Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to determine a code fingerprint of a document containing a macro, in which the code fingerprint corresponds to a functionality of the macro. The processor may also determine whether the code fingerprint of the document matches a cluster code fingerprint associated with a cluster of documents. Based on a determination that the code fingerprint matches the cluster code fingerprint associated with the cluster of documents, the processor may determine whether the cluster of documents has been identified as being malicious or benign. In addition, based on a determination that the cluster of documents has been identified as being malicious or benign, the processor may handle the document as being malicious or benign while preventing the document from being sent to a sandbox environment for detonation of the document.

Abstract: According to examples, an apparatus may include a processor may identify features in a plurality of data items, determine similarities and/or patterns in the identified features, and group the plurality of data items into a plurality of clusters of data items based on the determined similarities and/or patterns in the identified features in the plurality of data items. The processor may also evaluate the plurality of clusters to identify a potentially malicious pattern among the data items in the plurality of clusters. In addition, the processor may, based on a potentially malicious pattern being identified in a generated cluster of the generated clusters, execute an action with regard to the data items in the generated cluster.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to determine a code fingerprint of a document containing a macro, in which the code fingerprint corresponds to a functionality of the macro. The processor may also determine whether the code fingerprint of the document matches a cluster code fingerprint associated with a cluster of documents. Based on a determination that the code fingerprint matches the cluster code fingerprint associated with the cluster of documents, the processor may determine whether the cluster of documents has been identified as being malicious or benign. In addition, based on a determination that the cluster of documents has been identified as being malicious or benign, the processor may handle the document as being malicious or benign while preventing the document from being sent to a sandbox environment for detonation of the document.

Abstract: Efficient and effectiveness malware and phishing detection methods select specific objects of a document based on an analysis of associated graphical elements of a document rendering. A received document may include a number of blobs, which can include URLs or code that generates URLs that can present potential risks. The system can score and/or rank each blob and its corresponding URLs based on a size, shape, position, and/or other characteristics of a visual element associated with each blob. The score or rank can be increased for visual elements that are most likely to be selected by a user, such as large visual elements positioned near the center of a document. The system can then test individual URLs selected based a corresponding rank or score. The test can efficiently reveal the presence of malware or phishing tactics by forgoing tests on URLs that are not likely to be selected.

Abstract: According to examples, an apparatus may include a processor may identify features in a plurality of data items, determine similarities and/or patterns in the identified features, and group the plurality of data items into a plurality of clusters of data items based on the determined similarities and/or patterns in the identified features in the plurality of data items. The processor may also evaluate the plurality of clusters to identify a potentially malicious pattern among the data items in the plurality of clusters. In addition, the processor may, based on a potentially malicious pattern being identified in a generated cluster of the generated clusters, execute an action with regard to the data items in the generated cluster.

Abstract: Cybersecurity enhancements help avoid malicious Uniform Resource Locators (URLs). Embodiments may reduce or eliminate reliance on subjective analysis or detonation virtual machines. URL substrings are automatically analyzed for maliciousness using malice patterns. Patterns may test counts, lengths, rarity, encodings, and other inherent aspects of URLs. URLs may be analyzed individually, or in groups to detect shared portions, or both. URL analysis may use or avoid machine learning, and may use or avoid lookups. Malice patterns may be used individually or in combinations to detect malicious URLs. Analysis results may enhance security through blocking use of suspect URLs, flagging them for further analysis, or allowing their validated use, for instance. Analysis results may also be fed back to further train a machine learning model or a statistical model.

Abstract: A target system is verified against one or more security threats. A selection of a threat type for an attack vector for verifying defensive capabilities of a target system is received via a user interface. A selection of one or more selectable parameters for delivery of the threat type to the target system is received via the user interface. In response to selection of the threat type and the selected parameters, a base binary executable and a library comprising functions for generating attack vectors is accessed. One or more functions from the library are added to the base binary executable based on the selected threat type and the selected parameters. A payload is generated that implements the selected threat type and the selected parameters in a delivery format based on the selected parameters.

Abstract: Efficient and effectiveness malware and phishing detection methods select specific objects of a document based on an analysis of associated graphical elements of a document rendering. A received document may include a number of blobs, which can include URLs or code that generates URLs that can present potential risks. The system can score and/or rank each blob and its corresponding URLs based on a size, shape, position, and/or other characteristics of a visual element associated with each blob. The score or rank can be increased for visual elements that are most likely to be selected by a user, such as large visual elements positioned near the center of a document. The system can then test individual URLs selected based a corresponding rank or score. The test can efficiently reveal the presence of malware or phishing tactics by forgoing tests on URLs that are not likely to be selected.

Abstract: Cybersecurity enhancements help avoid malicious Uniform Resource Locators (URLs). Embodiments may reduce or eliminate reliance on subjective analysis or detonation virtual machines. URL substrings are automatically analyzed for maliciousness using malice patterns. Patterns may test counts, lengths, rarity, encodings, and other inherent aspects of URLs. URLs may be analyzed individually, or in groups to detect shared portions, or both. URL analysis may use or avoid machine learning, and may use or avoid lookups. Malice patterns may be used individually or in combinations to detect malicious URLs. Analysis results may enhance security through blocking use of suspect URLs, flagging them for further analysis, or allowing their validated use, for instance. Analysis results may also be fed back to further train a machine learning model or a statistical model.