Abstract: A domain processing system receives or collects raw data containing sample domains each having a known class identity indicating whether a domain is conducting an email campaign. The domain processing system extracts features from each of the sample domains and selects features of interest from the features, including at least a feature particular to a seed domain and features particular to email activities over a time line that includes days before and after a domain creation date. The features of interest are used to create feature vectors which, in turn, are used to train a machine learning model, the training including optimizing a neural network structure iteratively until stopping criteria are satisfied. The trained model functions as an email campaign domain classifier operable to classify candidate domains with unknown class identities such that each of the candidate domain is classified as conducting or not conducting an email campaign.

Abstract: Aspects of the disclosure relate to providing secure shortened URLs in character-limited messages. A computing platform may receive one or more character-limited messages sent to a user device. The computing platform may detect a URL within the one or more character-limited messages for replacement and generate a shortened URL corresponding to the detected URL, wherein a domain of the shortened URL is hosted by the message security system. The computing platform may then modify the one or more character-limited messages by replacing the URL with the shortened URL, and then cause transmission of the modified one or more character-limited messages to the user device. Next, the computing platform may receive, from the user device, a request to access the shortened URL, and redirect the user device to the detected URL corresponding to the shortened URL.

Abstract: Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain is an unintended recipient domain instead of an intended recipient domain. The computing platform may identify, in real time and prior to sending the first email message, that the first email message violates one or more data loss prevention rules. Based on identifying the violation, the computing platform may send a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing a user device of the message sender to display the notification.

Abstract: A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.

Abstract: Automatically triaging network events such as data loss prevention (DLP) incidents is disclosed. A system can automatically triage or classify an incident using a prediction model. The prediction model can determine the classification based on similar incidents that were previously classified. Similar incidents are those incidents having profiles that match a profile of the incident. The profile can include one or more attributes that are representative of an incident. The system can arrive at a specific classification for the incident based on a classification of the similar incidents if the similar incidents satisfy one or more conditions.

Abstract: To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Abstract: Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Abstract: Threat detection systems and methods in which feature syntax language (FSL) statements are used to define functions that generate features corresponding to detected text within textual non-attachment, non-URL input data. Generated features are aggregated in a core object, and classification rules are applied to the core object to determine a threat classification and theme associated with the input data. Using FSL statements and classification rules enable the system to rapidly generate thematic threat classifications identifying socially engineered attacks. A user interface enables users to rapidly update the FSL statements that define the functions used to generate the features, as well as the threat classification rules that are applied to the features in the core object to classify the input data. The modified statements and rules can be immediately used by the system.

Abstract: Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain comprises an unintended recipient domain instead of an intended recipient domain. The computing platform may send, based on the identification of the unintended recipient domain and to a user device, a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing the user device to display the notification.

Abstract: Aspects of the disclosure relate to detecting and preventing transmission of spam messages using modified source numbers. A computing platform may detect that a first message, sent to a recipient device from a sender device, includes suspicious content. Subsequently, the computing platform may receive, from the recipient device, user interaction information indicating that a user of the recipient device has sent a reply message in response to the first message. Then, the computing platform may generate a modified message by modifying a first source number corresponding to the reply message. Next, the computing platform may cause transmission of the modified message with the modified first source number to the sender device. Thereafter, the computing platform may intercept one or more additional messages between the sender device and the modified first source number and redirect the one or more additional messages.

Abstract: Aspects of the disclosure relate to identifying domain name lookalikes. A computing platform may generate a plurality of lookalike domain names for an input domain name. The computing platform may generate, by applying a hash algorithm to the plurality of lookalike domain names, a dictionary index. The computing platform may identify a first domain name. The computing platform may identify, by performing a lookup function in the dictionary index using the first domain name, that the first domain name is a lookalike domain name corresponding to the input domain name. The computing platform may send, to a user device, one or more commands directing the user device to display a user interface that includes the lookalike domain name, which may cause the user device to display the user interface.

Abstract: Aspects of the disclosure relate to providing commercial and/or spam messaging detection and enforcement. A computing platform may receive a plurality of text messages from a sender. It may then tokenize the plurality of text messages to yield a plurality of tokens. The computing platform may then match one or more tokens of the plurality of tokens in the plurality of text messages to one or more bulk string tokens. Next, it may detect one or more homoglyphs in the plurality of text messages, and then detect one or more URLs in the plurality of text messages. The computing platform may flag the sender based at least on the one or more matching tokens, the one or more detected homoglyphs, and the one or more detected URLs. Based on flagging the sender, the computing platform may block one or more messages from the sender.

Abstract: Aspects of the disclosure relate to dynamically generating simulated attack messages configured for annotation by users as part of cybersecurity training. A computing platform may generate a simulated attack message including a plurality of elements and send the simulated attack message to an enterprise user device. Subsequently, the computing platform may receive, from the enterprise user device, user selections annotating selected elements of the plurality of elements of the simulated attack message. The computing platform may thereafter identify one or more training areas for the user based on the user selections received from the enterprise user device, generate a customized training module specific to the identified one or more training areas, and send the customized training module to the enterprise user device. Sending the customized training module to the enterprise user device may cause the enterprise user device to display the customized training module.

Abstract: Aspects of the disclosure relate to URL classification. A computing platform may receive, from an enterprise user device, a request to evaluate a URL. The computing platform may execute one or more feature enrichment actions on the URL to identify one or more data points corresponding to the URL, which may include crawling the URL to extract metadata for the URL. The computing platform may input, into a URL classification model, the one or more data points corresponding to the URL, which may cause the URL classification model to output a maliciousness score indicative of a degree to which the URL is malicious. The computing platform may send, to the enterprise user device, a malicious score notification and one or more commands directing the enterprise user device to display the malicious score notification, which may cause the enterprise user device to display the malicious score notification.

Abstract: Aspects of the disclosure relate to message verification. A computing platform may generate a cryptographic key pair comprising a public key and a private key. The computing platform may publish, to a server, the public key. The computing platform may generate a short message service (SMS) message. The computing platform may sign, using the private key, the SMS message, which may include computing a cryptographic hash of the SMS message using the private key and embedding the cryptographic hash in an SMPP field of the SMS message. The computing platform may send, to a downstream computing system, the signed SMS message, where the downstream computing system may be configured to validate the signed SMS message using the cryptographic hash embedded in the SMPP field of the SMS message and by accessing the public key.

Abstract: A system and method monitors access of an external storage device connected to a target device. A notification of a connection of the external storage device to the target device is received, a notification of an external file access on the external storage device is received, and activity of a user on the target device is monitored to detect a user operation accessing a source file stored on the target device. Events are logged based upon the connection, the user operation, and the external file access. Two or more of the events are associated with a copy of the source file to the external connected storage device and the source file history. An alert regarding the association is forwarded to a monitor application in communication with the target device.

Abstract: Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.

Abstract: Aspects of the disclosure relate to providing training and information based on simulated cybersecurity attack difficulty. A computing platform may retrieve data associated with a plurality of attack templates for simulating cybersecurity attacks. Subsequently, the computing platform may use one or more models to compute a predicted failure rate for each template of the plurality of attack templates in order to yield a plurality of predicted failure rates for an organization. Based on the plurality of predicted failure rates, the computing platform may use one or more of the plurality of attack templates to configure a simulated cybersecurity attack on the organization. Then, the computing platform may send, via the communication interface, to an administrator user device associated with the organization, information about the simulated cybersecurity attack and may execute the simulated cybersecurity attack.

Abstract: A computer-based method includes monitoring user activities at an endpoint device on a computer network, determining if one of the user activities at the endpoint device presents a potential threat to network security, creating an alert of the potential threat, and providing, with the alert, a redacted version of a screenshot from the endpoint device. One or more open windows that appeared on the screen of the endpoint device are obscured or removed in the redacted version of the screenshot of the endpoint device.

Abstract: Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.