&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11895151.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,895,151 B1</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Phishing email campaign identification</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Javier Castro,  Kensington, MD (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  CLOUDFLARE, INC.,  San Francisco, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  CLOUDFLARE, INC.,  San Francisco, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Jan.  12, 2022, as Appl. No. 17/574,443.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 9/40</b></i> (2022.01); <i><b>H04L 51/212</b></i> (2022.01); <i><b>H04L 9/32</b></i> (2006.01); <i><b>H04L 9/08</b></i> (2006.01); <i><b>H04L 9/06</b></i> (2006.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1483</b></i> (2013.01)&#xa0;[<i><b>H04L 51/212</b></i> (2022.05); <i><b>H04L 63/12</b></i> (2013.01); <i><b>H04L 63/123</b></i> (2013.01); <i><b>H04L 63/1416</b></i> (2013.01); <i><b>H04L 63/1425</b></i> (2013.01); <i>H04L 9/0643</i> (2013.01); <i>H04L 9/0894</i> (2013.01); <i>H04L 9/3239</i> (2013.01)]</td>
            <td class="table_data" align="right"><b>18 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11895151-20240206-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method executed by one or more email detection computers, the method comprising:<div class="claim_text">receiving, from a digital electronic computer network, a first email message that is directed to a first recipient account from a first sender account, the first email message being associated with a plurality of attributes;</div>
                <div class="claim_text">determining that the first email message is a phishing email;</div>
                <div class="claim_text">extracting, from the first email message, a subset of the plurality of attributes, the subset of the plurality of attributes comprising a plurality of fixed attributes and a plurality of transformable attributes, the plurality of fixed attributes of the first email message being two or more of a thread count; an attachment count; a TO recipient count; a CC recipient count; a number of URLs within a body of the first email message; a number of links within the body of the first email message; or a BCC recipient count;</div>
                <div class="claim_text">transforming each particular transformable attribute of the plurality of transformable attributes to a normalized representation of that particular transformable attribute;</div>
                <div class="claim_text">concatenating the plurality of fixed attributes and the normalized representations of the plurality of transformable attributes into a string representation;</div>
                <div class="claim_text">generating a hash representation of the subset of the plurality of attributes based on the string representation of the concatenated plurality of fixed attributes and the normalized representations of the plurality of transformable attributes;</div>
                <div class="claim_text">storing the hash representation of the subset of the plurality of attributes of the first email message in a database;</div>
                <div class="claim_text">receiving, from the digital electronic computer network, a second email message that is directed to a second recipient account from a second sender account;</div>
                <div class="claim_text">determining that the second email message is a phishing email based on the hash representation corresponding to the first email message.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>