Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with James Denaro on June 04, 2021.

In the claims:
(amended) 1. A computerized method for suspicious message processing and incident response, comprising: providing computer-executable instructions for a messaging client, the computer-executable instructions for: receiving a user interface action by a user indicating that a message delivered in an account associated with an individual has been identified by the user as a potential security threat; determining whether the delivered message is a known simulated phishing attack based on an identifier or other message characteristic of the delivered message; if the delivered message is determined to be a known simulated phishing attack based upon the identifier or other message characteristic of the delivered message, then providing a graphically displayed feedback confirming that the delivered message was a simulated phishing attack; and if the delivered message is determined not to be a known simulated phishing attack based upon the identifier or other message characteristic of the delivered message, then transmitting a copy of the delivered message to a detection platform; providing computer-executable instructions for a threat detection platform, the computer-executable instructions for: receiving the transmitted copy of the message at the threat detection platform; electronically storing a pattern as a rule for determining whether a body of the received message or an attachment of the received message ; and further comprising removing one or more previously delivered messages from messaging accounts associated with multiple users based on a matching of at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message with the one or more previously delivered messages from the messaging accounts associated with the multiple users.
2. The method of claim 1, further comprising enabling access to a message server for removing messages from messaging accounts associated with multiple users.
3. The method of claim 2, further comprising generating a command to remove the received message from a user inbox.
(cancelled) 4.
5. The method of claim 1, further comprising executing a remedial action on a network device based on the comparison of the delivered message against stored rules for determining whether message or attachment data contains a pre-defined textual or a pre-defined binary pattern.
6. The method of claim 1, further comprising configuring an inbound mail server to generate a command to remove one or more messages to render the delivered message inaccessible to the user.
7. The method of claim 1, further comprising performing an operation on one or more messages in the message group, wherein the operation comprises one of deleting the message from a user inbox, quarantining the message from a user inbox, classifying the message, and responding to the message.
8. The method of claim 1, wherein each message group is displayed as an active link which, when selected, displays additional information about the selected message group.
9. The method of claim 1, wherein the delivered message is classified as malicious if the delivered message is assigned to a message group having a threshold number of messages.
10. The method of claim 1, wherein the delivered message is classified as non-malicious based on a determination that the message group to which the delivered message is assigned is non-malicious.
11. The method of claim 1, further comprising executing an integration, wherein the integration comprises one or more of opening a link contained in the delivered message data in a simulated environment, opening attachment data in a simulated environment, and scanning the delivered message for malicious content, and querying a database of known threat activity with data extracted from the delivered message.
12. The method of claim 1, wherein at least a portion of a message body of the delivered message or at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message is communicated for threat processing.
13. The method of claim 1, further comprising providing an interface for creating a set of executable instructions based on at least one characteristic of at least one message from a corresponding message group.
14. The method of claim 1, further comprising providing an interface for specifying one or more rules for automatically responding to a notification by a pre-configured response message.
15. The method of claim 1, wherein if the delivered message is determined to be a known simulated phishing attack, providing feedback to the individual confirming that the delivered message was a simulated phishing attack.
16. The method of claim 1, further comprising: labeling as suspicious messages that are not cleared by initial rules pattern matching processing; and grouping the messages labeled as suspicious in a group of suspicious messages.
17. The method of claim 1, further comprising automatically responding to a user with a message indicating that the delivered message is legitimate, and removing the delivered message from display in a management console.
18. The method of claim 1, wherein the at least one characteristic in common with the delivered message includes a domain of a Uniform Resource Locator in the body of the received message or a hash of an attachment to received message.
(amended) 19. A computerized system for suspicious message processing and incident response, comprising: a processor configured for executing instructions at a messaging client, the computer-executable instructions for: receiving a user interface action by a user indicating that a message delivered in an account associated with an individual has been identified by the user as a potential security threat; determining whether the delivered message is a known simulated phishing attack based on an identifier or other message characteristic of the delivered message; if the delivered message is determined to be a known simulated phishing attack based upon the identifier or other message characteristic of the delivered message, then providing a graphically feedback confirming that the delivered message was a simulated phishing attack; and if the ; and further comprising removing one or more previously delivered messages from messaging accounts associated with multiple users based on a matching of at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message with the one or more previously delivered messages from the messaging accounts associated with the multiple users.
20. The system of claim 19, further comprising enabling access to a message server for removing messages from messaging accounts associated with multiple users.
21. The system of claim 20, further comprising generating a command to remove the received message from a user inbox.
(cancelled) 22. 
23. The system of claim 19, further comprising executing a remedial action on a network device based on the comparison of the delivered message against stored rules for determining whether message or attachment data contains a pre-defined textual or a pre-defined binary pattern.
24. The system of claim 19, further comprising configuring an inbound mail server to generate a command to remove one or more messages to render the delivered message inaccessible to the user.
25. The system of claim 19, further comprising performing an operation on one or more messages in the message group, wherein the operation comprises one of deleting the message from a user inbox, quarantining the message from a user inbox, classifying the message, and responding to the message.
26. The system of claim 19, wherein each message group is displayed as an active link which, when selected, displays additional information about the selected message group.
27. The system of claim 19, wherein the delivered message is classified as malicious if the delivered message is assigned to a message group having a threshold number of messages.
28. The system of claim 19, wherein the delivered message is classified as non-malicious based on a determination that the message group to which the delivered message is assigned is non-malicious.
29. The system of claim 19, further comprising executing an integration, wherein the integration comprises one or more of opening a link contained in the delivered message data in a simulated environment, opening attachment data in a simulated environment, and scanning the delivered message for malicious content, and querying a database of known threat activity with data extracted from the delivered message.
30. The system of claim 19, wherein at least a portion of a message body of the delivered message or at least a portion of header information of the delivered message or at least a portion of metadata of the delivered message is communicated for threat processing.

Reasons For Allowance

Claims 1 – 3, 5 – 21 and 23 – 30 are allowable and all previous rejections are withdrawn.
The following is an examiner’s statement of reasons for allowance: 
Claims 1 – 3, 5 – 21 and 23 – 30 are allowable over the prior art since the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest, or render obvious Applicant’s independent claims.
The Examiner asserts the prior art of record does not reasonably suggest Applicant’s innovative concept and independent claim language, including the whole, of if the delivered message is determined not to be a known simulated phishing attack based upon the identifier or other message characteristic of the delivered message, then transmitting a copy of the delivered message to a detection platform and removing one or more previously delivered messages from messaging accounts associated with multiple users based on a matching of at least a portion of 
McAfee (McAfee SaaS Email Protection, 2014) is relied upon to teach reporting a malicious message and the message being sent to the McAfee Threat Center for content and origin analysis and then developing filtering rules (see McAfee pages 1 – 3); however, McAfee does not teach Applicant’s independent claim language. 
Higbee (US Pub. No. 2014/0230030 A1) is relied upon to teach determining whether the message is a simulated phishing attack by examining identifying characteristics of the message and after determining it is not, processing the message accordingly (see Higbee para 0033 – 0034 and Figure 6 blocks 52 and 58); however, integrating the teachings of Higbee does not remedy the deficiencies of the prior art of record.
Glass (US Pub. No. 2005/0060643 A1) is relied upon to teach receiving a new message and classifying that message into a group based on characteristics of the message (see Glass Figure 2 and Figure 9); however, integrating the teachings of Glass does not remedy the deficiencies of the prior art of record.
Accordingly, the prior art of record does not suggest Applicant's independent claim language.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571) 270-5191. The examiner can normally be reached M-TH 6am-3:30pm.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRIAN F SHAW/Primary Examiner, Art Unit 2491