CPC H04L 63/1425 (2013.01) [G06F 16/285 (2019.01); G06Q 40/12 (2013.12); H04L 63/145 (2013.01); H04L 63/1408 (2013.01)] | 21 Claims
1. A computer-implemented method comprising:
by one or more hardware computer processors executing code:
communicating with one or more electronic data structures configured to store:
a data clustering strategy; and
a plurality of data items including at least:
a plurality of email data items, each of the plurality of email data items including at least a subject and a sender, each of the plurality of email data items potentially associated with phishing activity; and
a plurality of phishing-related data items related to a communications network of an organization, the plurality of phishing-related data items including at least one of: internal Internet Protocol addresses of the communications network, computerized devices of the communications network, users of particular computerized devices, organizational positions associated with users of particular computerized devices, or URLs and/or external domains visited by users of particular computerized devices;
accessing an email data item transmitted to one or more of the users of respective computerized devices within the network of the organization, the email data item including at least a subject and a sender, the email data item potentially associated with phishing activity;
designating the accessed email data item as a seed; and
generating a data item cluster based on the data clustering strategy by at least:
adding the seed to the data item cluster;
determining the subject and the sender associated with the seed;
identifying one or more of the plurality of email data items having a same subject as the determined subject or a same sender as the determined sender;
adding the identified one or more email data items to the data item cluster;
parsing one or more URLs from the email data items of the data item cluster;
adding the parsed URLs to the data item cluster;
identifying one or more users who are both recipients of at least one of the email data items of the data item cluster and visitors of one of the URLs of the data item cluster;
adding the identified one or more users, including data related to the one or more users, to the data item cluster;
identifying additional one or more data items associated with any data items of the data item cluster; and
adding, to the data item cluster, the additional one or more data items.
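The clustering strategy of claim 1, worked through end to end as an added Python example (this is not code from the patent or its assignee). The email corpus, the (user, URL) proxy visits and the user-to-device mapping are constructed stand-ins for the email data items and phishing-related data items the claim names.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s<>\"']+")

@dataclass(frozen=True)
class Email:  # one email data item
    id: str
    subject: str
    sender: str
    recipients: tuple
    body: str

@dataclass
class Cluster:  # the data item cluster grown from a seed
    emails: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)

def build_cluster(seed, emails, visits, user_devices):
    # visits: (user, url) pairs from a proxy log; user_devices: user -> devices (both constructed stand-ins)
    by_id = {e.id: e for e in emails}
    by_id[seed.id] = seed
    c = Cluster(emails={seed.id})
    for e in emails:  # same subject OR same sender as the seed
        if e.subject == seed.subject or e.sender == seed.sender:
            c.emails.add(e.id)
    for eid in c.emails:  # parse URLs out of every clustered email
        c.urls.update(URL_RE.findall(by_id[eid].body))
    # users who both received a clustered email and visited a clustered URL
    recipients = {u for eid in c.emails for u in by_id[eid].recipients}
    c.users = {u for u, url in visits if u in recipients and url in c.urls}
    for u in c.users:  # additional related items: those users' devices
        c.devices.update(user_devices.get(u, ()))
    return c

# Constructed sample data, not taken from the patent
SEED = Email("e1", "Urgent: reset your password", "it-desk@mail.example.net",
             ("alice", "bob"), "Reset here: http://phish.example.net/login")
EMAILS = [
    Email("e2", "Urgent: reset your password", "helpdesk@example.org",
          ("carol",), "Go to http://phish.example.net/login now"),
    Email("e3", "Invoice attached", "it-desk@mail.example.net",
          ("bob",), "See http://phish.example.net/invoice"),
    Email("e4", "Lunch menu", "cafe@example.com", ("alice",), "No links"),
]
VISITS = [("alice", "http://phish.example.net/login"), ("bob", "http://news.example.com/"),
          ("dave", "http://phish.example.net/login")]  # dave never received the mail
USER_DEVICES = {"alice": {"ws-alice-01"}, "bob": {"ws-bob-07"}}
```

Note that e4 shares a recipient with the seed but neither subject nor sender, so it stays out, and dave visited a clustered URL without receiving any clustered email, so he is not flagged; only alice and her workstation end up in the cluster.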