored in a data structure that tracks the trusted contacts. The process of FIG. 8 may be repeated periodically. At least a portion of the process of FIG. 8 may be performed in 204 of FIG. 2A and/or 306 FIG. 3.
At 802, a measure of global reputation for a sender is determined. The sender may correspond to a group of individual sender addresses in some embodiments or an individual sender address in other embodiments. For example, the sender corresponds to a trusted contact in a list of trusted contacts determined using the process of FIG. 7. In another example, the sender corresponds to a domain of a trusted contact identified using the process of FIG. 7. In some embodiments, the sender is a network/Internet domain and the measure of global reputation corresponds to all individual sender addresses of the domain. For example, the determined measure of global reputation of a domain is applicable to all email addresses within the domain. In some embodiments, the measure of global reputation for a sender is specific to an individual sender address. For example, the measure of global reputation for a sender is specific to an email address. In some embodiments, the sender is one of a plurality of senders in a list of senders to be analyzed to predetermine its global reputation. The list of senders may be automatically determined from one or more previously received messages (e.g., senders of previously received messages) and/or specified by a user/administrator. The measure of global reputation of the sender is applicable for a plurality of recipients of a message from the sender while a measure of local reputation of the sender is specific to a particular recipient domain or individual recipient address of a message from the sender.
In some embodiments, the measure of global reputation indicates a general measure that a sender is likely to send a message that is of value to a recipient of the message. For example, a higher measure of reputation indicates a higher likelihood that any message sent by the sender will not include malicious and/or undesired content (e.g., message will not include a virus, malware, spam, etc.). In some embodiments, determining the measure of global reputation includes determining one or more component factors to be utilized to determine a total measure of global reputation. For example, each determined component factor may be utilized to add, subtract, or multiply a value to/from the measure of global reputation to determine the total measure of global reputation. In one example, determined component factor values are summed to determine the global reputation measure. In some embodiments, machine learning or another automated process is utilized to determine the measure of global reputation based on gathered/generated information about the sender of the global reputation.
In some embodiments, determining the measure of global reputation for the sender includes determining whether an identifier of the sender (e.g., domain name, subdomain, IP address) is included in a list of senders known to be reputable. For example, there exists a predetermined list of entities and their associated identifiers that are known to be reputable and if the identifier of the sender is included in the predetermined list, the resulting measure of global reputation would be higher than otherwise. In some embodiments, determining the measure of global reputation for the sender includes determining whether an identifier of the sender is included in a list of senders known to be not reputable. For example, there exists a list of IP addresses associated with a server that are known to be commonly utilized to send spam messages and in the event an IP address associated with the sender is included in this list, the determined measure of global reputation would be lower than otherwise. Whether the identifier of the sender is included in the list of senders known to be reputable or not reputable may be utilized to determine a component factor value utilized in determining the measure of global reputation of the sender.
In some embodiments, determining the measure of global reputation for the sender includes determining a category of business associated with an entity of the sender. For example, businesses in certain categories (e.g., banking) may be associated with a higher reputation than businesses in other categories (e.g., digital marketing). In some embodiments, using a list/database that maps an identifier of a sender to a known associated category/line of business, the category/line of business associated with the sender is determined, if applicable (e.g., the line of business for some senders may be unknown or not applicable). A reputation component factor (e.g., value to be added, multiplied, or subtracted to/from total score measure) associated with the identified category/line of business may be utilized in determining the measure of global reputation.
In some embodiments, determining the measure of global reputation for the sender includes analyzing domain registration history and Domain Name System (i.e., DNS) activity of the sender. For example, a sender that is typically reputable will register a domain name far ahead of time prior to the use of the domain while a less reputable sender will likely temporarily utilize a domain for a short period of time prior to moving on to another domain and will register a domain within a short amount of time prior to the use of the domain. In some embodiments, determining the measure of global reputation includes utilizing a component factor value determined based on the domain registration history and DNS activity analysis (e.g., add, multiply, subtract, etc. using the factor value). For example, the factor value is based at least in part on a length of time since registration of a domain of the sender, an amount of time between registration of the domain and a first use of the domain to send a message, Internet content (e.g., webpage) located at a URI utilizing the domain of the sender, an entity that registered the domain of the sender, etc.
In some embodiments, determining the measure of global reputation for the sender includes analyzing historical statistics and/or a history of messages sent by the sender. For example, there exists one or more repositories of previous messages sent by the sender and the repositories of messages are analyzed to determine one or more of the following: an amount/volume/rate of messages sent by the sender, a number/breadth of different recipients (e.g., number of different domains of recipients, number of different email addresses of recipients, etc.) of messages from the sender, a distribution of messages sent to different recipients, a length of time the sender has been sending messages, a regularity that the sender has been sending messages (e.g., difference in average number of messages per time period), a type of content of messages sent by the sender, a difference/regularity between content of messages sent by the sender, amount/rate of content opened/viewed by recipients of messages sent by the sender, a number/rate of messages sent by the sender that have been identified as malware, spam, and/or a virus by an analysis/filter/scanner tool, etc. The historical analysis may be performed using machine learning. In some embodiments, based on the historical analysis, a historical analysis component factor value is determined and the historical analysis component factor value is added, multiplied, subtracted, etc. to determine the measure of global reputation for the sender.
In some embodiments, determining the measure of global reputation for the sender includes determining whether an identifier of the sender is similar to an identifier of another sender. For example, it is determined whether a domain of the sender is similar to a domain of another sender. Determining whether an identifier of the sender is similar to an identifier of another sender may include determining whether an identifier of the sender is similar to an identifier of another sender with a relatively high measure of global reputation. For example, an attempt to confuse a recipient by utilizing a domain that is only slightly different from a highly reputable domain is detected. In some embodiments, based on the similarity analysis, a similarity component factor value is determined and the similarity component factor value is added, multiplied, subtracted, etc. to determine the measure of global reputation for the sender.
In some embodiments, the global reputation for the sender is determined by combining (e.g., averaging, adding, etc.) measures of local reputation (determined in 804) for the sender determined for each recipient of a group of different recipients to determine a combined measure (e.g., combined score).
At 804, a specific measure of local reputation for the sender is determined for each of one or more different recipients. For example, although the measure of global reputation determined in 802 may apply to any recipient that receives a message from the sender, the specific measure of local reputation is only applicable to a specific recipient. In one example, one recipient may have a different relationship to a sender than another recipient (e.g., existing business relationship) and interest/relevance of a message from the sender may be different for different recipients and this difference is reflected as a different measure of local reputation for each different recipient. In some embodiments, the one or more different recipients include the user in 702 of the process of FIG. 7. In some embodiments, the recipient represents a network/Internet domain and the measure of local reputation corresponds to all individual recipients of the domain. For example, the determined measure of local reputation for a recipient domain is applicable to all recipient email addresses within the domain. In some embodiments, the measure of local reputation for the sender is specific to an individual recipient address.
In some embodiments, the recipient is one of a plurality of recipients in a list of recipients to be analyzed to predetermine the local reputation of the sender for the specific recipient. The list of recipients may correspond to the recipients/email servers accessible (e.g., list of email domains being managed) by an analysis server. In some embodiments, each email server of each recipient performs its own determination of its measure of local reputation for the sender. In some embodiments, the measure of local reputation is determined dynamically. For example, when a recipient receives a message from the sender, the recipient determines the measure of local reputation for the sender.
In some embodiments, the measure of local reputation indicates a measure that the sender is likely to send a message that is of value to a specific recipient. For example, a higher measure of reputation indicates a higher likelihood that an authentic message sent by the sender will not include malicious and/or undesired content (e.g., message will not include a virus, malware, spam, etc.) for the specific recipient. In some embodiments, determining the measure of local reputation includes determining one or more factors to be utilized to determine a total measure of local reputation. For example, each determined factor may be utilized to add, subtract, or multiply a value to/from the measure of local reputation to determine the total measure of local reputation. In some embodiments, machine learning or another automated process is utilized to determine the measure of local reputation based on gathered/generated information about the sender.
In some embodiments, determining the measure of local reputation for the sender includes determining whether an identifier of the sender (e.g., domain name, subdomain, IP address) is included in a list of senders known to be reputable for the recipient. For example, there exists a predetermined list of entities and their associated identifiers that are known to be reputable for the specific recipient. If the identifier of the sender is included in the predetermined list, the resulting measure of local reputation would be higher than otherwise. In some embodiments, determining the measure of local reputation for the sender includes determining whether an identifier of the sender is included in a list of senders known to be not reputable for the specific recipient. For example, there exists a list of IP addresses associated with a server that are known to be commonly utilized to send spam messages and in the event an IP address associated with the sender is included in this list, the determined measure of local reputation would be lower than otherwise. Whether the identifier of the sender is included in the list of senders known to be reputable or not reputable may be utilized to determine a component factor value utilized to determine the measure of local reputation of the sender.
In some embodiments, determining the measure of local reputation for the sender includes determining a category of business associated with an entity of the sender with respect to a property of the specific recipient. For example, businesses in certain categories (e.g., banking) may be associated with a higher reputation than businesses in other categories (e.g., digital marketing) with respect to the category of business of the recipient (e.g., recipient is also in banking). In some embodiments, a reputation component factor (e.g., value to be added, multiplied, or subtracted to/from total score measure) associated with the identified category/line of business with respect to the recipient may be utilized in determining the measure of local reputation
In some embodiments, determining the measure of local reputation for the sender includes analyzing domain registration history and Domain Name Service (i.e., DNS) activity of the sender with respect to a property of the recipient. For example, it may be typical for certain recipients to be in communication with senders that utilize a domain for a short period of time while for other recipients it is not typical. In some embodiments, determining the measure of local reputation includes utilizing a component factor value determined based on the domain registration history and DNS activity analysis (e.g., add, multiply, subtract, etc. using the factor value). For example, the factor value is based at least in part on a length of time since registration of a domain of the sender, an amount of time between registration of the domain and a first use of the domain to send a message, Internet content (e.g., webpage) located at a URI utilizing the domain of the sender, an entity that registered the domain of the sender, etc.
In some embodiments, determining the measure of local reputation for the sender includes analyzing historical statistics and/or a history of messages sent by the sender for the specific recipient domain or individual recipient addresses. For example, there exists a repository of previous messages sent by the sender to the recipient (e.g., messages stored at a recipient message server of the recipient) and the repository of messages is analyzed to determine one or more of the following: an amount/volume/rate of messages sent by the sender, a number/breadth of different individual users of the recipient (e.g., number of different email addresses of recipient) that received messages from the sender, a distribution of messages sent to different individual users of the recipient, a length of time the sender has been sending messages to the recipient, a regularity that the sender has been sending messages to the recipient (e.g., difference in average number of messages per time period), a type of content of messages sent by the sender to the recipient, a difference/regularity between content of messages sent by the sender to the recipient, amount/rate of content opened/viewed by the recipient of messages sent by the sender, a number/rate of messages sent by the sender that have been identified as malware, spam, and/or a virus by an analysis/filter/scanner tool, etc. The historical analysis may be performed using machine learning. In some embodiments, based on the historical analysis, a historical analysis component factor value is determined and the historical analysis component factor value is added, multiplied, subtracted, etc. to determine the measure of local reputation of the sender for the recipient.
In some embodiments, determining the measure of local reputation for the sender includes determining whether an identifier of the sender is similar to an identifier of another sender and/or an identifier of the recipient. For example, it is determined whether a domain of the sender is similar to a domain of another sender or a domain of the recipient. Determining whether an identifier of the sender is similar to an identifier of another sender or the recipient may include determining whether an identifier of the sender is similar to an identifier of another sender with a relatively high measure of local reputation for the recipient. For example, an attempt to confuse a user by utilizing a sender domain that is only slightly different from a highly reputable domain for the recipient is detected. In some embodiments, an attempt to confuse a user by utilizing a sender domain that is only slightly different from a domain of the recipient is detected (e.g., detect trying to mimic an intra-organization message). In some embodiments, based on the similarity analysis, a similarity component factor value is determined and the similarity component factor value is added, multiplied, subtracted, etc. to determine the measure of local reputation of the sender for the recipient.
At 806, a global sender model for the sender is determined. For example, the sender model may be utilized to determine whether a message that indicates a sender was actually sent by the indicated sender. In some embodiments, the sender model identifies one or more properties that are characteristic of a message that is sent by the sender. In some embodiments, the sender model associates the sender with one or more IP addresses of message servers that are known or authorized to send messages for the sender. For example, an IP address of a last server that sent a message is a reliable identifier that indicates an origin of the message and this IP address information is utilized to determine whether the last server that sent the message corresponds to the sender identified in the message. In some embodiments, the sender model includes directly provided information. For example, a list of IP addresses of servers that send messages for the sender is received from a user, the sender, or a published source of information about the sender. In some embodiments, at least a portion of the sender model is determined using message authentication/validation information about the sender. For example, IP addresses associated with a domain of the sender are obtained using standardized message authentication/validation systems (e.g., using Domain-based Message Authentication (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), etc.).
In some embodiments, the sender model is automatically determined. For example, using one or more repositories storing messages received from the sender, a list of server IP addresses authorized or historically known to send messages for the sender is automatically determined. The one or more repositories may include a message store of a plurality of different recipients (e.g., different recipient message servers managed by an analysis server) and external message sources (e.g., information from third-party sources that gather message information). Machine learning may be utilized to automatically detect sources of and properties that are characteristic of authentic messages from the sender using historical information about messages previously sent by or on behalf of the sender. In some embodiments, an IP address is automatically associated with the sender in the sender model if it is detected that a message likely/verified to be sent by the sender was sent from the IP address. In some embodiments, before an IP address is associated with the sender, the sender must have sent a message from the IP address at least a threshold number of times. In some embodiments, a message is determined to have been sent by the sender if the message was validated using an email authentication/validation system and/or sent from the IP address that has been utilized to send messages identified as being sent by the sender for at least a threshold amount of time and/or a threshold number of times. Other factors may be utilized to verify whether a message in a repository was sent by the sender prior to using IP address information of the message in determining the sender model of the sender.
In some embodiments, an IP address is only added to the sender model to be associated with the sender in the event the IP address has been determined to be consistent for the sender. For example, a history of senders associated with the IP address is analyzed and the IP address is only associated with the sender if the IP address is not already associated with another sender, has not been associated with another sender for at least a threshold amount of time, and/or the number of different previous senders that have been with associated with the IP address is less than a threshold number.
In some embodiments, the sender model identifies one or more blocks of adjacent IP addresses that are authorized or historically known to send messages on behalf of the sender. These blocks of adjacent IP addresses may be owned or be under the control of a single administrative entity or domain or may be detected to exhibit similar sending behavior. The block of adjacent IP addresses may be specified by a user, a sender, an administrator, and/or a source of published information about the sender or a provider authorized by the sender. In some embodiments, one or more blocks of adjacent IP addresses to be included in the sender model are automatically determined. For example, once one or more IP addresses within a block of adjacent IP addresses have been associated with a sender model, the entire block of adjacent IP addresses may be associated with the sender model if they are determined or expected to exhibit similar message sending behavior.
In some embodiments, the sender model identifies a network/Internet domain that is common to all hostnames of servers that are authorized or historically known to send messages on behalf of the sender. The servers that share this network/Internet domain may be owned or be under the control of a single administrative entity or domain or may be detected to exhibit similar sending behavior. The network/Internet domain may be specified by a user, a sender, an administrator, and/or a source of published information about the sender or a provider authorized by the sender. In some embodiments, the network/Internet domain to include within the sender model is automatically determined. For example, once one or more IP addresses whose hostnames share an organizational network/Internet domain have been associated with a sender model, all servers whose hostnames share that network/Internet domain may be associated with the sender model if they are determined or expected to exhibit similar message sending behavior.
In some embodiments, the sender model identifies one or more autonomous system numbers (i.e., ASN) associated with servers that are authorized or historically known to send messages on behalf of the sender. For example, an ASN identifies a collection of IP routing prefixes owned by or under the control of a single administrative entity or domain and the ASN associated with the sender is specified in the sender model. The ASN associated with the sender may be specified by a user, a sender, an administrator, and/or a source of published information about the sender. In some embodiments, the ASN associated with the sender is automatically determined. For example, once one or more IP addresses associated with a sender model have been identified, the ASN(s) associated with the IP addresses may be associated with the sender if they are determined or expected to exhibit similar message sending behavior.
The determined or specified sender model associated with a sender may be stored in a data structure such as a list, a database, a table, or any other data structure that can be indexed based on an identifier of the sender.
At 808, a specific sender model for the sender is determined for each of one or more recipients, if applicable. For example, although the sender model determined in 806 may apply to any recipient, the specific sender model is only applicable to a specific recipient. In one example, one recipient may receive a message from the sender via a different set of sending message servers than another recipient due to geographical location differences between the recipients. In some embodiments, the recipient represents a network/Internet domain and the recipient specific sender model corresponds to all individual recipients of the domain. In some embodiments, the recipient specific sender model is specific to an individual recipient address. In some embodiments, the recipient specific sender model is determined in a similar manner as the sender model determined in 806 except for utilizing data specific to the recipient rather than various different recipients. For example, using a repository storing messages received from the sender to only the recipient, individual or neighborhoods of IP addresses associated with the sender model for a sender are automatically determined.
FIG. 9 is a flowchart illustrating an embodiment of a process for determining a total risk measure of a contact. The process of FIG. 9 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. At least a portion of the process of FIG. 6 may be performed in one or more steps of the process of FIG. 2A and/or FIG. 3 (e.g., in 204, 306, etc.).
At 902, a measure of trust associated with a message contact (e.g., sender of a message) is determined. In some embodiments, the measure of trust (e.g., numerical value) indicates a measure that the message contact is likely to send a message that is of value to a recipient/user. For example, a higher measure of trust indicates a higher likelihood that an authentic message sent by the contact will not include malicious and/or undesired content (e.g., message will not include a virus, malware, spam, impersonation attack, etc.). The measure of trust may be for a domain of the message contact that covers all messages of the same domain, a group of domains (e.g., domains of similar category), a group of contact addresses, or a specific contact address (e.g., email address). In some embodiments, the measure of trust is for a specific recipient/user. For example, the measure of trust indicates a measure of trust between the message contact and a specific recipient/user. In this example, the measure of trust may be determined based on a history of interaction between the message contact and the specific user.
In some embodiments, the measure of trust is determined at least by a portion of the process of FIG. 8. For example, the measure of trust is the specific measure of local reputation determined in 804. In another example, the measure of trust is the measure of global reputation included in the global sender model determined in 806. In another example, the measure of trust is determined based on a combination (e.g., average, sum, product, etc.) of the measure of global reputation and the specific measure of local reputation.
At 904, a measure of spoofing risk associated with the message contact is determined. For example, a likelihood that a spoofing attack could be technically carried out to spoof the message contact is determined. The measure of spoofing risk may be for a domain of the message contact that covers all messages of the same domain, a group of domains, a group of contact addresses, or a specific contact address (e.g., email address). The measure of spoofing risk may be a numeric score corresponding to the spoofing risk associated with the message contact.
An organization with a published and complete Domain-based Message Authentication, Reporting and Conformance (i.e., DMARC) policy has a low risk of being spoofed, as does each user account associated with such an organization. An organization that has a DMARC policy but which does not reject all messages that fail corresponds to a medium risk, as do users of such an organization. An organization without a DMARC policy or one that only involves monitoring and no rejection is associated with a high risk of being spoofed, as are users of such an organization. For example, if the message contact is associated with a DMARC policy that requires every message of the domain of the message contact to be signed with a digital signature, the measure of spoofing risk is assigned a low risk value. If the message contact is associated with a DMARC policy that enables but does not require every message of the domain of the message contact to be signed with a digital signature, the measure of spoofing risk is assigned a medium risk value. If the message contact is not associated with a DMARC policy, the measure of spoofing risk is assigned a high risk value. Thus, determining the measure of spoofing risk associated with the message contact may include assigning a score based on the DMARC or other message validation system policy associated with the message contact.
At 906, the measure of trust and the measure of spoofing risk are combined to determine a measure of total risk associated with the message contact. For example, the measure of trust and the measure of spoofing risk are multiplied together to determine the measure of total risk. In another example, the measure of trust and the measure of spoofing risk are averaged together to determine the measure of total risk. In another example, the measure of trust and the measure of spoofing risk are summed together to determine the measure of total risk. Thus, the measure of total risk is able to measure the threat of the message contact being impersonated, both in terms of the likely impact to the recipient (e.g., measure of trust provides a gauge on the likelihood the message recipient is likely to confuse the spoofed message as a message from a highly trusted and important contact) and the likelihood of technical feasibility (e.g., measure of spoofing risk provides a gauge on the measure of technical feasibility). In some embodiments, the measure of trust and the measure of spoofing risk may be each weighted before being combined. In some embodiments, the determined measure of total risk is stored in a data structure and associated with the message contact.
At 908, the measure of total risk is utilized to mitigate risk of messages received from the message contact. For example, when a message from the message contact is received, its measure of total risk for the sender of the message (e.g., message contact) is obtained and the measure of total risk is utilized to determine whether to filter and/or allow the message to be delivered. In an example, if a value of the measure of total risk is above a threshold value, the message is identified as a risk and the message is filtered to reduce its risk to the recipient.
FIG. 10 is a flowchart illustrating an embodiment of a process for assessing a received message for filtering. The process of FIG. 10 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. At least a portion of the process of FIG. 10 may be performed in 308 and/or 310 of FIGS. 3 and/or 204 and/or 212 of FIG. 2A. At least a portion of the process of FIG. 10 may be performed in 406 of FIG. 4.
At 1002, information about a message is received. In some embodiments, the information is received at analysis server 102 of FIG. 1. The information may include information about a sender of the message. For example, the information includes email address header information including an email address and a display name of the sender of the message. In some embodiments, the information about the message includes contents of the message. Examples of the message include an electronic mail (i.e., email), an instant message, a chat message, and any other forms of electronic messages.
At 1004, it is determined whether a sender of the message exactly matches a trusted contact. For example, it is determined whether an address of the sender of the message (e.g., in a “From:” field of a message header) exactly matches an address of a trusted contact in a list of trusted contacts for the recipient of the message. In some embodiments, the trusted contacts include trusted contacts identified in 702 and/or 704 of FIG. 7. For example, a list of trusted contacts for the recipient of the message is obtained from storage and email addresses for each trusted contact of the list are compared with the email address of a sender of the message to identify whether there is an exact match.
If at 1004 it is determined that the sender of the message exactly matches the trusted contact, at 1006, it is determined to allow the message to be fully accessed by the recipient, if applicable. For example, because the sender of the message exactly matches the trusted contact, the message is allowed to be delivered (e.g., by sending the message to a mail delivery server and indicating that the message is allowed to be delivered) to the recipient user. In some embodiments, the message is allowed to be accessed by the recipient without message filtering that would otherwise be performed if the message was identified as potentially a part of an impersonation attack. In some embodiments, the message is further analyzed prior to allowing it to be fully accessed by the recipient. For example, the message may be analyzed to identify whether it includes a virus, a spam, or a malware. In some embodiments, the total risk score determined using 906 of FIG. 9 is utilized to determine whether to allow full access to the message. If a value of the measure of total risk of the sender is above a threshold value, the message is identified as a risk and the message is filtered as in 1010 to reduce its risk to the recipient.
If at 1004 it is determined that the sender of the message does not exactly match a trusted contact, at 1008, it is determined whether the sender of the message is similar to a trusted contact. For example, by determining whether the sender of the message is similar to a trusted contact, a likelihood of confusion by a recipient of the message that the message is from a trusted contact is determined. In some embodiments, the determining whether the sender of the message is similar to a trusted contact includes determining a measure of similarity between the sender of the message and each contact in a list of trusted contacts. In some embodiments, the list of trusted contacts includes trusted contacts identified in 702 and/or 704 of FIG. 7. For example, a list of trusted contacts for the recipient of the message (e.g., recipient identified in a “To:” field of the message) is obtained from storage.
In some embodiments, determining the measure of similarity includes determining a string similarity measure (e.g., string distance) using a string matching algorithm (e.g., Jaro-Winkler). For each trusted contact in a group of trusted contacts, string similarity measures may be determined between an address of the trusted contact and/or a display name of the trusted contact with an address of the sender of the message (e.g., string in a “From:” field of the message between “<” and “>” characters), a display name of the sender of the message (e.g., string in a “From:” field of the message prior to “<” character), and/or a subject of the message. For example, potentially six string similarity measures may be determined for each trusted contact email/display name combination (e.g., trusted contact address compared to sender address, trusted contact address compared to sender display name, trusted contact address compared to message subject, trusted contact display name compared to sender address, trusted contact display name compared to sender display name, and trusted contact display name compared to message subject).
Comparison of the subject to the message to the trusted contact address/display name is performed to detect masquerade attempts in which the actual sender uses deceptive display names and/or subject lines to trick recipients that emails are from a trusted sender. For example, the sender joe123@gmail.com may set his display name to appear as a subject line, and use a subject line that appears as a from email address. This attacker may use the display name “Please review this material and let me know your thoughts. Fwd: slide deck, June 15 version,” and the subject line “Bob Bigboss <bbigboss@bigbossventures.com>” to an email. The display name, being very long, will often hide the attacker's email address (e.g., which is displayed after the display name for a typical mail client, or not displayed at all for some mail clients). Many recipients will not realize that the subject line appears where the sender address is normally shown, and vice versa. Therefore, such recipients will believe that the email comes from Bob Bigboss <bbigboss@bigbossventures.com>, despite it being displayed in the subject field. In some embodiments, the subject of the message is only utilized to perform the determination of the measure of similarity if the display name of the sender of the email is longer than a threshold length.
In some embodiments, prior to performing the string comparison to determine the measure of similarity, element portions of the strings are sorted (e.g., alphabetically sorted) based on a predetermined order. The element portions of the string may be delimited by a space character or other special characters (e.g., comma, period, etc.). For example, strings “Bob Bigboss” and “Bigboss Bob” may be determined to be not similar in string distance despite them being a simple reversal of the order of the first/last names. Thus, the element portions “Bob” “Bigboss” in “Bob Bigboss” can be alphabetically sorted as “Bigboss Bob” prior to being used in the string comparison.
In some embodiments, determining the measure of similarity includes detecting use of substitution characters that mimic corresponding traditional alphabet/number characters in the sender address, sender display name, and/or subject of the message prior to comparison with identifiers of the trusted contact. For example, an attacker may use substitution characters to visually mimic a character in an identifier of a trusted contact (e.g., replace “o” with zero, replace with Cyrillic letter, replace with Greek letter, replace with symbol resembling a traditional letter/number, etc.). In some embodiments, if substitution characters are detected, various versions of the sender address, sender display name, and/or subject of the message that replace one or more different combinations of substitution characters with corresponding traditional characters are generated and utilized in the string comparisons with the identifiers of the trusted contacts.
In some embodiments, it is determined that the sender of the message is similar to a trusted contact if any measure of similarity (e.g., string distance measure) meets a threshold value. For example, if any string distance measure determined for a list of trusted contacts is greater than a threshold value, the message is identified as potentially an impersonation attack message and it is determined that the sender of the message is similar to the trusted contact.
In some embodiments, messages that are highly authentic (e.g., associated with a valid DMARC signature, correct SPF records, or both) but which come from domains that are associated with low control are to be subject to increased analysis. For example, a measure of control of the domain of the sender is determined. The measure of control measures how easy it is to create an account of the domain without having to pass a careful screening. For example, any user is able to create a Google Gmail account by setting the username to any available user name and setting the display name to any correctly formed display name. Thus, domains correspond to a very low degree of control by the domain owner. In contrast, the typical enterprise or government entity has high control over account creation, allowing only employees and affiliates to create accounts, where these have to satisfy some common criteria related to the real-life identity of the user. When the message is identified as having high authenticity but low domain control, then the display name is to be scrutinized (e.g., compared to trusted display names using string distance as previously discussed), whereas for domains with high control, the display name is not scrutinized (e.g., display name impersonation detection not performed).
If at 1008 it is determined that the sender of the message is similar to a trusted contact, at 1010, it is determined to filter the message, if applicable. Filtering the message may include modifying at least a portion of the message, affecting delivery of the message, providing a notification regarding the message, and/or performing additional analysis on the message. An example of filtering the message is performing a security action.
In some embodiments, modifying at least a portion of the message includes modifying (e.g., replacing, adding or removing/deleting) data included in a data field (of the message) that includes an identification of the sender of the message. For example, the data field that is identified to include the identification of the sender is selected from a plurality of data fields of a message header and contents of the selected data field is modified. Examples of the identification of the sender includes a display name, an email address (e.g., “from” email address), a reply-to address, a phone number, an image, a content link, or any other identifier/identification of the sender specified in the message. The data field of the message may be included in a header of the message. For example, the data field of the message is a “From:” field, a “Reply-To:” field or a “Return-Path:” field of an email message header. In some embodiments, the message is a SMS message or a MMS message and a phone number of the sender in the data field is modified. For example, the sender phone number is removed or changed to a different number. In some embodiments, modifying data included in the data field includes modifying a location identifier of content associated with the sender of the message. For example, a URL to an image of the sender is modified to reference a different image (e.g., replacement image includes a warning message).
One example filtering is quarantining the message and sending an automated message to the email address in the “From:” field of the message regarding the quarantine. The automated email may require the recipient to click on a hyperlink that is unique and not predictable to an attacker. If the system determines that such a link was clicked on (e.g., by receiving a corresponding GET request), then the email may be taken out of quarantine and delivered.
Another example filtering is sending an automated email in response to the received message (e.g., whether to the address in the from field or a potential address in the ‘reply-to’ field or both), requiring the recipient to click on a hyperlink where he or she has to enter a code obtained from an authenticator module, such as a SecurID token or Google authenticator app. If the entered code is correct, the message is taken out of quarantine and delivered.
In an alternative embodiment, the received message is not quarantined but delivered to its recipient after being modified. For example, a warning message is added to one or more header fields and/or the body of the message (e.g., add warning message to subject of message, add warning message to modify sender address, etc.). In some embodiments, the received message is modified to change, remove, and/or censure at least a portion of the message (e.g., remove attachment, remove hyperlinks, remove/modify reply to address, etc.).
If at 1008 it is determined that the sender of the message is not similar to a trusted contact, the process returns to 1006. In an alternative embodiment, if at 1008, it is determined that the sender of the message is not similar to a trusted contact, the message is identified for filtering if the recipient of the message has never sent a message to the sender of the message. In some embodiments, the total risk score determined using 906 of FIG. 9 is utilized to determine whether to allow full access to the message. If a value of the measure of total risk of the sender is above a threshold value, the message is identified as a risk and the message is filtered in 1010 to reduce its risk to the recipient.
FIG. 11A is a flowchart illustrating an embodiment of a process for modifying a display name of a sender of the message. The process of FIG. 11A may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 11A is performed in filtering the message in 1006 and/or 1010 of FIG. 10. At least a portion of the process of FIG. 11A may be performed in 212 of FIG. 2A. For example, 1104 of FIG. 11A is performed in 212 of FIG. 2A as a selected security action to perform.
At 1102, a message is identified as suspicious. For example, it is identified in 708 that a sender of the message is similar to a trusted contact based on a measure of similarity of a sender of the contact with a trusted contact of a particular identified recipient of the message. An example of a trusted contact is a contact that has been previously identified by the recipient (e.g., included in an address book of the recipient) or is a contact with whom the recipient has had at least a minimum amount of positive engagement (e.g., having exchanged emails at least twice, and at least two weeks apart) without a recent “negative engagement” (e.g., recipient has not recently marked a message from the contact as spam). In some embodiments, the message is identified as suspicious if a sender of the message has not previously sent a message to a recipient identified in the message. In some embodiments, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message. In some embodiments, the message is identified as suspicious if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus, or malware.
At 1104, a display name of a sender of the message is modified prior to allowing the message to be accessed by a recipient user of the message. For example, the display name of the sender is rewritten to include a warning regarding its risk. In one example, consider an email with display name “Pat Peterson,” but not associated with an email address of a Pat Peterson that is considered trusted. This may cause the system to determine that the email is risky, and modify the display name to “Warning! Unknown user with the name ‘Pat Peterson.’” Conversely, if an email is determined to come from a trusted sender, the system may modify the display name by adding symbol(s) (e.g., icon of a star) identifying its risk. In some embodiments, display names of senders in messages identified as not suspicious are normalized, which may involve removing anything looking like a trust indicator (e.g., such as an icon of a star) from the display name, or adding another symbol to the display name. Alternatively, a message from a user that is neither considered risky nor trusted could have its display name removed and replaced by only the message address of the sender (e.g., only email address without display name), drawing the attention of the recipient to the fact that this is a user with whom the system has not determined there to be a trust relationship. This may be particularly beneficial to users who use mail clients that do not display the full email address, but only show the display name.
In some embodiments, in addition to or instead of the display name, an email address of the sender is also modified. For example, the entire “From:” field of a header of the message that includes both the display name and an email address is modified with a warning.
FIG. 11B is a flowchart illustrating an embodiment of a process for modifying a reply address of a sender of the message. The process of FIG. 11B may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 11B is performed in filtering the message in 1006 and/or 1010 of FIG. 10. At least a portion of the process of FIG. 11B may be performed in 212 of FIG. 2A. For example, 1104 of FIG. 11B is performed in 212 of FIG. 2A as a selected security action to perform.
At 1112, a message is identified as suspicious. For example, it is identified in 508 that a sender of the message is similar to a trusted contact based on a measure of similarity of a sender of the contact with a trusted contact of a particular identified recipient of the message. An example of a trusted contact is a contact that has been previously identified by the recipient (e.g., included in an address book of the recipient) or is a contact with whom the recipient has had at least a minimum amount of positive engagement (e.g., having exchanged emails at least twice, and at least two weeks apart) without a recent “negative engagement” (e.g., recipient has not recently marked a message from the contact as spam). In some embodiments, the message is identified as suspicious if a sender of the message has not previously sent a message to a recipient identified in the message. In some embodiments, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message. In some embodiments, the message is identified as suspicious if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus, or malware.
At 1114, a reply address of a sender of the message is modified prior to allowing the message to be accessed by a recipient user of the message. In the event where the message does not have a reply address, a “Reply-To:” field is automatically added to the message. This can be a real email address, different from the “from” address of the received message, and act as a quarantine for outgoing responses to high-risk emails. In such a quarantine, the recipient system can carefully verify (e.g., whether automatically or using manual effort, or a combination thereof) that the outgoing message is safe before it is automatically sent to the “from” address of the received email.
In some embodiments, an address in a “Reply-To:” field of an email header is replaced or inserted with a warning message (e.g., not a valid reply address) regarding the suspicious risk of the message. In one example, the “reply to” address of a message is replaced/created as “Warning! This is a user you have never sent an email to—If you want to proceed, remove this text from the recipient field of the email you want to send, and add the address of the recipient you wish to send it to.” This reply address will cause a pop-up on some message clients with the text above (e.g., and an error stating that it is not a valid email address) or may cause on some message clients to bounce the email.
FIG. 12 is a flowchart illustrating an embodiment of a process for securing a message. The process of FIG. 12 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 12 is performed in filtering the message in 1006 and/or 1010 of FIG. 10. At least a portion of the process of FIG. 12 may be performed in 204 and/or 212 of FIG. 2A and/or 308 and/or 310 of the process of FIG. 3. At least a portion of the process of FIG. 12 may be performed in 406 of the process of FIG. 4.
At 1202, a first risk analysis of the message is performed. For example, it is determined whether the message is suspicious. In some embodiments, steps 1004 and/or 1006 of FIG. 10 is performed in 1202. For example, it is determined whether the sender of the message is similar to a trusted contact. By determining whether the sender of the message is similar to a trusted contact, a likelihood of confusion by a recipient of the message that the message is from a trusted contact may be determined. In some embodiments, the determining whether the sender of the message is similar to a trusted contact includes determining a measure of similarity between the sender of the message and each contact in a list of trusted contacts. In some embodiments, the list of trusted contacts includes trusted contacts identified in 702 and/or 704 of FIG. 7. For example, a list of trusted contacts for the recipient of the message (e.g., recipient identified in a “To:” field of the message) is obtained from storage.
In some embodiments, determining the measure of similarity includes determining a string similarity measure (e.g., string distance) using a string matching algorithm (e.g., Jaro-Winkler). For each trusted contact in a group of trusted contacts, string similarity measures may be determined between an address of the trusted contact and/or a display name of the trusted contact with an address of the sender of the message (e.g., string in a “From:” field of the message between “<” and “>” characters), a display name of the sender of the message (e.g., string in a “From:” field of the message prior to “<” character), and/or a subject of the message. For example, potentially six string similarity measures may be determined for each trusted contact email/display name combination (e.g., trusted contact address compared to sender address, trusted contact address compared to sender display name, trusted contact address compared to message subject, trusted contact display name compared to sender address, trusted contact display name compared to sender display name, and trusted contact display name compared to message subject).
Comparison of the subject to the message to the trusted contact address/display name is performed to detect masquerade attempts in which the actual sender uses deceptive display names and/or subject lines to trick recipients that emails are from a trusted sender. For example, the sender joe123@gmail.com may set his display name to appear as a subject line, and use a subject line that appears as a from email address. This attacker may use the display name “Please review this material and let me know your thoughts. Fwd: slide deck, June 15 version,” and the subject line “Bob Bigboss <bbigboss@bigbossventures.com>” to an email. The display name, being very long, will often hide the attacker's email address (e.g., which is displayed after the display name for a typical mail client, or not displayed at all for some mail clients). Many recipients will not realize that the subject line appears where the sender address is normally shown, and vice versa. Therefore, such recipients will believe that the email comes from Bob Bigboss <bbigboss@bigbossventures.com>, despite it being displayed in the subject field. In some embodiments, the subject of the message is only utilized to perform the determination of the measure of similarity if the display name of the sender of the email is longer than a threshold length.
In some embodiments, prior to performing the string comparison to determine the measure of similarity, element portions of the strings are sorted (e.g., alphabetically sorted) based on a predetermined order. The element portions of the string may be delimited by a space character or other special characters (e.g., comma, period, etc.). For example, strings “Bob Bigboss” and “Bigboss Bob” may be determined to be not similar in string distance despite them being a simple reversal of the order of the first/last names. Thus, the element portions “Bob” “Bigboss” in “Bob Bigboss” can be alphabetically sorted as “Bigboss Bob” prior to being used in the string comparison.
In some embodiments, determining the measure of similarity includes detecting use of substitution characters that mimic corresponding traditional alphabet/number characters in the sender address, sender display name, and/or subject of the message prior to comparison with identifiers of the trusted contact. For example, an attacker may use substitution characters to visually mimic a character in an identifier of a trusted contact (e.g., replace “o” with zero, replace with Cyrillic letter, replace with Greek letter, replace with symbol resembling a traditional letter/number, etc.). In some embodiments, if substitution characters are detected, various versions of the sender address, sender display name, and/or subject of the message that replace one or more different combinations of substitution characters with corresponding traditional characters are generated and utilized in the string comparisons with the identifiers of the trusted contacts.
At 1204, it is determined whether the first risk analysis results in a determination that the message meets a first criteria. For example, it is determined whether the message meets a criteria to be deemed suspicious. In some embodiments, message meets the first criteria if a measure of similarity (e.g., string distance measure) meets a threshold value. For example, if any string distance measure determined for a list of trusted contacts (e.g., determined in 1202) is greater than a threshold value, the message is identified as potentially an impersonation attack message and it is determined that the message meets the first criteria.
In some embodiments, the message meets the first criteria if a sender of the message has not previously sent a message to a recipient identified in the message. In some embodiments, the message meets the first criteria if a recipient identified in the message has not previously sent a message to the sender of the message. In some embodiments, the message meets the first criteria if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus or malware.
In some embodiments, a total risk score determined using 906 of FIG. 9 is utilized to determine whether message meets the first criteria. For example, if a value of the measure of total risk of the sender is above a threshold value, the message is identified as meeting the first criteria.
If at 1204 it is determined that the message does not meet the first criteria, at 1206 it is determined to allow the message to be fully accessed by the recipient, if applicable. For example, because the sender of the message exactly matches the trusted contact or sender of the message is not similar to any trusted contact, the message is allowed to be delivered (e.g., by sending the message to a mail delivery server and indicating that the message is allowed to be delivered) to the recipient user. In some embodiments, the message is allowed to be accessed by the recipient without message filtering that would otherwise be performed if the message was identified as potentially a part of an impersonation attack. In some embodiments, the message is further analyzed prior to allowing it to be fully accessed by the recipient. For example, the message may be analyzed to identify whether it includes a virus, a spam, or a malware.
If at 1204 it is determined that the message does meet the first criteria, at 1208 the message is modified prior to sending a modified version of the message to a specified recipient of the message. For example, a warning message is added to one or more header fields and/or the body of the message (e.g., add warning message to subject of message, add warning message to modify sender address, etc.). The first risk analysis is performed before sending the modified version of the message. Sending the modified version may include delivering the modified version to the specified recipient (e.g., deliver to a mailbox of the specified recipient on server 106 of FIG. 1).
In some embodiments, modifying at least a portion of the message includes modifying (e.g., replacing, adding or removing/deleting) data included in a data field of the message that includes an identification of the sender of the message (e.g., modify an identifier of the sender). Examples of the identification of the sender includes a display name, an email address (e.g., “from” email address), a reply-to address, or any other identifier/identification of the sender specified in the message. The data field of the message may be included a header of the message. For example, the data field that includes the identification of the sender is a “From:” field, a “Reply-To:” field or a “Return-Path:” field of an email message header. The contents of the data field may be modified to provide a warning to a recipient, prevent a potential confusion of an identity of the sender of the message by the recipient of the message and/or prevent the recipient from responding to the message or sending a message to the sender of the message.
In some embodiments, the received message is modified to change, remove, and/or censure at least a portion of a content of the message (e.g., remove attachment, remove hyperlinks, remove a portion of the message content beyond a selected beginning body portion, etc.). For example, a message body section of an email message is modified to censure at least a portion of a content of the email message. In some embodiments, modifying the message includes inserting an inquiry associated with a verification of the sender of the message, wherein the inquiry requests a user response.
At 1210, a second risk analysis of the message is performed and it is determined whether the second risk analysis results in a determination that the message meets the second criteria. In some embodiments, the modified version of the message is sent to the specified recipient of the message (e.g., sent to a mailbox of the specified recipient on server 106 of FIG. 1) prior to a conclusion of the second risk analysis. For example, the modified version of the message is sent and delivered to a mailbox of the specified recipient of the message prior to the conclusion of the second risk analysis. In some embodiments, the second risk analysis concludes upon determination of whether the second risk analysis results in a determination that the message meets the second criteria.
In some embodiments in 1210, any of a plurality of different types of verification/security actions may be performed to further analyze and verify the message (e.g., verify an identity of the sender of the message). For example, it is determined whether a classification of the sender of the message requested and received from the specified recipient of the message matches an automatically identified classification of the sender, and it is determined the message meets the second criteria if a user response to the requested classification matches the automatically identified classification (e.g., see the process of FIG. 13A). In another example, an automatically generated reply message to a received message is sent the sender of the received message requesting verification of an identity of the sender of the message and it is determined the message meets the second criteria if the sender has provided a valid identity in response to the reply message (e.g., see the process of FIG. 14A).
If at 1210 it is determined that the second risk analysis results in a determination that the message meets the second criteria, at 1212, content of the message that was previously prevented from being accessed by the specified recipient is provided to the specified recipient of the message. The second risk analysis may be a more in-depth and/or resource intensive analysis of the message reserved for messages that fail the first risk analysis. For example, an original version of the message prior to the modification in 1208 is sent to the specified recipient of the message. This original version may be a duplicate message in addition to the initially provided modified version of the message (e.g., original version delivered as a new message to the specified recipient) or this original version may be a replacement message of the initially provided modified version of the message (e.g., initially provided modified message is deleted from mailbox of the specified recipient of the message and replaced with the original version). In some embodiments, the content of the message that was previously prevented from being accessed is included a new message sent to the specified recipient of the message.
If at 1210 it is determined that the second risk analysis results in a determination that the message does not meet the second criteria, at 1214 content of the message that was prevented from being accessed by the specified recipient remains not accessible by the specified recipient. In some embodiments, the message is deleted or quarantined. For example, after a period of time of message not meeting the second criteria and/or if it is determined during the second risk analysis that the message is potentially hazardous to a specified recipient of the message, the message is automatically deleted or quarantined to prevent access by the specified recipient to the entire message. In some embodiments, a notification is provided to an administrator. For example, the administrator is provided a warning about the message failing the second risk analysis.
FIG. 13A is a flowchart illustrating an embodiment of a process for detecting misrecognition of a sender of a message by a recipient of the message. The process of FIG. 13A may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 13A is performed in one or more steps of the processes of FIGS. 2A, 3 and/or 4. In some embodiments, at least a portion of the process of FIG. 13A is performed in one or more steps of the process of FIG. 12. For example, at least a portion of the process of FIG. 13A is performed in performing the first and/or second risk analysis of the process of FIG. 12.
At 1302, a message is identified as suspicious. For example, it is identified in 1008 that a sender of the message is similar to a trusted contact based on a measure of similarity of a sender of the contact with a trusted contact of a particular identified recipient of the message. An example of a trusted contact is a contact that has been previously identified by the recipient (e.g., included in an address book of the recipient) or is a contact with whom the recipient has had at least a minimum amount of positive engagement (e.g., having exchanged emails at least twice, and at least two weeks apart) without a recent “negative engagement” (e.g., recipient has not recently marked a message from the contact as spam). In some embodiments, the message is identified as suspicious if a sender of the message has not previously sent a message to a recipient identified in the message. In some embodiments, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message. In some embodiments, the message is identified as suspicious if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus, or malware.
In some embodiments, by basing the whether the message is suspicious on knowledge about trusted contacts of the specified recipient of the message, a message is only classified as suspicious and risky based on the likelihood that the recipient will confuse the sender with a trusted contact specific to the recipient. Otherwise, the risk may be marginal if the recipient does not know or trust the sender of the message since the sender is likely not impersonating someone that the recipient already knows. Thus a message is particularly dangerous if it is not from a trusted party, but the recipient thinks it is. In contrast, if the recipient knows that an email from an untrusted party is from an untrusted party, he or she is not as much at risk as he or she is not likely to feel compelled to comply with the requests or instructions in the message
At 1304, the sender of the message is automatically classified. In some embodiments, classifying the sender includes identifying a classification/category of the sender. For example, a relationship classification/category of the sender with respect to the specified recipient of the message is automatically determined based on a property of an identifier of the sender (e.g., domain), previous message history between the sender and recipient, and/or other list or database (e.g., database of business contacts of the recipient). Examples of the classification of the sender include a college, a business partner, a friend/acquaintance, or unknown.
For example, if the sender is associated with the same domain as the recipient, then the sender is classified as a colleague classification. This classification may also be used if the email address of the sender is a known personal email address of a user with a colleague message address. This personal address may be determined using manual registration of such addresses by the account owner, as well as by identification of message traffic indicative of a work account being related to a personal account, such as having closely related display names and extensive forwarding of material from one account to the other. If the sender is a service provider or a client of an entity associated with the recipient, then the sender is classified as a business partner classification. This type of classification may be identified by detection of a sufficient volume of message traffic over time between the sender and the recipient, or from a database/list of recorded business contacts/relationships. In some embodiments, the sender is classified as a friend/acquaintance classification for a given sufficient volume of message traffic over time between the sender and the recipient but cannot be classified as a colleague or a business partner. If the sender cannot be classified as a colleague, business partner, or friend/acquaintance, the sender is classified as known/stranger.
In some embodiments, the sender of the message is automatically classified based on a list of trusted contacts tracked for the recipient (e.g., tracked using the process of FIG. 7). For example, a trusted contact in the stored list of trusted contacts may be associated with a classification identifier provided by a user and/or automatically determined. An identifier of the sender of the email may be utilized to locate a corresponding entry in the stored list of trusted contacts to identify its classification.
At 1306, a manual classification of the sender of the message is requested from the specified recipient of the message. For example, before the message is fully provided to the recipient, a classification of the sender of the message is requested from the user in order to verify the recipient's believed classification of the sender as compared to the automatically determined classification. In some embodiments, the message is modified to change, remove, or obfuscate (e.g., remove attachment, remove hyperlinks, hide phone numbers, only retain a beginning portion of contents of the message and hide ending portion of the message, etc.) at least a portion of the message to prevent the recipient from having full access to the message prior to verification of the recipient's knowledge about the sender of the message. In some embodiments, the message is modified to include selection choices corresponding to the classification options (e.g., different selectable HTML hyperlinks included in the message and selection of a particular hyperlink option sends a request to the unique address of the hyperlink that can be detected by a server to identify which classification option was selected based on the unique address of the request corresponding to the selection option). In some embodiments, if a recipient replies to the message to the sender prior to providing the classification, the reply message is held/quarantined at a mail server until it is determined that it is safe to send the message. Another classification option is to identify the sender as a spammer or malware attacker. Selection of this classification may result in the removal of the email and blocking of future messages from the sender.
FIG. 13B shows an example of a modified message requesting manual classification of the sender of the message. Message 1320 includes contents of the original message 1322 as well as added selected choices 1324 that requests the recipient to classify the sender of the message.
Returning to FIG. 13A, at 1308, based on the response to the manual classification request, a security action is performed, if applicable. In some embodiments, if the manual classification response does not match the automatically determined classification, a security action is performed to warn the recipient about the mismatch and/or prevent the user from fully accessing or replying to the message. For example, the message may be deleted and replaced with a version of the message that has been modified (e.g., subject, sender display name, sender address, reply to address, and/or content of the message removed or modified with a warning indicator). In another example, the message may be deleted and quarantined for additional review by the recipient and/or an administrator. In some embodiments, in the event the sender of the message was correctly classified manually by the recipient and the automatic classification was incorrect, an opportunity is provided to add the sender of the message to the list of trusted contacts for the recipient and/or add an identifier of the sender (e.g., email address and display name) to an existing contact (e.g., as a secondary email address) in the list of trusted contacts. The sender may be added to the list of trusted contacts by the recipient, an administrator, or by the sender (e.g., by requiring the user to prove access to an account of an existing trusted contact).
FIG. 14A is a flowchart illustrating an embodiment of a process for requiring a sender of a message to verify an identity of the sender. The process of FIG. 14A may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 14A is performed in filtering the message in 1006 and/or 1010 of FIG. 10. In some embodiments, at least a portion of the process of FIG. 14A is performed in one or more steps of the process of FIG. 12. For example, at least a portion of the process of FIG. 14A is performed in performing the first and/or second risk analysis of the process of FIG. 12. At least a portion of the process of FIG. 14A may be performed in one or more steps of the processes of FIGS. 2A, 3 and/or 4. For example, it is performed as a security action in 212 of FIG. 2A.
At 1402, a message is identified as suspicious. For example, it is identified in 1008 that a sender of the message is similar to a trusted contact based on a measure of similarity of a sender of the contact with a trusted contact of a particular identified recipient of the message. An example of a trusted contact is a contact that has been previously identified by the recipient (e.g., included in an address book of the recipient) or is a contact with whom the recipient has had at least a minimum amount of positive engagement (e.g., having exchanged emails at least twice, and at least two weeks apart) without a recent “negative engagement” (e.g., recipient has not recently marked a message from the contact as spam). In some embodiments, the message is identified as suspicious if a sender of the message has not previously sent a message to a recipient identified in the message. In some embodiments, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message. In some embodiments, the message is identified as suspicious if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus, or malware.
At 1404, the message is prevented from being fully accessible by the specified recipient of the message. For example, at least a portion of the message is modified or removed. In another example, the message is quarantined and not delivered to the recipient.
At 1406, an automatic reply to the message is sent requesting verification of an identity of the sender of the message.
This verification attempt may be utilized to identify good emails from accounts that are not trusted, but which are nevertheless associated with trusted persons. For example, if one executive's name is John Adams, and another executive receives an email from a John Adams—but not the same account as to which she has a trust relationship—then this is a potentially deceptive email—but also an email that is potentially from another account (such as the personal account) of the trusted person. The reply message includes the message “Your email triggered an alert. Have you sent emails to the recipient using another email address? If so, please click here. Otherwise, click here.” The first hyperlink (associated with the first occurrence of “here”) would lead to a website where the visitor enters his or her “other” email address (e.g., trusted contact address), and a verification email is sent to that address. That verification email contains a challenge value, such as a secret string of alphanumeric characters, that the recipient has to copy and paste into the site where the email address was entered. The second hyperlink takes the user to a site where he or she is offered to solve a CAPTCHA, associate a phone number (e.g., by sending an SMS challenge value to the phone number), or perform another action that attackers are typically unwilling to perform.
FIG. 14B shows an example of an automatic reply message requesting verification of an identity of the sender of the message. Message 1420 informs the user that the sender's message has been quarantined and will not be delivered unless identity of the sender is established. Message 1420 instructs the sender to forward the automatic reply message to a second message account (e.g., account of trusted contact) that the sender has previously used to communicate with the recipient and using the second account, forward again the forwarded message to a verification system for verification of the possession of the second account.
Returning to FIG. 14A, the automatic reply to the message may be utilized to detect spoofing attempts. For example, the automatic reply is sent to a system of the sender to request verification that the sender identified in the message actually sent the message. For example, at least two installations of message security systems, where a first installation is associated with a first entity and a second installation is associated with a second entity, the second system identifies receipt of an email originating with a sender associated with the first system. The second system then sends an inquiry to the first system, where the inquiry contains information related to the email. The first system determines whether the email associated with the inquiry was sent from the indicated apparent sender, and generates a response to the second system. If the second system receives a negative response, then the email is not delivered to the intended recipient, or if it has already been delivered, then it is either removed from the inbox or a notification is sent to the recipient, warning the recipient of the email. In addition, a notification may be sent to an administrator associated with the second system. In some embodiments, a notification is also sent to an admin associated with the first system. If, on the other hand, the response to the inquiry is a positive response, then the email is delivered to the recipient. If an email has more than one recipient within the second system, then it is delivered to each such recipient. Here, the first and second systems may access emails in different ways. For example, the first system may correspond to an outbound collector of emails and the second system to an OAUTH access of one or more email boxes. The first system may also be an appliance controlling or relaying emails, or be an OAUTH-enabled method to access the various mailboxes (including the sent folder) of one or more users. In some embodiments, all communications between the two security systems are encrypted and authenticated.
At 1408, if the sender has provided a valid identity in response to the automatic reply in 1406, the message is allowed to be fully accessible by the specified recipient. For example, if the user has provided an established position of an alternate trusted account that can be trusted (e.g., account of trusted contact) or has otherwise provided or proved an identity of the sender, the message is allowed to be fully accessible. Making the message fully accessible may include allowing the message to be delivered and accessed by the recipient with all of its original content. This may also cause the sender (e.g., sender email address) to be whitelisted or associated with an increased trust value (e.g., add to trusted contacts). In some embodiments, the provided full access message includes a warning, bringing to the attention of the recipient that this is an email from a potential stranger.
If the sender does not provide a valid identity in response to the automatic reply in 906, the message may remain unable to be fully accessible by the specified recipient of the message. In some embodiments, the message is indicated to an administrator and/or deleted.
In some embodiments, if the reply to the address of the message is identified or unknown to be unattended (e.g., not monitored by a recipient user), the message is provided to the recipient in a modified form and/or with a warning.
FIG. 15 is a flowchart illustrating an embodiment of a process for determining a change in historical reputation of a sender of a message. The process of FIG. 15 may be at least in part implemented on analysis server 102, gateway 110, and/or message server 106 of FIG. 1. In some embodiments, at least a portion of the process of FIG. 15 is performed in filtering the message in 1006 and/or 1010 of FIG. 10. In some embodiments, at least a portion of the process of FIG. 15 is performed in one or more steps of the process of FIG. 12. For example, at least a portion of the process of FIG. 15 is performed in performing the first and/or second risk analysis of the process of FIG. 12. At least a portion of the process of FIG. 15 may be performed in one or more steps of the process of FIGS. 2A and/or 3.
At 1502, a long term measure of reputation associated with a sender of a message is determined. The long term measure of reputation may be for a specific address and/or domain of the sender. For example, long term measure of reputation is determined based on the amount of historical message traffic between the sender (or network domain of sender) and the recipient (or network domain of recipient). Large amounts of traffic may correspond to a high long term measure of reputation, unless there is a sufficient portion of the traffic that is flagged as undesirable (e.g., being spam, including virus/malware, etc.). Additionally, a long time period of traffic may correspond to a high long term measure of reputation, unless a sufficient portion is flagged as being undesirable. To the extent that it is available, a large open rate (e.g., the recipient opened the message) or a high response rate (e.g., whether replying to message or selecting links in message) also may correspond to a high long term measure of reputation, unless a sufficient portion is flagged as being undesirable. An example of a “sufficient” portion may mean that a fixed portion of the traffic, such as 2%. The long term measure of reputation may capture historical message traffic within several recent months. In some embodiments, when determining a long term measure of reputation for a domain, individual long term measures of reputation for accounts of the domain may be aggregated to determine the long term measure of reputation for the domain.
At 1504, a recent short term measure of reputation associated with the sender of the message is determined. The recent short term measure of reputation may be for a specific address and/or domain of the sender. The recent short term measure of reputation is determined using the same/similar factors as the long term measure of reputation but within a smaller time window. For example, the recent short term measure of reputation may capture historical message traffic within a day.
The recent short term measure of reputation may be low if a large portion (e.g., 5% of traffic within the time window) of message traffic between the sender (or network domain of sender) and the recipient (or network domain of recipient) is associated with complaints, spam detection, the detection of unwanted URLs, or unwanted attachments. An unwanted URL/attachment is one that is judged likely to be associated with risk, e.g., using a blacklist or an anti-virus scan. Complaints may correspond to users reporting an email as spam or phish, or placing it in a spam folder. Complaints can either be local (only a very small number of users, such as less than 1% of recipients, report the message) or pervasive (a greater portion of users report the email, e.g., more than 1%).
At 1506, changes in the recent short term measure with respect to the long term measure of reputation are detected and utilized to determine whether and/or how to filter the message. For example, if the sender is associated with a low (bad) long term measure of reputation (e.g., below a threshold) and a low (bad) recent short term measure (e.g., below another threshold), the message from the sender is identified as suspicious and filtered (e.g., blocked and/or modified with a warning). In some embodiments, if the sender is associated with a high (good) long term measure of reputation (e.g., above a first threshold) but low (bad) recent short term measure (e.g., below a second threshold), the message from the sender is identified as likely taken over by a malicious attacker. For example, the message may be filtered (e.g., blocked and/or modified with a warning), may require manual review by an administrator, or require an action by the sender (e.g., require sender to respond to a challenge) prior allowing delivery of the message (e.g., modified message with warning).
In some embodiments, let Ri be a reputation associated with a receiver, and for concreteness, assume that this corresponds to a numeric value between 0 and 1, inclusive. Let Bi be a recent short term measure of reputation associated with an email E received by the same recipient. For concreteness, this is also a value between 0 and 1, inclusive. Here, i is a number corresponding to the recipient. Further, let G be the long term measure of reputation associated with the email E, and may be a number between 0 and 100, for example. The value SUM(Bi*Ri)/G is computed, where SUM corresponds to adding the entries associated with all recipients of E. If SUM(Bi*Ri)/G >t1, where t1 is a first threshold, then a first action is taken. This action may be to block emails from the sender of E, remove E from the inbox of all recipients, and determine whether any of the users who appear to have opened E have had their computers corrupted or credentials stolen. This can be determined by asking the user, by scanning the user's machine, or by reviewing logs of incoming/outgoing traffic to the user's machine, where this review is preferably automated. Further, the action may involve increasing Ri by 10% for each user who filed a response Bi indicative of a threat. If SUM(Bi*Ri)/G<t2, where t2<t1 then the reputation Ri of each user who filed a response Bi indicative of a threat is decreased, e.g., by 5%. If the number of users filing a response Bi is indicative of a threat within a time T of receipt of the email E, then the email is considered to be associated with pervasive badness, otherwise local badness.
Generation of Flash Signatures for Defense Against Targeted Attacks
Targeted attacks are a threat to enterprises, governments, and wealthy individuals. Most targeted attacks use email for delivery, due to the ubiquity of email and the poor built-in security of email.
The traditional approach to detecting abusive emails is to create a blacklist of artifacts known to be unwanted; additions to this blacklist are typically made after large volumes of a malicious artifact have been transmitted, and some of the emails reported or trapped in honeypots and thereby brought to the attention of a person or algorithm that initiates the blacklisting of the artifact. This is a process that is poorly suited to targeted attacks, since such attacks typically intentionally avoid volume use of artifacts.
A better approach to detect targeted attacks is to identify when an email is deceptive, e.g., an email from a stranger that uses a display name that matches the display name of a party that the email recipient trusts. However, while believed to catch most deceptive emails, no security technology is foolproof, and it is therefore beneficial to create backup detection methods that help provide a second line of defense.
Detection of deceptive emails is utilized to train an early-detection structure based on signatures. A simple example illustrating the method is to detect a collection of deceptive emails, such as emails that use some form of identity deception, and to extract all artifacts from these deceptive emails; then to determine that some artifacts occur some minimum number of times, such as at least twice, and then to determine that these artifacts are not common among desirable emails (e.g., high confidence in determining malicious emails); such artifacts are determined to be high-risk, and a signature is automatically generated to identify them. This signature is then applied to other emails that were not identified as being deceptive. These include both emails being sent at a future time, and emails that have already been delivered. A security action is then taken on any detected emails; this security action would preferably be the same as that taken for the emails from which the artifacts were first extracted, or based on a classification rule that changes as the system learns more about the nature of the threat. Such additional learning includes insights derived from sandboxing (whether automatic or manual), automated website scraping, and more. Example security actions comprise not delivering the email, or if it already has been delivered, to remove it from the user inbox; to quarantine the message; to mark up the message with a warning; and to send the message for additional scrutiny, including manual review, or automated analysis such as sandboxing, or to feed the email to an active defense system that automatically, semi-automatically, or using manual effort engages in a conversation with the apparent attacker in order to identify the nature of the threat, collect identifiers such as bank accounts and email accounts to be sent to service providers for take-down, and more. If the blacklisted artifact, i.e., the artifact from which a signature was produced, is associated with a sender that the system recognizes as trusted, then this preferably triggers a review of whether this sender has been compromised; whether the sender sent the artifact legitimately; and whether the signature associated with the artifact should be modified or removed. As the system observes additional uses of the artifact, it manages counters related to whether the artifact was part of a known-bad email, e.g., based on the email having a deceptive identity as the sender; whether it is associated with an apparent stranger with respect to both the recipient and the system as such; and whether the email is associated with a sender that the system has listed as trusted, whether with respect to the recipient or in general. The system generates and maintains a risk score based on these counts, and preferably also based on the time of arrival of the different associated emails. Using this score or weighted score, the system selects what signatures to consider active, meaning traffic is compared with respect to them; and which ones are stored for potential future use. As a weighted score falls below a threshold, the associated signature for the artifact is not considered active; as it falls below another and lower threshold, the signature is not stored as a prospective signature for which the score is still maintained. If a score associated with a signature that is stored as a prospective signature increases above the first threshold, then the signature is again made active. Signatures whose score falls below the second threshold are not stored as prospective signatures, but either not stored at all or only stored as a historical signature. A person skilled in the art will recognize that this approach enables an agile system with low error rates, and furthermore, by associating an action such as delete, quarantine, or mark up with a warning on a per-signature basis, it is possible to minimize the practical impact of a false positive in which a legitimate email is flagged as deceptive based on containing a blacklisted artifact. A person skilled in the art will further appreciate that an artifact can be one or more attached files; one or more included URLs; one or more matches with text sequences; a match with a cascading style sheet or other formatting convention; the attack type classification of an email; or any combination of these. A feature is an individual measurable property or characteristic of a phenomenon being observed.
To address an adversary with ever-changing strategies, there is a need to detect signatures of attacks as the latter are created or modified. This is the notion of agility, which is one of the benefits of the disclosed method. This is achieved by frequent evaluation of threats and comparison with established signatures and other detection methods, to determine what signatures and other methods to retire. Alternatively, in an embodiment wherein signatures are verified according to a probabilistic schedule, a signature that is more likely to be triggered, especially when no other detection method is likely to trigger, is attempted to be matched with a potential threat with a greater probability than a signature that is less likely to trigger. The benefit of this approach is that it is sensitive to cache sizes, where the cache is used to hold signatures to be attempted to match with potential threats. Not all signatures are necessarily compared for any one potential threat. The selection may be made based of detected features, such as potentially deceptive display name, emails from likely strangers, emails from senders with low reputations, emails containing attachments (especially of types that can be executed), and emails with subject lines that are considered high risk. These are only some examples of such features, as will be understood by a person skilled in the art. Signatures are selected to be placed in a cache at least in part based on their associated probabilities of matching threats that are not detected by other detection methods including other signatures, which are identified by a benefit score. The benefit score can be computed in a variety of ways. In one example embodiment, it comprises three values: one counter indicating how often it has been attempted to be matched within a window time period; one counter indicating how often it is triggered in this window time period but where no other signature with a higher current benefit score triggered; and one score that is the second counter divided by the first counter. Thus, if one signature has been the signature with the highest benefit score to trigger eight times during a time period of two days out of an attempted two hundred attempts, then the score is 0.04. Another signature with a score of 0.16 is four times as useful for an unknown threat. Therefore, the first signature is selected with a probability of 0.04/(0.04+0.16)=20% of the time, should the cache only allow one of these two signatures to be stored. This is a simplified example, though, as a realistic implementation would use caches with space for hundreds if not thousands of signatures, and the system may maintain hundreds of thousands of signatures at any point in time. Here, the cache does not need to correspond to a physical storage cache, but could be represented by another form of storage; the cache corresponds to the storage space associated with a filter sensor. In one example embodiment, this filter sensor corresponds to a local filter in a mail server or gateway. Additional signatures may be stored locally, on other computers and storage, and accessed through a LAN, or may be stored in a cloud server, or a combination of these. Periodically, a central repository of signatures feed new signatures to local repositories, which then select which ones to store based on associated scores, including benefit scores. Not all mail filters would cache or store the same signature at a particular point in time. Thus, one server may detect threats using different signatures than another server, but as some signatures trigger at a larger number of threats, their associated benefit scores increase locally. A central authority collects updated scores and promotes useful signatures to local filters by sending updated scores for already cached signatures, or scores and signatures for signatures that are not cached. This causes good signatures to be identified at a local level but promoted to a global level, thereby taking advantage of the distributed system identifying their usefulness.
In a system where the time constraints limit the amount of signatures matched to potential threats, these are also preferably selected using a probabilistic method based on their estimated benefit score. A local server can request from a repository, including a cloud repository, to receive signatures corresponding to selected criteria, e.g., addressing BEC threats; addressing malware threats and having benefit scores above a threshold; and addressing threats associated with attachments, signatures with estimated false positives below a threshold value, and more. This way, a decentralized detection system using the disclosed technology allows for local differences in terms of specializations and requirements. As a result, different distributed systems can be clustered in terms of the similarity of their needs and requirements: they will correspond to greatly overlapping collections of signatures being cached. This will happen automatically, but is helpful for the centralized authority to quantify, as it permits effective sharing of threat information, including information relating to scores and signatures, between entities that are in one and the same cluster. It also helps identify risky subsystems: when one such subsystem is successfully attacked, other, closely related subsystems can be reconfigured. One such reconfiguration is to cache a larger number of signatures of a particular type; or to forward all emails matching some criteria to a cloud detection unit that then performs a more in-depth security analysis of these emails, without significantly increasing the computational load on the subsystem at risk. This can be reconfigured again once the threat is identified as having changed anew.
A first phase of an embodiment, is the detection of high-risk emails based on a detection method not using signatures or artifacts, but based, for example, on a deceptive sender identity. An example of emails with deceptive sender identities include spoofed emails, which can be detected by observing an email without a DMARC signature when one is expected, or with invalid SPF data. Another example of emails with deceptive sender identities are emails from strangers, with respect to the recipient, with display names matching trusted parties with respect to the recipient; or emails sent from webmail accounts where the display name is set to correspond to a brand identity, such as “ACME Bank.” This type of deceptive email can be detected by identifying emails coming from non-trusted senders but where the display name matches a trusted sender, wherein “trusted” can be defined as a sender that a recipient has had at least a minimum amount of interaction with, has in his or her contacts list, or which corresponds to an entry in a whitelist of commonly known brands. A person skilled in the art will recognize that there are additional methods of defining trusted, and that this is just an example definition for the sake of concreteness. Yet another form of deceptive email is an email that comes from a sender using a look-alike domain, such as “<user>@AcmeBank.high-security1234.com,” where <user> corresponds to a user name such as Alice Boss, high-security1234.com is an unknown domain registered by the attacker, and AcmeBank is a well-recognized brand used as a subdomain. A person skilled in the art will recognize that there are many other examples of look-alike domains, and will know that they can commonly be detected by using a distance metric and a whitelist, where the system determines whether a domain, subdomain, or combination thereof have a distance from a whitelisted domain that is below a threshold set by the system. Yet another form of deceptive email is an email sent from a corrupted account. This can be a trusted corrupted account, following the above definition of trusted, in which case it can be detected by the system recording what Mail User Agents (MUAs) are associated with a given email sender, followed by the detection of an email that uses another and potentially suspect MUA. A new MUA is not immediately a sign of certain corruption, but a sign that can be used to automatically or manually establish whether an account take-over (also known as a corruption) took place. A corrupted sender is trusted in a situation such as where the attacker sends malicious emails to prior contacts of the account owner of the account he compromises. In contrast, an attacker sends emails to other email users, e.g., by sending malicious emails to a set of users not associated with the corrupted account. Emails from corrupted accounts that are untrusted senders can be detected by use of detecting the presence of blacklisted artifacts, or by detecting emails from non-trusted parties but containing files that are high-risk, such as encrypted zip files or executables. The former use case indicates another important use of flash signatures derived from blacklisted artifacts. Emails can also be identified as likely to be deceptive based on complaints filed by recipients, who may, for example, forward such emails to the security service or provide feedback to their mail reading program, where an example feedback is to place the email in the spam folder. An automated agent with access to the user mailbox can detect that an email was moved by the recipient from the inbox to the spam folder, and thereby identify it as potentially deceptive or high risk, and export the email or portions of it to a server processing high-risk artifacts and generate signatures from these.
A second phase associated with an embodiment of the disclosed method is the selection of artifacts to generate signatures from. The system identifies artifacts associated with malicious emails, such as emails from known bad senders, containing known-bad artifacts, and emails that are deceptive, as described above; it then extracts all artifacts from it. Artifacts might be explicit or implicit. Explicit artifacts are pieces of information that exist in the content of an email or its header. In comparison, implicit information is information that is computed based on a function defined over the explicit functions. For example, location of a sender of an email is an implicit artifact that is generated based on the IP address of the email sender, which is an explicit artifact of a received email. A malicious email may have multiple artifacts (both implicit and explicit artifacts), such as a text snippet; an attachment; location of the sender; a subject line; or a display name. Having extracted one or more artifacts from the malicious email, the system determines whether these have already been recorded, and if so, increases the associated counts associated with senders that are believed to be malicious. Otherwise, the system generates one or more tentative signatures from the one or more artifacts, where a signature depends on one or more artifacts. The system then determines the commonality of the generated artifacts in traffic from trusted senders, and in traffic from untrusted senders that do not appear to be malicious. If these counts are below set thresholds, such as no more than 0.00001% of trusted emails containing the artifact and not more than 0.01% of untrusted but believed to be non-malicious senders having the artifact, then the tentative artifact signature is stored, otherwise it is discarded. If an email contains two artifacts and both of these result in the tentative signatures being discarded, then the system determines whether a signature generated from the combination of the two artifacts would be also discarded. This way, the system generates signatures that are “sufficiently unique” to malicious traffic to cause no more than an acceptable number of false positives. This corresponds to the confidence of the signature. These signatures are stored, along with the statistics used to validate them. Later on, these statistics are updated and used for selection of what signatures to use as active signatures, which ones to retire from being active, which ones to prioritize if the system is short of resources, and so on. In one example, an email contains an attachment that has a name, a size, a type, and a content. A signature may be generated from the name, size, and type, or if that is not sufficiently unique, from all of the features. A signature can also be generated from the attachment features and, in addition, from additional features of the email, such as “sent by a trusted party,” “sent using an API,” “subject line is less than 20 characters long,” and “subject line contains the word ‘invoice’.” The signature is a description of the artifact and its features, and may be expressed as a list of these descriptors, or optionally, as a value that results from ordering the artifacts and features according to a pre-set order, such as alphabetically, and applying a hash function such as MD5 to the ordered list. Alternatively, more than one signature can be generated from one set of artifacts, where one signature could be in “accessible” format, and therefore readable by a program or a person, and another signature can use a compression function or cryptographic digest function to generate a fixed-length signature. In cases where the “accessible” signature is too long to be practical to read and process each time an email needs to be scored with respect to matching stored artifacts, the digest signature is preferred. On the other hand, in situations where approximate matches with signatures is desired, such as “9 out of 11 features are matched,” the accessible signature is preferred. In one embodiment, the system also stores multiple signatures that are accessible, where each signature is associated with a certain degree of certainty. For example, many attacks may use zip file attachments that contain files whose names include the word “invoice,” but this may not be sufficient to determine that the email should be blocked, but only for a warning to be incorporated in the email; however, if another signature is also matched, describing that the length of the file in the zip file is 10225 bytes long, then the email is blocked. This is because this adds certainty to the system. Thus, the automated analysis of one or more malicious emails may result in multiple signatures per such emails, each one of which is associated with different expected error rates, and also associated with different security actions to be performed when the signature is triggered, whether alone or in combination with other signatures. All generated signatures that pass the thresholds described above are stored in a memory area, out of which there is at least one type, but preferably many types, each type corresponding with a treatment of the signature. Example treatments include active signatures that are matched to a large share of incoming emails, where the exact selection may depend on the general risk exposure at the time of the delivery; the risk associated with at least one of the sender, recipient and message; and system aspects such as the system load. Another treatment is to store the signature in a storage area whose signatures are updated when malicious emails are detected, or periodically, such as once every night when the system load is low. Yet another treatment is to simply store the signature for later review of it and its catch rate. When a collection of features are being observed in an email, they form a pattern. We can call a pattern that is qualified to detect abuse a “signature.” One measure of the quality of a signature is a score that we refer to as the support score; a high support score corresponds to a pattern having identified a malicious email a large number of times. In one embodiment, if two signatures detected the same set of malicious emails, but one of them detected an additional malicious email, then that is better. Thus, the system determines, preferably in batch mode, when such pairs of signatures exist and remove the signature with the smallest support score.
Implicit features are those extracted from implicit information of an email. For example, the number of words and characters in the subject line, and the language of the email can be determined based on the subject line and content of an email. Another example of implicit information is the location of a sender of an email that can be extracted using an IP address of a sender. Also, features indicating if a sender is using a proxy or Tor for sending an email are other examples of implicit features. Auxiliary information also can be used to form implicit features. For example, HR information of an organization can be used to determine if a receiver of an email is a “C” level executive. Another type of implicit information includes applying quantization methods. For example, a feature can be extracted to identify if the email is received during the work hours, or it is being received after hours. Similarly, if the email is received during the weekdays or weekends is determined. Another class of implicit features is related to stylometric aspects of the content of emails, such as length of sentences, usage of punctuation, pronouns, etc.
A typical format of a signature is in the form of a set of name-values. However, for sake of scalability of comparison of incoming emails with signatures, a signature will be normalized as a string of characters that is formed by concatenating name values in ascending or descending order of names.
A third phase in an embodiment is the management of signatures. A score is kept for each signature, where this score preferably is a function of the commonality of the associated artifact(s) in deceptive or otherwise malicious email; the commonality in emails from strangers that is not classified as deceptive or malicious; and the commonality in emails from trusted parties. The function also preferably normalizes these counters by counters indicating the volume of deceptive, malicious, from-stranger, and trusted emails, and uses windowing to discount historical events in favor of recent events. An example scoring function is the value S, where S=0 if the commonality of the artifact(s) in trusted email exceeds a first threshold, such as 0.00001% of all trusted emails, and S=10000*DA/DT+SA/ST otherwise, where DA is the count of deceptive emails in the last week having the artifact, DT is the total volume of deceptive email in the last week, SA is the count in the last week of the artifact in emails from strangers (relative to the recipient), and ST is the total number of emails from strangers in the last week. Here, 10000 is a scaling factor that can be configured by individual recipients or their organizations, and which is used to trade the importance of artifacts in targeted attacks against that of non-targeted attacks. The system then manages a collection of the highest-scoring signatures as active signatures; these will be used to detect potential abuse. The system may also maintain a collection of active signatures relative to a particular organization that is a client of the security system, where this collection may add a weight for attacks of some types, such as BEC attacks or ransomware attacks, and may use a different window size or other windowing technique. Preferably this latter list would not keep any duplicates relative to the “universal” active list. The recipient-specific active list would be used to detect threats for traffic sent to the associated client. A client can also configure the system to identify threats in outgoing traffic; this detection can be governed by yet another list of active signatures, computed according to yet different criteria. Each signature is also associated with at least one action indicator, where different clients can select different actions, and where the actions may depend on whether the traffic is incoming or outgoing, and on the observed volume of the detected artifact. A more common artifact, for example, can receive priority in terms of manual and automated review, making quarantine potentially more attractive than marking the email up with a warning and delivering it, or the use of open quarantine, which a person skilled in the art will recognize is a combination of quarantine and email content modification. In addition to maintaining active lists, the system also maintains lists of potential threats. These correspond to signatures with lower associated scores. The signatures of this type are not matched to incoming emails, but are periodically updated with respect to their associated score. When a new signature is generated, it is placed in this list, unless its signature score is sufficiently high for it to be placed in an active list. If a signature score falls below another threshold, the signature is removed from this list and only stored in a historical list; alternatively, the system may keep signatures with scores below this threshold for some amount of time, such as one week, and then remove the signatures unless their associated scores have increased above the threshold again. In one embodiment, signatures are primarily generated to address targeted threats, such as spear phishing and Business Email Compromise attacks, whereas in another embodiment, signatures are primarily generated to address malicious scattershot attacks such as malware attacks, including ransomware attacks; in yet another embodiment, both of these types of threats are addressed. In this latter case, the signatures associated with targeted attacks may be kept separately from the signatures of the non-targeted (or scattershot) attacks, or separate quotas for the two are maintained; alternatively, the two types may be weighted in different ways when the score is computed. For example, a targeted attack may have an associated multiplier weight of 10 associated with the generation of its signature, relative to the scattershot attack. This is to account for the likely lower volumes of targeted attacks, and the commonly higher risk associated with them. In another embodiment, the score associated with a signature takes as input a value that corresponds to the risk associated with the attack, where the risk value corresponds to a combination of the likelihood of victimization and the expected losses for each victimization. For example, for a BEC attack, the system may have a likelihood weight of 22 and a loss weight of 10, whereas for a scattershot ransomware attack, the likelihood weight may be 3 and the loss weight 7.25. In an example embodiment where the risk score is computed as the product of the likelihood weight and the loss weight, these two attacks would have risk scores of 220 (=22*10) and 21.75 (3*7.25). These risk values may be used to impact the scores associated with signatures for two associated threats; if used as additive values, the score for the BEC attack would be increased by 220 whereas the score of the ransomware attack would be increased by 21.75. Such risk-based modifications can preferably be performed conditional on a certain recent activity, e.g., only if the signature has been matched at least twice in a day; risk-based score modifications can also be performed using any other arithmetic and logical operations, just like the score function may be using any such operations. Additional scores are also preferably managed, such as the benefit score described above. The use of scores associated with signatures enables the selection, propagation, updating, prioritization, modification, and retiring of signatures, as will be clear to a person skilled in the art. The scores represent false positive rates, false negative rates, cost of evaluation, and the extent to which the associated signatures contribute to the detection of malicious content in the presence of other signatures—the latter is a form of coverage score indicating the extent to which only the associated signature identifies a threat. Thus, low coverage means that other signatures detect the same types of threat. Scores can be Booleans, integers, real values, and multidimensional representations comprising such values; scores can be absolute, like a false positive score, but can also be relative to other signatures, such as coverage scores. A person skilled in the art will appreciate that the scores associated with a signature represent a modifiable and flexible description associated with the management of the signature. Similar records of scores are also useful to associate with other detection methods for the same purposes, as will be appreciated by a person skilled in the art.
Signatures and other detectors are preferably associated with a hierarchy. For example, one detector determines whether an email comes from a party with a relationship to a recipient, e.g., is from a party who has exchanged at least a threshold number of emails, such as six, with the recipient over a time exceeding a threshold time value such as two weeks. If this detector triggers, then a first collection of associated rules and signatures are evaluated, whereas if it does not trigger, another second collection of associated rules and signatures are evaluated. The first collection, evaluated only when the email comes from a party with a relationship with the recipient, may contain a rule or signature aimed at determining if the email contains a malicious attachment. If so, it is concluded that the trusted sender has been corrupted, and this party is notified of the breach. The message is also redacted to make the unsafe components safe, e.g., removing macros from an excel spreadsheet, or wrapping the spreadsheet in a file, as described above, where this file causes the macros to be suppressed, or which evaluates their functionality in a sandbox. The first collection may also contain rules and signatures identifying spoofed messages. The second collection, evaluated only when the email comes from a party without a relationship with the recipient, may also contain a rule or signature aimed at determining if the email contains a malicious attachment, but if so, then the email is simply not delivered. The second collection may also contain rules and signatures aimed at detecting the use of display names indicative of a trusted party. A person skilled in the art will appreciate that additional levels of a hierarchy are beneficial, and can be used for further contextualization of what rules and signatures are evaluated provided a particular context. The context comprises the received email, its sender, the history between the sender and recipient, as well as indicators not related to the message, such as local and global threat levels; one such threat level indicator can be used to prioritize the detection of one or more types of threats, and is useful to suppress wide-spread campaigns of related attacks.
Some of the signatures are global and some are local. Global signatures apply to multiple parties to be defended, whereas local signatures are specific to one group of users, such as those belonging to one organization or part thereof.
A fourth phase of an embodiment is the detection of malicious emails using system-generated signatures. As emails are processed by the system, the system determines the potential presence of artifacts in these emails. This can be done for all emails, or it can be performed selectively or even probabilistically. For example, the system may scan for a particular type of artifact, or for a particular signature, only if the recipient matches a list of high-priority recipients, or the sender or the message triggers a deep scan in which signatures are matched. Such a trigger may be dependent on the sender and the message, e.g., the message being received from an anomalous location, at an anomalous time (both with respect to other messages from the sender). It may also be dependent on the recipient, e.g., a recipient that has recently been in the news and may therefore be more targeted, or a recipient whose associated end user has been found to perform dangerous actions, such as clicking on attachments from strangers. Some signatures may be attempted to match only for some messages, which may be selected using a pseudo-random method (such as selecting a pseudo-random number between 1-100 and determine if it is less than a threshold set to 37), or if some criteria not known to be typical senders are satisfied (e.g., the sending date and time converted to seconds after a baseline time is an odd number). If such a probabilistic scan results in detection, the system may automatically modify the matching for this signature, all signatures belonging to a similar category (such as ‘associated with malware distribution’), or all signatures. This is similar to how some organizations, when under attack, scrutinize each incoming entity, but otherwise only scrutinize entities assessed to be high-risk, or selected at random. Another matching approach is to use the score associated with a signature to determine the likelihood of a probabilistic verification. However, if the system attempts to match one signature with a high score, and this involves scanning for keywords in the subject line and scanning for the existence of an attachment that is a zip file, then other signatures also depending on scanning subject lines and the type of the attachments are preferably also verified, since the incremental cost of doing so is marginal. Therefore, signatures are preferably organized within their relative lists in a manner that reflects the type of artifacts they depend on, allowing simple “discounted” verification of signatures by a system that is resource constrained and cannot verify all signatures. Another alternative is to perform some verifications in real-time, and others in batch mode. For examples, messages sent to a user that is not believed, based on his or her account activity, to be currently active could be delivered or quarantined at the time of arrival of the message, and scanned before the user is believed to again become active. This allows delayed scanning and delivery of messages during inactive hours, such as during the night; if a user suddenly appears to be active during a time it was assessed he would not be active, all messages for this user, whether quarantined or delivered without a careful scan with respect to signatures, can be processed. In one embodiment, the scanning of messages with respect to signatures can be outsourced by the security service to agents located closer to the recipient, such as mail servers and gateways. In another embodiment, the scanning of messages is run as a cloud-based service, and in another using an appliance-based security service inserted in the delivery path to the recipient. In one embodiment, only cached signatures are scanned for, where some portion of the active signatures is cached by servers performing the matching. Different servers may receive different sets of cached signatures, where some signatures are given to all or many servers and other signatures are only given to some. The allocation of signatures to servers can be probabilistic or based on historical detections, as well as on configurations made in response to requests by clients; or a combination of these approaches.
Signatures can be automatically classified based on their value and error, where the value corresponds to a combination of the assessed likelihood that the signature will block a threat and the risk associated with the threat; and the error corresponds to the assessed or measured risk that the signature will result in a false positive, i.e., the incorrect classification of a message as being malicious. The latter can also be weighted by the harm associated with such a misclassification, where this is a value that reflects the assessed loss of benefit associated with performing the filtering action associated with the signature when this should not have been done. It is evident that the loss is greater for the blocking of messages than the open quarantining of messages, for example, making the loss a recipient-specific value given that different recipients may have different actions configured for one and the same signature. (Alternatively, signatures can be generated and maintained on a per-recipient basis, with potential overlap between organizations. From a system storage and computation perspective, this may be done virtually only, and the real representations and processes stored in a manner that allows greater resource reuse.)
In one example use case, an attacker sends ten emails that are malicious. Four of these are detected as malicious by a security service that detects identity deception, and another two are detected based on a security service that identifies servers and IP addresses that are associated with malicious behavior. However, the remaining four emails are not detected. Based on having identified six emails to be malicious, along with other malicious messages that are also detected, the disclosed technology extracts features from the known-malicious emails and clusters these. The clustering results in the six above-mentioned emails being found to be similar, based on having the same features. These features include subject lines, header contents, email, text, email formatting such as cascading style sheets, and attachments and descriptions of these attachments. Example attachment descriptions include the name of the software that produced the file, the name of the file, the length of the file, the date the file was produced, the size of the file, the type of the file, keywords in the file, and more. This collection of features comprise an agile signature. The system determines whether this signature triggers traffic that is not known to be malicious. In this example, it only triggers the four emails that were part of the burst sent out by the attacker, and not other emails. It does not trigger emails that have been observed from trusted senders. This makes it a good signature, as it is likely to have low false positives. One or more such signatures are generated from each cluster of malicious messages. These signatures are stored for a limited period of time, and scored. A signature's “hit score” increases every time it matches an email. A signature also has a “confirmation score” that increases every time the signature matches an email that was already known to be malicious, based on other metrics and detectors, such as identity deception detectors. In addition, the system stores when such matches took place. A signature with a high confirmation score is trustworthy. A signature with a low hit rate is not useful. A signature that is trustworthy and useful is good. If a signature has a low confirmation score, this could be due to catching non-malicious emails, i.e., causing false positives, or due to there being a large number of malicious emails that is not detected using the techniques that were first used to identify the cluster and generate the signature. The former is undesirable, whereas the latter is a sign of success for the signature method. While it is better not to rely on signatures in the long run, as they are not believed to be as robust against adversarial changes, it is desirable for the signatures to pick up where other measures fail. To resolve whether a low confirmation score corresponds to a high false positive rate or a high catch rate of the signatures relative to the catch rate of other techniques, messages that cause the hit score but not the confirmation score to increase are further scrutinized, whether all of them, or a sample of them. This additional scrutiny can be implemented in a multiplicity of ways, including but not limited to manual review by an expert, additional computational analysis, such as sandboxing and detonation, one or more rounds of automated interaction with a party associated with the sender, such as the apparent sender, a party associated with the reply-to address, a trusted party with the same display name as the display name of the sender, and more.
By performing additional analysis, it is determined whether the triggering messages were malicious (indicative of a high relative catch rate of the signature, which is desirable) or benevolent (indicative of a high false positive rate, which is not desirable). If a signature is found to have a high relative catch rate, this can trigger a notification to an admin to attempt to find other non-signature methods to detect the malicious cluster of emails, and if a signature is found to have a high false positive rate, then it may be retired or augmented. An augmented signature is one with additional requirements imposed for it to trigger, such as additional features required to be detected. If a signature is retired or augmented, then messages that triggered the old signature, prior to this action, can be re-evaluated and, conditional on another triggering outcome, a retroactive action can be taken.
Good signatures that keep getting triggered are saved, whereas signatures that are not good are deleted or retired, and signatures that do not keep getting triggered are retired based on resource constraints, such as constraints on how many signatures can be kept active at any time, where an active signature is matched against at least some email to determine whether it triggers. When a good signature is triggered on an email, a security action is taken in this email. This action may be associated with the signature that was triggered; for example, a signature that is associated with a malicious campaign involving certain abuse causes the email to be blocked, whereas a signature associated with a likely malicious campaign involving likely abuse causes the triggered email to be augmented with a warning. When a signature is created, the system preferably retroactively detects whether messages triggering this signature have been delivered to users, and are in their inboxes; if so, the system may take a retroactive filtering action.
Another inventive aspect of the disclosed technology is a wrapping technology that is used in the context of encrypted zip files. These constitute a risk to systems as risks associated with these are poorly detected, and commonly both attackers and benevolent users send encrypted zip files. As the files are opened and decrypted by the user, the mail security software is no longer in control. To address this, encrypted zip files are detected when they are sent as attachments to emails and other messaging systems, such as Skype, and then replaced with what we refer to as “wrapped” versions. A wrapped version of an encrypted zip file is a file that, when opened, causes execution, whether of the file wrapper itself or of an associated application that the message recipient needs to download, and as the file wrapper is executed, it performs three tasks: (1) it requests a PIN or password from the user, and receives this; (2) it uses the PIN or password to decrypt the wrapped zip file. This is done by executing the unzip program associated with the zip file, or a compatible version to this, providing the unzip program with the PIN or password provided by the user; and (3) automatically accessing the contents of the unzipped file, determining for its contents whether any of these files is risky. This can be done in a multiplicity of well-known ways, including detonating each file; determining whether any of the files match an AV signature; determining whether any of the files has executable code segments in it, and more. As a person skilled in the art will appreciate, the same approach also works for messages with attachments that are encrypted pdfs, or any other encrypted file type; in such cases, the execution of the wrapper file causes the decryption of the encrypted file, which is then scanned for risky elements, including executable code. If a file, independently of type, passes the verification, then the decrypted file is made available to the recipient, whether this corresponds to the decrypted zip file or its contents, a decrypted pdf, or other file. After the verification passes, the wrapped file would preferably be opened for the user to see. Thus, the user experience associated with the opening of wrapped files would be the same as that of unwrapped files, except for a delay that in most cases would be too short to detect, and but for the effects of opening a malicious file, which of course is the goal of the novel approach to address. If an encrypted file is found to be malicious after having been decrypted, then a signature is preferably created for the encrypted file and the emails it was associated with. Such a signature may, for example, be a file type, such as “encrypted zip file,” the size may be 18007 bytes, and the creation date may be “Jan. 6, 2017.” Based on this signature, other malicious messages containing this payload with a very big likelihood can be detected. This is preferably done not only for emails to be received by the system after the signature is created, but also retroactively, by accessing the inboxes of users, or by accessing a database proactively built as the messages arrived, describing the features of emails that are high-risk according to some measure, such as having an encrypted zip attachment and being from a non-trusted party. Such records would indicate what users received these attachments, and identify the emails. As soon as the system has identified candidate messages to be compared with the new signature, a match is made, and if the new signature triggers, then a retroactively applied filtering action is taken.
In one example, an attacker has corrupted a collection of email accounts, and is using that to send malicious emails. In FIG. 16, one such example email is shown. The headers of the example email is also shown in FIG. 17. In some embodiments, a system detects this as coming from a non-trusted sender, which is a measure relative to the recipient. The system then scrutinizes the email in more detail. Based on the signature field of the email and other content of the email, the email is determined to appear to be associated with BBB, which is a US institution. However, scrutiny of the headers reveals that it was not sent by a server associated with BBB, and it was in fact sent from a time zone that is not associated with US mail servers but which may be associated with UK mail servers or West African mail servers. Based on this, a determination is made that this is a malicious email. Additional scrutiny involving databases of known corrupted accounts, such as accounts known to be breached in large-scale breaches, indicates that this email came from such an account. The system generates a collection of signatures for this threat. A first example signature determines that the email is sent from a known-corrupted account to a party that does not consider the sender trusted, and containing the text “Better Business Bureau.” A second signature generated is an email coming from a time zone outside the US, from a party that is not trusted to the recipient, where the email has a URL that is associated with a URL shortening domain, and containing the phrases “within 48 hours” and the phrase “download.” Additional signatures are also generated, as will be understood by a person skilled in the art.
In one example embodiment, an email is classified as likely unwanted if it comes from a stranger (a party the recipient has never received an email from), and the email address of the sender is on a blacklist such as “haveIbeenpwned’ or another list of compromised email accounts, and the email contains at least one of a URL and an attachment. For such emails, it is determined whether any signature in use would have blocked it. If yes, then the score associated with any such signature is increased; if no, then a signature is generated. In one example, the signature may create a signature that says: if the email comes from a stranger, contains a URL or an attachment, and contains a word or a phrase contained in the originally detected email triggering this signature generation, but which is not commonly occurring in other emails. This way, if an attacker sends the same email from another corrupted account, but where this account has not been reported to the system as corrupted, then the signature will still catch the email, whereas the generic rule would not.
In another example embodiment, the use of agile signatures is used to reduce computational load. It is well understood that sandboxing and related technologies are creating a computational burden for receiving systems that is often not manageable. In response to that problem, the disclosed technologies dramatically reduce the computational burden of the systems.
The approach is explained using the illustrative example below:
-
- 1. The system determines if a sender is spoofed. Example approaches involve using DMARC, using IP-based reputation, and by determining whether a sender-based model is matched. If the email is determined to not be spoofed, or that the risk of being spoofed is below a threshold set by the system, then the system determines whether the sender is a “high control” sender. High control senders do not offer free accounts to users, and maintain a very high standard of security. The system curates a list of high control senders over time by identifying domains and companies that adhere to high security standards, e.g., has a DMARC p=reject policy, and which do not transmit UGC (User Generated Content). As will be understood by a person skilled in the art, additional methods can be used to make a list of high control domains. This list is consulted to determine whether a sender is on it. Emails from high control senders are not scrutinized for malware attachments unless a malware-related signature is matched. Such signatures may identify a set of criteria associated with a malware attack that has been discovered to infiltrate organizations that are considered high control, or whose associated score is close to that required by the system for the system to identify it as high control. Examples of high control senders are well-recognized financial institutions. If the sender is high control and there are no triggering signatures associated with high-control domains, then any attachments and URLs are not scrutinized for malware.
- 2. Otherwise, the system determines whether the sender is trusted with respect to the recipient. The trusted predicate can be determined by measuring the amount of traffic in both directions that is sent between the sender and the receiver, and determine whether this exceeds a threshold, such as at least four emails in both directions. If the sender is trusted, then it is determined by the system whether there is an ATO (or corruption) sign associated with the email. This corresponds to a higher than acceptable risk of the account being under the control of an attacker. One example method of doing this, as disclosed in a co-pending application, is to automatically examine the headers of the email and determine whether the Mail User Agent (MUA) is significantly different from historically observed MUAs for the same sender. Another method is to evaluate signatures associated with corruption, as disclosed in this application. If the sender is trusted and there is not a high risk of corruption, then attachments and URLs are not scrutinized for malware.
- 3. Otherwise, if the sender is a stranger to the recipient, which means that the email comes from a party the sender has not previously communicated with, then it is determined whether the email has an attachment that is high-risk in that it is associated with executables. For example, word documents with macros can be dangerous, and therefore, these are high-risk; similarly, encrypted zip files are associated with higher than normal risk. If the email has such an attachment and it is not from a domain with a reputation exceeding a high threshold, then the email is stripped of its attachment and not screened. Similarly, if the email contains a URL that is not associated with a very trustworthy domain that is not used to distribute malware, then the URL is preferably stripped or proxied, where proxied URLs are evaluated by the system as the user clicks. Thus, in these circ*mstances, the email attachments and URLs are also not scrutinized for malware, except where a recipient policy requires proxying of semi-suspect URLs.
- 4. Otherwise, the attachment or URL should be scrutinized, but preferably not in real-time. Therefore, attachments are preferably wrapped, as described previously, and URLs are proxied. This results in a delayed computational burden, and only if the recipient of the email clicks on the attachment or URL, and not if he or she ignores them.
This way, the computational burden is significantly reduced using the disclosed technology, which enables systems to selectively scrutinize emails to a much greater level, without the malware detection effort causing the systems to thrash or otherwise fail to operate in an efficient manner. Thus, the disclosed security measures improve the efficiency, which in turn allows for a more careful security scrutiny of potential threats, which thereby increases the security of the users of the system.
FIG. 18 is a flowchart illustrating an embodiment of a process for generating a signature. At 1801, a malicious email is detected based on an existing detector. In 1802, it is determined whether the email is also detected by a signature in use. If it is, then in 1803, the associated signature scores are updated, and in 1804, a filtering action is performed. If it isn't detected, then in 1805, at least one signature is generated, and tested in 1806 with respect to at least a corpora, one for benevolent messages and one for malicious messages. It is determined what the false positive rate is by determining how many benevolent messages are detected by the generated signature, and it is determined what the recall rate the signature corresponds to by determining how many malicious messages are detected by it. In 1807, the determined false positive rate is compared to a threshold, and if the false positive rate exceeds the threshold, then the process continues to 1808, where the signature is discarded. Otherwise, the computation proceeds to step 1811 where the recall rate is compared with a second threshold, and if this is below the second threshold, then the process continues to 1808, otherwise to 1812 where a signature is generated and its scores set according to the computed false positives and the recall rates, or using another scoring system as described previously. In 1809, it is determined whether to time out based on the number of attempts to create a signature. For example, if ten signatures have failed to be created for the email, then the system may conclude that it should time out and proceed to 1810 where the generation process is ended; otherwise, the process continues by going to 1805 and generating another signature. Other criteria for timing out can also be used, and these may depend on the estimated danger of the threat posed by the email, where a high threat corresponds to many attempts to create a signature. Moreover, the thresholds associated with steps 1807 and 1811 may also preferably depend on the assessed threat, where a high threat corresponds to a greater willingness to accept false positives and low recall rates.
FIG. 19 is a diagram illustrating an embodiment of components of a system. Unit 1901 is a processing unit, in communication with a mail gateway or mail server 1902. Unit 1901 is also connected to a database 1903 containing signatures, at least some of which are represented in storage 1904 accessible from mail gateway or mail server 1902. Unit 1905 is used to determine when an email is deceptive, based, for example, on being spoofed, using display name deception, or using a look-alike domain. Unit 1906 determines whether an email is likely to be from a corrupted sender based on a database of corrupted accounts 1907 and logic unit 1908 used to determine whether the email is corrupted, using headers and historical headers of the sender stored in unit 1909. Unit 1910 evaluates a generated signature using a corpus of benevolent messages 1911 and a corpus of malicious messages 1912. Unit 1913 generates prospective signatures from an email, using logic identifying what makes the email different from other emails, using a database stored in 1914. Database 1914 is used to create signatures to be tested by unit 1910. If a signature passes the tests, it will be stored in database 1903. Based at least in part of the scores associated with a signature stored in database 1903, and a probabilistic selection performed by selection unit 1915, a collection of signatures will be selected and sent to database 1904, along with a list of what signatures to remove from database 1904. Mail gateway or mail server 1902 periodically updates unit 1901 with new scores based on what signatures are triggered by emails, and unit 1901 updates a centralized score kept in database 1903, and uses changes in scores to select new signatures to update, retire, and propagate. As a person skilled in the art will understand, unit 1901 is connected to a multiplicity of mail gateways and mail servers such as unit 1902, and interacts periodically with each one of these to receive statistics or update signature selections.
FIG. 20 is a block diagram illustrating an example of a message that includes a potentially executable or otherwise risky attachment. Email 2001 includes a potentially executable or otherwise risky attachment 2002. As this is processed by the system, such as in a mail gateway or mail server, or in a cloud server or appliance in connection with the gateway or mail server, the system replaces the attachment with a wrapped attachment. Thus, email 2001 with attachment 2002 is replaced with email 2003 with attachment 2004, where attachment 2004 wraps the risky element 2005, which corresponds to attachment 2002. Instead of delivering email 2001 with attachment 2002, the system delivers email 2003 with attachment 2004 containing risky element 2005. Alternatively, the system may inspect the inbox of a subscriber and replace the email 2001 with associated attachments with email 2003 with associated attachments. As a third option, the system may receive a copy of the potentially risky email 2001 containing attachment 2002 from the gateway or mail server, then issue a request to have email 2001 with attachment 2002 replaced by email 2003 with attachment 2004 containing risky element 2005. Here, the text part of email 2003 is preferably the same as email 2001, or contains an additional notification that the potentially risky attachment is considered safe to open.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.