Abstract: A security application provides a prompt and content that includes text and one or more images as input to a multimodal large language model (LLM). The security application receives, from the multimodal LLM and responsive to providing the prompt and the content, a summary report of the content, the summary report including a text summary of the content. The security application extracts features from the summary report. The security application provides the extracted features as input to one or more pre-trained lightweight machine-learning models. The security application receives, from the one or more lightweight machine-learning models, a classification of the content, wherein the classification indicates whether the content is suspicious.

Abstract: A computer-implemented method includes sending email scan requests to an email scanner. The method further includes receiving, from the email scanner, a verdict of suspicion and one or more data fragments. The method further includes storing the one or more data fragments for each email of the plurality of emails in a datastore. The method further includes receiving a new email. The method further includes deriving one or more new keys for the new email. The method further includes retrieving one or more matching data fragments from the datastore by matching the one or more new keys with the one or more keys stored in the datastore. The method further includes providing, to the email scanner, the new email and the one or more matching data fragments. The method further includes receiving a new verdict of suspicion and one or more new data fragments.

Abstract: A computer-implemented method includes receiving an email message to be processed by a plurality of computing systems, where the plurality of computing systems each provide a different service for emails. The method further includes generating a first request for a first computing system of the plurality of computing systems to process the email message. The method further includes adding the first request for the first computing system to a first request queue. The method further includes responsive to determining that a predetermined event has occurred for the first request queue, performing a skip action and removing the first request from the first request queue.

Abstract: A computer-implemented method includes sending email scan requests to an email scanner. The method further includes receiving, from the email scanner, a verdict of suspicion and one or more data fragments. The method further includes storing the one or more data fragments for each email of the plurality of emails in a datastore. The method further includes receiving a new email. The method further includes deriving one or more new keys for the new email. The method further includes retrieving one or more matching data fragments from the datastore by matching the one or more new keys with the one or more keys stored in the datastore. The method further includes providing, to the email scanner, the new email and the one or more matching data fragments. The method further includes receiving a new verdict of suspicion and one or more new data fragments.

Abstract: A computer-implemented method includes implementing, at a first computing system, a configuration of a routing journal rule and a connector to configure the first computing system to automatically send copies of inbound emails received at the first computing system to a second computing system that is distinct from the first computing system, wherein the second computing system includes a set of scanners operable to analyze the copies of the inbound emails to detect suspicious content. The method further includes receiving a notification of the suspicious content in a first email of the copies of inbound emails from the second computing system, wherein the notification is generated responsive to one or more of the set of scanners detecting at least the first email as including suspicious content.

Abstract: A computer-implemented method includes receiving an email for processing. The method further includes prior to delivering the email, providing the email to a set of scanners, wherein one or more of the scanners are associated with a respective type of content and are configured to detect whether the email includes the respective type of content. The method further includes receiving, from the set of scanners, an identification of a plurality of types of content in the email. The method further includes for each type of content in the email providing the email to a user of a particular role, wherein users of the particular role are authorized to review the type of content and receiving, from the user, approval of the email for the type of content. The method further includes responsive to the email being approved for each type of content, delivering the email to a recipient.

Abstract: Systems and methods for processing an electronic communication. The method may include receiving an electronic message including a first location indicator of a network resource, wherein the first location indicator has a first length and includes an identifier of a recipient of the electronic message, wherein the identifier indicates an action allowed to be performed by the recipient, and transforming the first location indicator into a second location indicator of the network resource, wherein the second location indicator has a second length that is less than the first length. The method may further include storing the first location indicator in a network accessible storage location and forwarding the second location indicator of the resource to a recipient to allow the recipient to automatically access the network resource and perform the allowed action upon providing an input with respect to the second location indicator.

Abstract: A computer-implemented method includes generating behavior patterns based on historical behavior of a plurality of emails. The method further includes receiving an email message from a sender, wherein the email message is withheld from delivery to a recipient. The method further includes extracting a plurality of features from the email message. The method further includes determining whether content of the email message matches at least one criterion for suspicious content. The method further includes determining a reputation score associated with the sender based on a comparison of the extracted features with the behavior patterns, wherein the extracted features include an identity of the sender. The method further includes responsive to the content of the email message not matching the at least one criterion for suspicious content and the reputation score meeting a reputation threshold, delivering the email message to the recipient.

Abstract: A computer-implemented method includes sending email scan requests to an email scanner. The method further includes receiving, from the email scanner, a verdict of suspicion and one or more data fragments. The method further includes storing the one or more data fragments for each email of the plurality of emails in a datastore. The method further includes receiving a new email. The method further includes deriving one or more new keys for the new email. The method further includes retrieving one or more matching data fragments from the datastore by matching the one or more new keys with the one or more keys stored in the datastore. The method further includes providing, to the email scanner, the new email and the one or more matching data fragments. The method further includes receiving a new verdict of suspicion and one or more new data fragments.

Abstract: Remote services, such as security services, are onboarded for a tenant in a multi-tenant environment, such as a cloud-based electronic mail tenant, by configuring the tenant to permit remote access to local resources used at the tenant to facilitate the remote security services. As a significant advantage, this permits use of the remote security services with cloud-based enterprise resources hosted on the tenant, e.g., an enterprise mail server handling inbound and/or outbound electronic mail traffic, without requiring changes to the tenant's network configuration. As an additional advantage, security risks associated with the remote access may be confined to the specific tenant in the multi-tenant environment by creating a unique key for exchanging data between the tenant and the remote security services.

Abstract: Remote services, such as security services, are onboarded for a tenant in a multi-tenant environment, such as a cloud-based electronic mail tenant, by configuring the tenant to permit remote access to local resources used at the tenant to facilitate the remote security services. Mail flow rules associated with the multi-tenant environment govern how electronic mail is handled in the environment. For example, mail flow rules may be used to divert inbound and/or outbound electronic mail through a mail security service. Changes to the mail flow rules are monitored and analyzed to determine whether such changes are valid (e.g., not unsafe or tampered with) to support secure management of electronic mail traffic. If a change to a mail flow rule is determined to not be valid, an action may be performed, such as deleting, disabling, or reverting the change.

Abstract: A method for mitigating outbound electronic message spam includes determining whether an outbound electronic message to a recipient sent from an electronic messaging account of a sender has at least a predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a first pool of service delivery IP addresses based on a determination that the message has less than the predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a second pool of service delivery IP addresses based on a determination that the message has at least the predetermined number of indicators of compromise. The method may further include providing a notification of a possible compromise of the electronic messaging account and the notification may include a request to modify a security feature of the electronic messaging account.

Abstract: A computer-implemented method includes generating behavior patterns based on historical behavior of a plurality of emails. The method further includes receiving an email message from a sender, wherein the email message is withheld from delivery to a recipient. The method further includes extracting a plurality of features from the email message. The method further includes determining whether content of the email message matches at least one criterion for suspicious content. The method further includes determining a reputation score associated with the sender based on a comparison of the extracted features with the behavior patterns, wherein the extracted features include an identity of the sender. The method further includes responsive to the content of the email message not matching the at least one criterion for suspicious content and the reputation score meeting a reputation threshold, delivering the email message to the recipient.

Abstract: A technique implements an administrative user interface of a backend service used to manage and administer on-premises resources, such as storage nodes of a cluster, within a private customer network. The backend service includes a browser configured to issue cross-origin resource sharing (CORS) requests among target storage nodes and a publicly-hosted web application on remote computing systems accessed via a public computer network (i.e., internet) that can be loaded on the browser within the customer network to manage and administer the on-prem resources on the private network. The technique involves the use of CORS over HyperText Transfer Protocol to access an origin that is not reachable via the public internet from a predetermined location of the browser, e.g., within the same customer network as the target storage nodes, particularly to facilitate management of the nodes.

Abstract: A technique implements an administrative user interface of a backend service used to manage and administer on-premises resources, such as storage nodes of a cluster, within a private customer network. The backend service includes a browser configured to issue cross-origin resource sharing (CORS) requests among target storage nodes and a publicly-hosted web application on remote computing systems accessed via a public computer network (i.e., internet) that can be loaded on the browser within the customer network to manage and administer the on-prem resources on the private network. The technique involves the use of CORS over HyperText Transfer Protocol to access an origin that is not reachable via the public internet from a predetermined location of the browser, e.g., within the same customer network as the target storage nodes, particularly to facilitate management of the nodes.

Abstract: An optimistic and failsafe technique validates network configurations of storage and compute nodes deployed as a cluster. An optimistic aspect of the technique, saves an initial network configuration state of each node as a “failsafe” state and an expected network end-state is applied to each node. According to a validation aspect of the technique, each node employs a test to validate connectivity with other nodes in the cluster. In response to every validating node responding to a coordinating node that the validation test succeeded, an “all-clear” message is sent to all of the nodes instructing each node to maintain the applied expected network end-state. If any node is unreachable due to a configuration validation failure, then a failsafe aspect of the technique is invoked wherein the all-clear message is not sent and the remaining nodes of the cluster automatically “roll-back” to the initial failsafe network state after a timeout.

Abstract: An optimistic and failsafe technique validates network configurations of storage and compute nodes deployed as a cluster. An optimistic aspect of the technique, saves an initial network configuration state of each node as a “failsafe” state and an expected network end-stale is applied to each node. According to a validation aspect of the technique, each node employs a test to validate connectivity with other nodes in the cluster. In response to every validating node responding to a coordinating node that the validation test succeeded, an “all-clear” message is sent to all of the nodes instructing each node to maintain the applied expected network end-state. If any node is unreachable due to a configuration validation failure, then a failsafe aspect of the technique is invoked wherein the all-clear message is not sent and the remaining nodes of the cluster automatically “roll-hack” to the initial failsafe network state after a timeout.

Abstract: Techniques for managing authorization are disclosed. In one embodiment, the techniques may be realized as a method including receiving, from a centralized authorization service, authorization logic for an application; determining the identity of a user; and, based on the identity of the user, authorizing the use of a particular feature of the application using the received authorization logic.

Abstract: Out-of-band notifications are used to inform users of clients of security policy enforcement actions, such as enforcement of a data loss prevention (DLP) policy. Code for instantiating a notification agent at a client used by a user is inserted into network traffic inbound to the client. Outbound network traffic sent from the client to a server is monitored for compliance with one or more security policies. If it is determined that the network traffic violates a security policy, an enforcement action is taken. An out-of-band notification message describing the enforcement action is inserted into a response to the outbound network traffic and sent to the client. The notification agent at the client receives the notification message and presents the message to the user.

Abstract: Out-of-band notifications are used to inform users of clients of security policy enforcement actions, such as enforcement of a data loss prevention (DLP) policy. Code for instantiating a notification agent at a client used by a user is inserted into network traffic inbound to the client. Outbound network traffic sent from the client to a server is monitored for compliance with one or more security policies. If it is determined that the network traffic violates a security policy, an enforcement action is taken. An out-of-band notification message describing the enforcement action is inserted into a response to the outbound network traffic and sent to the client. The notification agent at the client receives the notification message and presents the message to the user.