Abstract: Systems and methods, disclosed herein, of a campaign controller that stores information to a database about execution of multiple simulated phishing campaigns for multiple users, where each of the simulated phishing campaigns use one or more models for communicating simulated phishing communications. Based on this information, the campaign controller may determine a rate of success of the model, in causing a user to interact with a link in one of the simulated phishing campaigns, and may display the model's rate of success via a user interface.

Abstract: Systems and methods are described for determination of indicators of malicious elements within messages. A report of a malicious message is received from a user of an organization, the malicious message having traversed an endpoint security system of the organization. After receiving the report of the malicious message, one or more indicators of one or more malicious elements of the malicious message are identified. Further, an identification of the endpoint security system and a dangerousness score of the malicious message are determined. The one or more indicators, the identification of the endpoint security system, and the dangerousness score are stored into a threat database that is able to be queried to generate an endpoint-specific threat data set.

Abstract: The present disclosure describes systems and methods for efficient reporting of data which includes personally identifiable information (PII) and which is collected and processed by a security awareness system. The data may be stored in a data storage system. The data may include a time stamp and queries of an historical nature may be supported. In the event that PII is removed from the data storage system, then the removal may propagate through all aspects of the data storage system, including the historical data.

Abstract: Systems and methods are described for generating a risk score of a user based at least on groups of events related to security. In an example, a method is described that includes receiving data associated with a plurality of events, identifying a plurality of buckets, assigning each event to a bucket based at least on a type associated with the event, and computing a risk score for a user based at least on a function of the weight assigned to each bucket and a quantity of events in each bucket. In some examples, systems and methods also include providing a graphical user interface to display the risk score.

Abstract: Systems and methods for prioritization of reported messages and rewarding reporting users are disclosed. The systems and methods leverage knowledge and security awareness of the most informed users in an organization to protect an organization from serious harm from new malicious messages, give credit to the most informed users, and optimize threat triage and analysis. The system converts a reported malicious message to a defanged message. The system communicates the defanged message to a plurality of users. The system determines an impact score for the user based on interactions with the defanged message by the plurality of users, and with the impact score gives credit to the reporter and optimizes threat triage and analysis.

Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.

Abstract: The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign The campaign controller responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiating, responsive to the determination, the subsequent action of the simulated phishing campaign.

Abstract: Systems and methods are described for mitigating false positives in a simulated phishing campaign. A simulated phishing message reported to second security awareness system by a user as suspicious is received by first security awareness system. The reported message includes a link that has been followed. Link data of followed link of the reported message is held in click cache having predetermined delay. Post the predetermined delay, whether the link was followed by second security awareness system instead of being clicked by user responsive to identifying that link data in click cache corresponds to link data in link cache or internet protocol (IP) address of an entity that follows a link corresponds to IP address stored in IP cache known to be associated with second security awareness system. Responsive to determination, second security awareness system's following of link of the reported message is excluded as interaction of the user.

Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: Systems and methods are described for recommendation of one or more security awareness workflows are described. One or more security awareness workflows may be deployed to deliver one or more remedial responses to one or more users in response to detection of one or more actions of the one or more users. An effectiveness of the one or more security awareness workflows are assessed and based at least on the assessment, one or more effectiveness metrics for the one or more security awareness workflows are determined. The one or more effectiveness metrics may represent the effectiveness of the one or more security awareness workflows. Based at least on the one or more effectiveness metrics, a recommendation of one or more security awareness workflow configurations may be identified.

Abstract: Systems and methods are described herein for global blocklist curation based on crowdsourced indicators of compromise (IoC). One or more servers store the messages reported as suspicious into a message collection system. The server(s) classify he messages as one of clean, spam or threat. The server(s)) tag the messages responsive to the classification and determine a plurality of IoC from the messages classified and tagged as a threat. The server(s) determine one or more metrics for each of the plurality of IoC and selected, based at least on the one or more metrics, one or more of the plurality of IoC as blocklist entry (BLE) candidates.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: Described herein are systems and methods for correcting one or more user aliases. One or more alias identifiers are identified by type based at least on one or more user aliases stored in an alias store, the one or more user aliases mapping the one or more alias identifiers to one or more users. Each of the one or more alias identifiers are assigned to one or more rules of a same type as the one or more alias identifiers. The one or more rules are executed against one or more user records in a user metadata store to establish a results table identifying one or more aliases by type found in the user metadata store. An alias correction table is established that identifies one or more aliases of the results table that do not match one or more user aliases and to one of flag, remove, or correct.

Abstract: Embodiments disclosed describe a security awareness system may adaptively learn the best design of a simulated phishing campaign to get a user to perform the requested actions, such as clicking a hyperlink or opening a file. In some implementations, the system may adapt an ongoing campaign based on user's responses to messages in the campaign, along with the system's learned awareness. The learning process implemented by the security awareness system can be trained by observing the behavior of other users in the same company, other users in the same industry, other users that share similar attributes, all other users of the system, or users that have user attributes that match criteria set by the system, or that match attributes of a subset of other users in the system.

Abstract: Systems and methods are described for security event association rule refresh. One or more rules are executed against one or more user records in a user metadata store. The one or more rules may be configured to match a security event of one or more security events with a user of one or more users using user metadata. A count is determined of a number of times a rule of the one or more rules identifies a plurality of different users. It is further determined that one of the count exceeds a first threshold or a number of the plurality of different users exceeds a second threshold. Responsive to the determination, the rule via a user interface may display a prompt to take an action to one or more of review, remove or modify the rule by a system administrator.

Abstract: Described herein are systems and methods to provide for blocklist recommendations based on reported threats. In an example embodiment, a method is described for receiving a selection of one or more messages from a plurality of messages identified as threats and identifying, based at least on the one or more messages, one or more candidate blocklist entries (BLEs). The method further includes determining, based at least on the one or more candidate BLEs, a recommendation of one or more BLEs to add to a blocklist. The method includes adding, by the one or more servers, the one or more BLEs to the blocklist, where the blocklist is used by an email system to block messages that match at least the one or more BLEs on the blocklist.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: Systems and methods are described for modifying one or more advertisements of a webpage or a social media feed to create a simulated cybersecurity attack. Initially, content responsive to a request by a user via a user device to access a webpage or social media feed with one or more advertisements is received. One or more advertisements are detected within the content. An advertisement of the one or more advertisements is modified or replaced with simulated cybersecurity attack advertisements. The webpage or social media feed with the modified advertisement is displayed to the user device. User interactions with the simulated cybersecurity attack content are tracked and training is provided based on user interactions.

Abstract: The present disclosure describes systems and methods for efficient reporting of data which includes personally identifiable information (PII) and which is collected and processed by a security awareness system. The data may be stored in a data storage system. The data may include a time stamp and queries of an historical nature may be supported.

Abstract: Systems and methods are described for using secured groups for simulated phishing campaigns to obfuscate data for levels of privacy based on protected criteria classes. Initially, a group to resolve members of the group based on multiple users matching one or more group criteria is established. It is then determined that at least one criteria of the one or more criteria has been configured as one of multiple protected criteria classes. Responsive to the determination, the group is identified as a secured group. A query of the group is then executed to identify one or more users of the multiple users as members of the group based on the users matching the criteria of the secured group at the time of execution of the group and information of the one or more users resulting from the execution of the secured group is obfuscated in accordance with the protected criteria class.