US 11,811,793 B2
Targeted attack protection from malicious links in messages using predictive sandboxing
Steven Robert Sandke, Cupertino, CA (US); and Bryan Burns, Portland, OR (US)
Assigned to PROOFPOINT, INC., Sunnyvale, CA (US)
Filed by Proofpoint, Inc., Sunnyvale, CA (US)
Filed on Jan. 15, 2021, as Appl. No. 17/150,779.
Application 17/150,779 is a continuation of application No. 16/523,439, filed on Jul. 26, 2019, granted, now 10,911,467.
Application 16/523,439 is a continuation of application No. 15/986,558, filed on May 22, 2018, granted, now 10,419,464, issued on Sep. 17, 2019.
Application 15/986,558 is a continuation of application No. 15/667,430, filed on Aug. 2, 2017, granted, now 10,009,362, issued on Jun. 26, 2018.
Application 15/667,430 is a continuation of application No. 15/418,357, filed on Jan. 27, 2017, granted, now 9,762,609, issued on Sep. 12, 2017.
Application 15/418,357 is a continuation of application No. 14/625,240, filed on Feb. 18, 2015, granted, now 9,596,264, issued on Mar. 14, 2017.
Claims priority of provisional application 61/941,407, filed on Feb. 18, 2014.
Prior Publication US 2021/0136094 A1, May 6, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); G06F 21/56 (2013.01); G06F 21/53 (2013.01)
CPC H04L 63/1416 (2013.01) [G06F 21/53 (2013.01); G06F 21/566 (2013.01); H04L 63/0236 (2013.01); H04L 63/101 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 63/1466 (2013.01); G06F 2221/034 (2013.01); H04L 63/145 (2013.01)]
19 Claims
1. A method for protecting users from malicious content, the method comprising:
retrieving, by a hardware processor of a server system, a Uniform Resource Locator (URL) link from an electronic message sent to a user in a user computer environment and intercepted by the server system, the URL link pointing at linked digital content residing at a resource location, the server system configured for intercepting messages before receipt by a mail server or a user;
determining, for the URL link retrieved from the electronic message, a plurality of selection criteria factors for determining whether to sandbox the URL link, each of the plurality of selection criteria factors having a respective factor threshold, wherein the plurality of selection criteria factors comprises a number of electronic messages that is tracked by the server system and that includes the URL link such that the method processes the URL link retrieved from the electronic message and not the linked digital content to which the URL link points;
for each of the plurality of selection criteria factors:
comparing the respective factor threshold of the selection criteria factor to a corresponding factor threshold previously established in the server system; and
based on the comparing, determining whether the respective factor threshold of the selection criteria factor exceeds the corresponding factor threshold previously established in the server system; and
responsive to any of the respective factor threshold of the selection criteria factors exceeds the corresponding factor threshold previously established in the server system, automatically queuing the URL link for preemptive sandboxing the URL to prevent the user from clicking the linked digital content residing at the resource location, the sandboxing including analyzing behavior of the URL link in another computer environment separate from the user computer environment.
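
An illustration of the selection step in claim 1, added here as an example; it is not code from the patent or from Proofpoint. The threshold values, the `recipient_count` factor, the URL normalisation and all names are assumptions; only the tracked message count is named in the claim, and the sketch works on the URL string alone without fetching the linked content.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)
# Assumed thresholds; the claim only requires that each factor has one.
THRESHOLDS = {"message_count": 3, "recipient_count": 2}

def normalize(url):
    """Canonicalise so trivially different spellings count as one link."""
    p = urlsplit(url.rstrip(".,);"))
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

class PredictiveSelector:
    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.messages = defaultdict(set)    # url -> ids of messages carrying it
        self.recipients = defaultdict(set)  # url -> recipients (hypothetical factor)
        self.queued = set()                 # URLs already handed to the sandbox
        self.sandbox_queue = deque()        # (url, factors that tripped)

    def factors(self, url):
        return {"message_count": len(self.messages[url]),
                "recipient_count": len(self.recipients[url])}

    def observe(self, msg_id, recipient, body):
        """Process one intercepted message; return the URLs newly queued."""
        newly = []
        for url in {normalize(u) for u in URL_RE.findall(body)}:
            self.messages[url].add(msg_id)
            self.recipients[url].add(recipient)
            # Any single factor above its threshold is enough to queue the link.
            hit = [n for n, v in self.factors(url).items() if v > self.thresholds[n]]
            if hit and url not in self.queued:
                self.queued.add(url)
                self.sandbox_queue.append((url, hit))
                newly.append(url)
        return newly

# Constructed sample traffic (not real data): one link sent to three recipients.
SAMPLE = [("m1", "a@example.test", "Invoice: http://Pay.example.test/inv?id=7"),
          ("m2", "b@example.test", "http://pay.example.test/inv?id=7#top"),
          ("m3", "c@example.test", "Due now http://pay.example.test/inv?id=7.")]

def demo():
    sel = PredictiveSelector()
    for msg in SAMPLE:
        sel.observe(*msg)
    return list(sel.sandbox_queue)
```

In the sample, the link is queued on the third message because the recipient count exceeds its threshold while the message count does not, which shows the "any factor" condition.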