Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting financial attacks in emails includes: accessing an email inbound to a recipient address; scanning a body of the email for language signals; correlating a first sequence of words, in the email, with a financial signal; correlating a second sequence of words, in the email, with an action request signal; calculating a risk for the email representing a financial attack based on the financial signal and the action request signal detected in the email; and, in response to the risk exceeding a threshold risk, annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, annotating the second sequence of words in the email according to a second visual highlighting scheme—different from the first visual highlighting scheme—associated with the action request signal, and redirecting the email to a quarantine folder.

Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitor's a user's network traffic at an endpoint that initiates generation of the document and receives a web page identifying the document generated. The system parses the user's network traffic that selects the document for download and intercepts a critical metadata in an API parameter string used to download the document. The system interprets the critical metadata to analyze sensitivity of the document to assign a sensitive classification to the document. Data exfiltration prevention measures are triggered upon detection of attempted exfiltration of the document based on the sensitivity classification.

Abstract: A cloud security service receives an electronic message sent by a purported sending user to a receiving user. The cloud security service retrieves a user model and a user identity associated with the purported sending user, the user identity including a set of feature values describing messages from the purported sending user. The cloud security service applies the user model to the received electronic message to identify a set of feature values describing the electronic message. The cloud security service compares the set of feature values describing the electronic message to the set of feature values describing messages from the purported sending user included in the user identity. The cloud security service determines, based on the comparison, whether the received electronic message was sent by the purported sending user. The cloud security service performs a security action based on the determination.

Abstract: A cloud security service provides network security. The cloud security service receives, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user. The cloud security service analyzes the electronic message using a machine-learned user model describing the sending user's electronic messages, the user model generated based at least in part on previous electronic messages sent by the sending user. The cloud security service determines, based on the analysis, that the electronic message violates a security policy of the enterprise. The cloud security service performs a security action based on the determination that the electronic message violates the security policy.

Abstract: The technology disclosed relates to method and system of monitoring and controlling exfiltration of enterprise data stored on the cloud computing service (CCS). The method and system includes using a cross-application monitor to detect a could service application programming interface (API) in use and a function or activity being performed via the CCS API. The method and system determines the function or activity by parsing a data stream based on the CCS API and identifies a content of the enterprise data subject to content control by the application of a content inspection rule data subject to content control. The method and system selects a security action being applied to the enterprise data to prevent exfiltration based on the classification of the inspected data and policies applicable to the content subject to content control.

Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.

Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitor's a user's network traffic at an endpoint that initiates generation of the document and receives a web page identifying the document generated. The system parses the user's network traffic that selects the document for download and intercepts a critical metadata in an API parameter string used to download the document. The system interprets the critical metadata to analyze sensitivity of the document to assign a sensitive classification to the document. Data exfiltration prevention measures are triggered upon detection of attempted exfiltration of the document based on the sensitivity classification.

Abstract: A cloud security service receives an electronic message sent by a purported sending user to a receiving user. The cloud security service retrieves a user model and a user identity associated with the purported sending user, the user identity including a set of feature values describing messages from the purported sending user. The cloud security service applies the user model to the received electronic message to identify a set of feature values describing the electronic message. The cloud security service compares the set of feature values describing the electronic message to the set of feature values describing messages from the purported sending user included in the user identity. The cloud security service determines, based on the comparison, whether the received electronic message was sent by the purported sending user. The cloud security service performs a security action based on the determination.

Abstract: A cloud security service provides network security. The cloud security service receives, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user. The cloud security service analyzes the electronic message using a machine-learned user model describing the sending user's electronic messages, the user model generated based at least in part on previous electronic messages sent by the sending user. The cloud security service determines, based on the analysis, that the electronic message violates a security policy of the enterprise. The cloud security service performs a security action based on the determination that the electronic message violates the security policy.

Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.

Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.

Abstract: A system is configured to receive traffic being transported via a network; obtain, as a result of receiving the traffic, content from one or more packets associated with the traffic; analyze the content to identify one or more attributes associated with the content, where the one or more attributes correspond to at least one of: a network address, information associated with an application with which the traffic is associated, information associated with message content, or information associated with software content; determining that at least one attribute, of the one or more attributes, matches an attribute, of a set of attributes that are stored within a memory, where the set of attributes corresponds to a set of categories of traffic; identify a category, of the set of categories, that corresponds to the attribute; associate the category and the traffic; and process the traffic based on the associated category.

Abstract: A device is configured to receive a first request sent from a user device to a server. The first request may include a request to receive particular information from the server. The device receives a response to the first request sent from the server to the user device. The response includes the particular information. The device determines a potential request from the user device based on the particular information included in the response. The devices determines a policy associated with the potential request prior to a second request corresponding to the potential request being received. The device receives the second request from the user device. The device processes the second request based on the policy that was determined prior to the second request being received.

Abstract: A system is configured to receive traffic being transported via a network; obtain, as a result of receiving the traffic, content from one or more packets associated with the traffic; analyze the content to identify one or more attributes associated with the content, where the one or more attributes correspond to at least one of: a network address, information associated with an application with which the traffic is associated, information associated with message content, or information associated with software content; determining that at least one attribute, of the one or more attributes, matches an attribute, of a set of attributes that are stored within a memory, where the set of attributes corresponds to a set of categories of traffic; identify a category, of the set of categories, that corresponds to the attribute; associate the category and the traffic; and process the traffic based on the associated category.

Abstract: A system may identify one or more attributes associated with traffic. The system may then determine that at least one attribute, of the one or more attributes, matches an attribute of a set of attributes that correspond to a set of categories of traffic. Based on determining that the at least one attribute matches the attribute of the set of attributes, the system may identify a category, of the set of categories, that corresponds to the attribute. The system may associate the category with the traffic, and process the traffic based on the associated category.