| CPC H04L 63/1483 (2013.01) [G06F 16/9035 (2019.01); G06Q 10/107 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)] | 20 Claims |

|
1. A method comprising:
determining that a first email is present in an abuse mailbox where emails deemed suspicious are placed for analysis;
in response to determining that the first email is present in the abuse mailbox, determining whether the first email is representative of a threat to an enterprise based at least in part by applying a trained model to extract a plurality of characterizing features from the first email; and
in response to determining that the first email represents a threat to the enterprise:
generating a record of the threat by populating a data structure with the plurality of characterizing features determined from the first email, the plurality of characterizing features including at least an identified threat type and sender characteristics; and
applying the data structure including the characterizing features to inboxes of a plurality of employees of the enterprise by searching for other emails within the inboxes exhibiting a similarity to the characterizing features, thereby determining whether the first email is part of a campaign including the other emails, and in response to determining that the first email is part of the campaign, applying a filter derived from and associated with the data structure, the filter configured to identify matching emails exhibiting the characterizing features, to inbound emails addressed to employees of the enterprise.
|