| CPC H04L 63/1483 (2013.01) | 20 Claims |
|
1. A method, comprising:
installing, via a processor of a first compute device associated with a user, a browser extension for a browser at the first compute device, the browser extension associated with an identifier that uniquely identifies a combination of the browser and at least one of the first compute device or the user;
for each site visited via the browser, analyzing, via the processor, a respective site via the browser extension to determine whether the respective site is at least one of a phishing site or a suspected phishing site; and
for each request to a software as a service (SaaS) application at a second compute device via the browser,
updating, via the processor, a user-agent header associated with that request to include the identifier, and
sending, via the processor, the user-agent header to the second compute device to cause a third compute device to (1) receive the identifier from the second compute device, (2) receive an audit log indicating a set of activities performed at the SaaS application, (3) identify a subset of activities that is from the set of activities and that is performed via the browser using the identifier, (4) determine based on the subset of activities that the SaaS application is the at least one of the phishing site or the suspected phishing site, and (5) perform a remedial action in response to determining that the SaaS application is the at least one of the phishing site or the suspected phishing site.
|