CPC H04L 63/0236 (2013.01) [H04L 63/1408 (2013.01); H04L 63/1483 (2013.01)] | 20 Claims |
1. A method for an email-security system to detect malicious emails, the method comprising:
obtaining, at an email-security system, an email sent from a sending device to a receiving device;
extracting, from the email, first data representing a from field of the email, second data representing a Uniform Resource Locator (URL) in the email, and third data representing a reply-to address;
identifying, using the first data, that a display name in the from field represents a brand name and that a from address domain in the from field does not represent the brand name;
determining, based at least in part on the display name representing the brand name and the from address domain not representing the brand name, a first probability value indicating a first likelihood that the from field of the email is impersonating the brand name;
determining, using the second data, whether a URL domain in the URL matches to the from address domain in the from field;
determining, based on whether the URL domain matches to the from address domain, a second probability value indicating a second likelihood that the URL in the email is impersonating the brand name;
determining, using the third data, whether a reply-to domain of the reply-to address corresponds to a free email service domain;
determining, based at least in part on whether the reply-to domain corresponds to the free email service domain, a third probability value indicating a third likelihood that the reply-to address in the email is impersonating the brand name; and
determining, using the first probability value, the second probability value, and the third probability value, an overall probability value indicating an overall likelihood that the email is a malicious email that is impersonating the brand name.
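The detection pipeline recited in claim 1, written out as an added Python example; it is not code from the patent or from any product it covers. The brand table, the free-mail domain list, the individual probability values, the noisy-OR combining rule and the two sample messages are all constructed assumptions for illustration: the claim itself fixes only the three signals and that they are combined, not the numbers or the combining function.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookup tables (assumptions for this example, not part of the claim);
# a production system would use curated brand and free-mail lists.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (a simplification of public-suffix logic)."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain of the address in a From/Reply-To header value, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/* parts so URLs are found in multipart mail as well."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_fields(raw_email):
    """Claim step: first data (from field), second data (URLs), third data (reply-to)."""
    msg = message_from_string(raw_email)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    url_domains = [registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body_text(msg))]
    return {
        "display_name": display_name,
        "from_domain": address_domain(from_addr),
        "url_domains": [d for d in url_domains if d],
        "reply_to_domain": address_domain(msg.get("Reply-To", "")),
    }


def from_field_probability(display_name, from_domain):
    """First probability: display name carries a brand while the from domain does not."""
    name = display_name.lower()
    brand = next((b for b in BRAND_DOMAINS if b in name), None)
    if brand is None:
        return None, 0.0          # no brand claimed in the display name
    if from_domain in BRAND_DOMAINS[brand]:
        return brand, 0.05        # display name and from domain agree
    return brand, 0.90            # brand claimed, from domain belongs to someone else


def url_probability(url_domains, from_domain):
    """Second probability: does any URL domain fail to match the from address domain?"""
    if not url_domains:
        return 0.0
    return 0.70 if any(d != from_domain for d in url_domains) else 0.10


def reply_to_probability(reply_to_domain, from_domain):
    """Third probability: reply-to routed to a free email service (or away from the sender)."""
    if not reply_to_domain:
        return 0.0
    if reply_to_domain in FREE_MAIL_DOMAINS:
        return 0.80
    return 0.05 if reply_to_domain == from_domain else 0.30


def overall_probability(p1, p2, p3):
    """Noisy-OR of the three signals (assumed rule; the claim does not fix how they combine)."""
    return 1.0 - (1.0 - p1) * (1.0 - p2) * (1.0 - p3)


def score_email(raw_email):
    f = extract_fields(raw_email)
    brand, p_from = from_field_probability(f["display_name"], f["from_domain"])
    p_url = url_probability(f["url_domains"], f["from_domain"])
    p_reply = reply_to_probability(f["reply_to_domain"], f["from_domain"])
    return {"brand": brand, "p_from": p_from, "p_url": p_url, "p_reply": p_reply,
            "overall": overall_probability(p_from, p_url, p_reply)}


# Constructed sample messages (not real mail); domains use reserved example names.
PHISH = """\
From: "PayPal Support" <alerts@secure-notice.example>
Reply-To: paypal.helpdesk@gmail.com
To: victim@example.org
Subject: Action required on your account
Content-Type: text/plain; charset=utf-8

Your account is limited. Restore access at http://paypal-verify.example/login
"""

LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

View your receipt at https://www.paypal.com/receipt/123
"""

if __name__ == "__main__":
    print(score_email(PHISH))   # overall close to 0.994
    print(score_email(LEGIT))   # overall close to 0.145
```

Two caveats a deployment would need that the claim leaves open: the from-address domain is taken from the header From, which the sender controls, so this scoring belongs after SPF/DKIM/DMARC evaluation rather than instead of it; and the two-label domain collapse used here misreads multi-part public suffixes such as co.uk, so a real implementation should consult the public suffix list.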