Proofpoint, Inc.
Dynamically detecting abnormalities in otherwise legitimate emails containing uniform resource locators (URLs)
Abstract:
Dynamically detecting abnormalities in otherwise legitimate emails containing Uniform Resource Locators (URLs) is provided. An example method includes determining one or more rules defining normal patterns in a number of sending Top-Level Domains of previously received emails received via a computer network to a user or group of users; generating a trusted trends criteria for a received email, associated with the user or the group of users, by evaluating the received email against the one or more rules; determining whether the trusted trends criteria exceeds a predetermined threshold; in response to exceeding the predetermined threshold, generating a second URL and applying it to the received email by replacing a first URL of the received email with the second URL; and redetermining the one or more rules defining normal patterns in the number of sending Top-Level Domains based on the previously received emails and the received email.
Utility
13 Mar 2018
7 Apr 2020