Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitors network traffic at a document-generation initiating endpoint and receives a web page identifying the document generated. The system parses the network traffic that selects the document for download, based on the user selecting a link, and intercepts a document handle in an API parameter string used to download the document. The system interprets the document handle to analyze sensitivity of the document to assign a sensitive classification to the document. The sensitivity classification is encoded into the document header metadata. The encoded sensitivity classification can be used to enhance security, for example, preventing data exfiltration.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitors network traffic at a document-generation initiating endpoint and receives a web page identifying the document generated. The system parses the network traffic that selects the document for download, based on the user selecting a link, and intercepts a document handle in an API parameter string used to download the document. The system interprets the document handle to analyze sensitivity of the document to assign a sensitive classification to the document. The sensitivity classification is encoded into the document header metadata. The encoded sensitivity classification can be used to enhance security, for example, preventing data exfiltration.

Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A cloud security service provides network security. The cloud security service receives, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user. The cloud security service analyzes the electronic message using a machine-learned user model describing the sending user's electronic messages, the user model generated based at least in part on previous electronic messages sent by the sending user. The cloud security service determines, based on the analysis, that the electronic message violates a security policy of the enterprise. The cloud security service performs a security action based on the determination that the electronic message violates the security policy.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting financial attacks in emails includes: accessing an email inbound to a recipient address; scanning a body of the email for language signals; correlating a first sequence of words, in the email, with a financial signal; correlating a second sequence of words, in the email, with an action request signal; calculating a risk for the email representing a financial attack based on the financial signal and the action request signal detected in the email; and, in response to the risk exceeding a threshold risk, annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, annotating the second sequence of words in the email according to a second visual highlighting scheme—different from the first visual highlighting scheme—associated with the action request signal, and redirecting the email to a quarantine folder.

Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitor's a user's network traffic at an endpoint that initiates generation of the document and receives a web page identifying the document generated. The system parses the user's network traffic that selects the document for download and intercepts a critical metadata in an API parameter string used to download the document. The system interprets the critical metadata to analyze sensitivity of the document to assign a sensitive classification to the document. Data exfiltration prevention measures are triggered upon detection of attempted exfiltration of the document based on the sensitivity classification.

Abstract: A cloud security service receives an electronic message sent by a purported sending user to a receiving user. The cloud security service retrieves a user model and a user identity associated with the purported sending user, the user identity including a set of feature values describing messages from the purported sending user. The cloud security service applies the user model to the received electronic message to identify a set of feature values describing the electronic message. The cloud security service compares the set of feature values describing the electronic message to the set of feature values describing messages from the purported sending user included in the user identity. The cloud security service determines, based on the comparison, whether the received electronic message was sent by the purported sending user. The cloud security service performs a security action based on the determination.

Abstract: A cloud security service provides network security. The cloud security service receives, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user. The cloud security service analyzes the electronic message using a machine-learned user model describing the sending user's electronic messages, the user model generated based at least in part on previous electronic messages sent by the sending user. The cloud security service determines, based on the analysis, that the electronic message violates a security policy of the enterprise. The cloud security service performs a security action based on the determination that the electronic message violates the security policy.

Abstract: The technology disclosed relates to method and system of monitoring and controlling exfiltration of enterprise data stored on the cloud computing service (CCS). The method and system includes using a cross-application monitor to detect a could service application programming interface (API) in use and a function or activity being performed via the CCS API. The method and system determines the function or activity by parsing a data stream based on the CCS API and identifies a content of the enterprise data subject to content control by the application of a content inspection rule data subject to content control. The method and system selects a security action being applied to the enterprise data to prevent exfiltration based on the classification of the inspected data and policies applicable to the content subject to content control.