Patents by Inventor Stephen Pickman

Stephen Pickman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240137378
    Abstract: The email system utilizes statistical analysis to assign an importance score to each user within an organization based on their email activity. The score is continuously updated to reflect changes in email flow and user status. The system identifies high-profile individuals who are likely to be targeted by external actors and assigns them a higher importance score. It also adjusts the scores based on several dampening factors related to the user's email behavior. The system uses these scores to determine VIP users and tailors its response to malicious emails accordingly. VIP-specific threat handling rules, which are less disruptive or intrusive, are applied when a malicious email targets a VIP user. The system intelligently derives user importance information, allowing it to identify a larger subset of important users within an organization. This approach minimizes disruption, tailors actions to key stakeholders, and does not require significant manual tuning.
    Type: Application
    Filed: December 29, 2023
    Publication date: April 25, 2024
    Inventors: Philip Sellars, Steven Haworth, Stephen Pickman
  • Patent number: 11962608
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Grant
    Filed: October 14, 2022
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Patent number: 11962552
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Stephen Pickman, Matthew Dunn
  • Publication number: 20230403296
    Abstract: A cyber security appliance to protect a domain associated with an organization or user and global domain intelligence data store for centralized storage of analytic results is described. The cyber security appliance features a communication module including one or more input/output (I/O) ports, an email module, and an autonomous response module. The email module comprises email report analytic logic to analyze content within an email authentication report, received via the one or more I/O ports, to detect an email suspected of being malicious when the email is directed to a computing device operating outside of the domain and a source address of the email falsely identifying the domain as part of the source email address. The autonomous response module is configured to cause a first set of autonomous actions to mitigate similar email dissemination over a network.
    Type: Application
    Filed: June 7, 2023
    Publication date: December 14, 2023
    Inventors: Stephen Pickman, Josephus Robertus Krenn
  • Publication number: 20230224327
    Abstract: The email campaign detector checks whether clustered emails with similar characteristics are part of a targeted campaign of malicious emails. An email similarity classifier analyzes a group of emails in order to cluster emails with similar characteristics in the group of emails. A targeted campaign classifier analyzes the clustered emails with similar characteristics to check whether the clustered emails with similar characteristics are a) coming from a same threat actor, b) going to a same intended target, and c) any combination of both, as well as ii) verify whether the clustered emails with similar characteristics are deemed malicious. The email campaign detector uses this information from the email similarity classifier and the targeted campaign classifier to provide an early warning system indicating that a targeted campaign of malicious emails is underway. The email campaign detector cooperates with one or more machine learning models to identify emails that are deemed malicious.
    Type: Application
    Filed: March 3, 2023
    Publication date: July 13, 2023
    Inventors: Steven Haworth, Antony Lawson, Stephen Pickman, Matthew Dunn
  • Publication number: 20230044354
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Application
    Filed: October 14, 2022
    Publication date: February 9, 2023
    Applicant: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20230007042
    Abstract: A cyber security appliance (CSA) configurable to protect a computer system from email cyber threat campaigns is disclosed. The CSA may comprise: an email module configured to process all incoming emails and log data and metadata; a cyber threat module configured to assess a severity level of a cyber threat using one or more Artificial Intelligence (AI) models; an AI classifier configured to determine the likelihood of an email cyber threat campaign; an autonomous response module configured to act against emails determined to be threats; and a user interface module configured to generate a report, present data on a display, and show a graphical display of the system indicating the details of a cyber threat campaign.
    Type: Application
    Filed: July 7, 2022
    Publication date: January 5, 2023
    Inventors: Stephen Haworth, Stephen Pickman, Antony Steven Lawson, Paul Lancaster
  • Patent number: 11477222
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Grant
    Filed: January 2, 2020
    Date of Patent: October 18, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20210194924
    Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.
    Type: Application
    Filed: February 26, 2021
    Publication date: June 24, 2021
    Inventors: Maximilian Heinemeyer, Stephen Pickman, Carl Joseph Salji
  • Publication number: 20210168161
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Application
    Filed: January 2, 2020
    Publication date: June 3, 2021
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20200396190
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Application
    Filed: August 27, 2020
    Publication date: December 17, 2020
    Inventors: Stephen Pickman, Matthew Dunn