Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.

Abstract: The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign The campaign controller responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiating, responsive to the determination, the subsequent action of the simulated phishing campaign.

Abstract: Systems and methods are described for mitigating false positives in a simulated phishing campaign. A simulated phishing message reported to second security awareness system by a user as suspicious is received by first security awareness system. The reported message includes a link that has been followed. Link data of followed link of the reported message is held in click cache having predetermined delay. Post the predetermined delay, whether the link was followed by second security awareness system instead of being clicked by user responsive to identifying that link data in click cache corresponds to link data in link cache or internet protocol (IP) address of an entity that follows a link corresponds to IP address stored in IP cache known to be associated with second security awareness system. Responsive to determination, second security awareness system's following of link of the reported message is excluded as interaction of the user.

Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: Systems and methods are described herein for global blocklist curation based on crowdsourced indicators of compromise (IoC). One or more servers store the messages reported as suspicious into a message collection system. The server(s) classify he messages as one of clean, spam or threat. The server(s)) tag the messages responsive to the classification and determine a plurality of IoC from the messages classified and tagged as a threat. The server(s) determine one or more metrics for each of the plurality of IoC and selected, based at least on the one or more metrics, one or more of the plurality of IoC as blocklist entry (BLE) candidates.

Abstract: Systems and methods are described for recommendation of one or more security awareness workflows are described. One or more security awareness workflows may be deployed to deliver one or more remedial responses to one or more users in response to detection of one or more actions of the one or more users. An effectiveness of the one or more security awareness workflows are assessed and based at least on the assessment, one or more effectiveness metrics for the one or more security awareness workflows are determined. The one or more effectiveness metrics may represent the effectiveness of the one or more security awareness workflows. Based at least on the one or more effectiveness metrics, a recommendation of one or more security awareness workflow configurations may be identified.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: Described herein are systems and methods for correcting one or more user aliases. One or more alias identifiers are identified by type based at least on one or more user aliases stored in an alias store, the one or more user aliases mapping the one or more alias identifiers to one or more users. Each of the one or more alias identifiers are assigned to one or more rules of a same type as the one or more alias identifiers. The one or more rules are executed against one or more user records in a user metadata store to establish a results table identifying one or more aliases by type found in the user metadata store. An alias correction table is established that identifies one or more aliases of the results table that do not match one or more user aliases and to one of flag, remove, or correct.

Abstract: Embodiments disclosed describe a security awareness system may adaptively learn the best design of a simulated phishing campaign to get a user to perform the requested actions, such as clicking a hyperlink or opening a file. In some implementations, the system may adapt an ongoing campaign based on user's responses to messages in the campaign, along with the system's learned awareness. The learning process implemented by the security awareness system can be trained by observing the behavior of other users in the same company, other users in the same industry, other users that share similar attributes, all other users of the system, or users that have user attributes that match criteria set by the system, or that match attributes of a subset of other users in the system.

Abstract: Systems and methods are described for security event association rule refresh. One or more rules are executed against one or more user records in a user metadata store. The one or more rules may be configured to match a security event of one or more security events with a user of one or more users using user metadata. A count is determined of a number of times a rule of the one or more rules identifies a plurality of different users. It is further determined that one of the count exceeds a first threshold or a number of the plurality of different users exceeds a second threshold. Responsive to the determination, the rule via a user interface may display a prompt to take an action to one or more of review, remove or modify the rule by a system administrator.

Abstract: Described herein are systems and methods to provide for blocklist recommendations based on reported threats. In an example embodiment, a method is described for receiving a selection of one or more messages from a plurality of messages identified as threats and identifying, based at least on the one or more messages, one or more candidate blocklist entries (BLEs). The method further includes determining, based at least on the one or more candidate BLEs, a recommendation of one or more BLEs to add to a blocklist. The method includes adding, by the one or more servers, the one or more BLEs to the blocklist, where the blocklist is used by an email system to block messages that match at least the one or more BLEs on the blocklist.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: Systems and methods are described for modifying one or more advertisements of a webpage or a social media feed to create a simulated cybersecurity attack. Initially, content responsive to a request by a user via a user device to access a webpage or social media feed with one or more advertisements is received. One or more advertisements are detected within the content. An advertisement of the one or more advertisements is modified or replaced with simulated cybersecurity attack advertisements. The webpage or social media feed with the modified advertisement is displayed to the user device. User interactions with the simulated cybersecurity attack content are tracked and training is provided based on user interactions.

Abstract: The present disclosure describes systems and methods for efficient reporting of data which includes personally identifiable information (PII) and which is collected and processed by a security awareness system. The data may be stored in a data storage system. The data may include a time stamp and queries of an historical nature may be supported.

Abstract: Systems and methods are described for using secured groups for simulated phishing campaigns to obfuscate data for levels of privacy based on protected criteria classes. Initially, a group to resolve members of the group based on multiple users matching one or more group criteria is established. It is then determined that at least one criteria of the one or more criteria has been configured as one of multiple protected criteria classes. Responsive to the determination, the group is identified as a secured group. A query of the group is then executed to identify one or more users of the multiple users as members of the group based on the users matching the criteria of the secured group at the time of execution of the group and information of the one or more users resulting from the execution of the secured group is obfuscated in accordance with the protected criteria class.

Abstract: Systems and methods are provided for user feedback on receiving simulated phishing communications. A method is described that includes receiving feedback from one or more users that interacted with one or more simulated phishing communications. The feedback identifies one or more reasons that the one or more users interacted with the one or more simulated phishing communications. The method further includes categorizing the feedback into one or more categories of a plurality of categories and collating the categorized feedback into one or more classifications of a plurality of classifications. The method also includes communicating a second one or more simulated phishing communications to one or more users based at least on one of the categorized feedback or the one or more classifications.

Abstract: Systems and methods are provided for performing simulated phishing attacks using social engineering indicators. One or more failure indicators can be configured in a phishing email template, and each failure indicator can be assigned a description about that failure indicator through use of a markup tag. The phishing email template containing the markup tags corresponding to the failure indicators can be stored and can be used to generate a simulated phishing email in which the one or more markup tags are removed.

Abstract: Systems and methods are described for providing calendar-based simulated phishing attacks to users of an organization. Initially, a context is identified for a calendar-based simulated phishing attack directed towards a user. An electronic calendar invitation for the calendar-based simulated phishing attack is then generated using the context. Thereafter, the electronic calendar invitation may be communicated to an electronic calendar of the user.

Abstract: The present disclosure describes a system that notifies users regarding specific user decisions with respect to solution phishing emails. The system notifies users when users perform specific actions with respect to the untrusted phishing emails. The system pauses execution of these actions and prompts the user to confirm whether to take the actions or to revert back to review the actions. In contrast from anti-ransomware technologies which are entirely in control, the system gives the user autonomy in deciding actions relating to untrusted phishing emails. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

Abstract: Systems and methods are described for creating event-driven orchestrated workflows with automated actions in response to security incidents. In an example, a method is described that includes receiving an indication to create a workflow for automating a response to one or more users engaging in an action associated with a security incident and receiving a selection of the action associated with the security incident from a plurality of selectable actions. The selected action is configured into the workflow and configured to trigger execution of the workflow by a user of the one or more users taking the selected action.