DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/15/2021 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the Examiner.

Response to Arguments
Applicant’s claim amendments with respect to claim 13 previously objected to for informalities, and claim 1 previously rejected under 35 U.S.C. 112(b) for insufficient antecedent basis for “the network request” have been fully considered and are persuasive.  The objection and rejection has been withdrawn. 

Applicant's arguments filed 07/06/2021 have been fully considered but they are not persuasive.

Claims 2-4, 6, and 11-20 were previously rejected under 35 U.S.C. 112(b) as being indefinite for reciting relative terminology.  It is noted that Applicant has not amended these claims.  Furthermore, Applicant’s sole argument regarding rejections under 35 U.S.C. 112 (although, it is unclear which of the multiple rejections under 35 U.S.C. 112 are being addressed) is “As illustrated in the specification (e.g., in ¶ [0083] - [0085]), confidence levels are determined according to assigned thresholds” (Remarks, p. 7).  Examiner submits that the cited portions of the Specification do not provide the necessary objective boundaries for what constitutes “high” or “low” confidence, and at best merely describe different schemes for representing high/low confidence, e.g., by using color (“green, yellow, and/or red”, Specification, ¶[0084]), or a numerical scheme (“scoring mechanisms…integer or floating point score, a percentage 

Regarding claims 11-17 rejected under 35 U.S.C. 112(b) as being indefinite as interpreted under 35 U.S.C. 112(f) (see Office Action filed 03/30/2021 for claim interpretation), Applicant appears to not provide any claim amendments or remarks regarding this issue.  Examiner reasserts that the claimed “modules” are non-structural and are not clearly linked to any structure in the disclosure.  Therefore, the claims are indefinite.  Accordingly, the rejection is maintained.

Regarding claims 1, 5-7, 9-13, and 18-20 rejected under 35 U.S.C. 102(a)(1) as being anticipated by Himler et al. (U.S. Pat. 9,781,149), Applicant’s sole assertion is that “While Himler appears to teach several ‘notifications,’ none of these are shown to be push notifications, nor has the Examiner provided a definition of ‘push notification’ that would read on Himler” (Remarks, p. 8, emphasis added).
Examiner first notes that “a push notification” as argued by Applicant to be present in independent claim 1 and similarly in the other independent claims (i.e., claims 11 and 18) is in fact not recited in all independent claims.  Of claims 1, 11, and 18, a “push notification” is recited only in independent claim 1.
Second, Examiner agrees with Applicant that Himler teaches several notifications.  As cited in the previous rejection, Himler most notably disclosed “it may output a prompt to the user, such as by displaying a message confirming that the reported message is from a non-malicious or trusted sender” (Himler, col. 7, lines 54-59, emphasis added), and “presenting a prompt to the user 210 after the system analyzes a message” (Himler, col. 15, lines 1-2, emphasis added).  Additionally, Himler disclosed “If the system determines that the reported message is not from a trusted sender, it may send the user a notification” (Himler, col 6, line 66 through col. 7, line 1, emphasis added).  Examiner submits that the various messages/prompts/notifications sent by a system to a user as disclosed by Himler read on the claimed “push notification”.  As is understood by one of ordinary skill in the art, the broad definition of a push notification is a communication that is sent from a source to a destination.  Clearly, the various 
Third, while Applicant notes that “The use of push notifications is taught throughout the specification, such as in paragraph [0039], and elsewhere”, Examiner notes that the cited portion of the Specification merely states “The user may then receive a pop-up or a ‘push’ notification on her device indicating whether the e-mail is good or whether it is a phishing e-mail” (Specification, ¶[0039]), which a) does not provide a special definition of a push notification, b) suggests it is equivalent to a “pop-up” notification, and c) suggests it is received on a user’s device.  Regarding point a), absent a special definition of “push notification”, Examiner reasserts that the portions of Himler above read on “push notification” as broadly claimed.  Regarding point b), Examiner submits that the disclosed “prompts” of Himler inter alia could be interpreted as similar to the described “pop-up”, although a “pop-up” is irrelevant as it is not a claimed feature.  Regarding point c), Examiner again notes that Himler clearly disclosed displaying such communications to the user, i.e., on a user’s device, as detailed in the above discussion.  Therefore, Examiner submits that Hilmer clearly reads on the claimed “push notification”, and the rejection is thus maintained.
Regarding claim 2 rejected under 35 U.S.C. 103 as being unpatentable over Himler, Mesdaq et al. (U.S. Pat. 10,601,865), and Edwards (U.S. Pat. App. Pub. 2019/0020682), claim 3 rejected under 35 U.S.C. 103 as being unpatentable over Himler and Egilmez et al. (U.S. Pat. App. Pub. 2017/0034091), claims 4 and 15 rejected under 35 U.S.C. 103 as being unpatentable over Himler Kumar et al. (U.S. Pat. App. Pub. 2020/0145458), claim 8 rejected under 35 U.S.C. 103 as being unpatentable over Himler and Mesdaq (U.S. Pat. 10,601,865), claim 14 rejected under 35 U.S.C. 103 as being unpatentable over Himler and Makavy (U.S. Pat. App. Pub. 2018/0219892), claim 16 rejected under 35 U.S.C. 103 as being unpatentable over Himler and Olenoski (U.S. Pat. App. Pub. 2019/0325159), and claim 17 rejected under 35 U.S.C. 103 as being unpatentable over Himler, Olenoski, and Auerbach et al. (U.S. Pat. App. Pub. 2005/0223061), as Applicant traverses these rejections for the same reason regarding claim 1 above, Examiner maintains these rejections under the same rationale above.

Claim Rejections - 35 USC § 112

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-4, 6, and 11-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

The terms "high" in claims 2, 3, 6, and 14 and “low” in claims 4, 11, 16, and 18 are relative terms that render the claims indefinite.  The terms "high" and “low” in the context they are recited (regarding “confidence”, “overhead”, “threshold”, accordingly) are not defined by the claims, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  While the Specification discloses the various “high”/”low” elements of the claim, there is no clear objective boundaries for what constitutes “high” or “low”.  One of ordinary skill in the art would not be able to ascertain what is meant by these terms, and the claims are therefore indefinite.  Claims 2-4, 6, and 11-20 are thus rejected.

Claim limitations “a receiver module to receive…” (claim 11, line 7), “an extraction module to extract…” (claim 11, line 9), “a request module to request…” (claim 11, line 11), “a response module to provide…” (claim 11, line 14), “a receiver module to receive…” (claim 11, line 19), “an analysis module to analyze…” (claim 11, line 20), “a response module to provide…” (claim 11, line 22), and “a module to remotely instruct…” (claim 14, line 2) invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed functions and to clearly link the structure, material, or acts to the functions.  “Module” is a non-structural term, and the claims do not modify the term with any structure.  The Specification further does not disclose any structure corresponding to the claimed “modules”.  Therefore, 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 102
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1, 5-7, 9-13, and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Himler et al. (U.S. Pat. 9,781,149), hereafter Himler.

Regarding claim 1, Himler disclosed a computing apparatus (cybersecurity analyzer server, col. 5, line 25), comprising:
	a hardware platform comprising a processor and a memory (CPU, col. 15, line 63; memory, col. 16, line 2);
	a network interface (communication port, col. 16, line 32); and
	instructions encoded within the memory (instructions, col. 16, line 15) to instruct the processor to:
		receive via the network interface a validation request from a mobile computing device (client computing device, i.e., mobile computing device, col. 5, line 24; e.g., portable electronic devices/smartphones, col. 3, line 28; client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25), the validation request comprising an e-mail payload (reporting function forwarding the potentially malicious message, i.e., e-mail payload, to the cybersecurity analyzer server, col. 6, lines 26-29 and 44-46, col. 15, lines 29-32);
		query a cloud phishing reputation service for a reputation, the query comprising information from the e-mail payload (accessing, i.e., querying, reference data, i.e., a cloud phishing reputation service, for reputation information, i.e., a reputation, regarding the message, col. 5, lines 56-60, col. 7, lines 26-29);
		receive from the cloud phishing reputation service reputation data for the e-mail payload (determining a trust score/reputation for the message, col. 12, line 13); and
		provide a push notification to the mobile computing device, the push notification comprising a reputation notice for the e-mail payload (outputting feedback, e.g., a message/prompt/notification, i.e., push notification/reputation notice, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).



	Regarding claim 6, Himler disclosed the computing apparatus wherein the reputation notice for the e-mail payload comprises a not-safe reputation if at least one link has a high-confidence reputation for being a phishing link (flagging a message as malicious, i.e., a not-safe reputation, when a link, e.g., has 4 levels of re-direction, i.e., a high-confidence reputation for being a phishing link, col. 13, lines 16-18).

	Regarding claim 7, Himler disclosed the computing apparatus wherein the instructions are further to provide information from an attachment of the e-mail payload to the cloud reputation service, and wherein the reputation data comprise reputation data for the attachment (distinguishing between malicious messages and legitimate message by identifying malicious attachments, col. 8, lines 19-20; reference data including malware signatures, i.e., reputation data for the attachment, col. 7, lines 29-30).

	Regarding claim 9, Himler disclosed the computing apparatus wherein the validation request comprises a forwarded e-mail (reporting function forwarding the potentially malicious message, i.e., e-mail payload, to the cybersecurity analyzer server, col. 6, lines 26-29 and 44-46, col. 15, lines 29-32).

	Regarding claim 10, Himler disclosed the computing apparatus wherein the validation request comprises a one-click reputation request from the mobile computing device (reporting button, i.e., one-click reputation request, col. 6, lines 30, 40-46, col. 9, lines 58-61).

	Regarding claim 11, Himler disclosed a phishing mitigation ecosystem, comprising:

		an e-mail client (messaging client, col. 5, line 66) including a user interface (user interface, col. 6, line 2) to provide a low-overhead user interaction to provide a phishing analysis request for an e-mail (messaging client including a reporting button, i.e., low-overhead user interaction, for reporting and forwarding a malicious email to a cybersecurity analyzer server, col. 6, lines 30 and 40-46, col. 9, lines 58-61);
	a phishing analysis server (cybersecurity analyzer server, col. 5, line 25), comprising:
		a receiver module to receive the phishing analysis request from the user endpoint device (client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25);
		an extraction module to extract analysis data from the phishing analysis request (extracting portions of the message, col. 13, lines 44-46);
		a request module to request a reputation (accessing, i.e., requesting, reference data for reputation information, i.e., a reputation, col. 5, lines 56-60, col. 7, lines 26-29), and to receive a reputation response comprising a reputation associated with the request for a reputation (determining a trust score/reputation for the message, col. 12, line 13); and
		a response module to provide a response to the user endpoint device comprising a safety indicator for the phishing analysis request (outputting feedback, e.g., a message/prompt/notification, i.e., response/safety indicator, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2); and
	a cloud reputation service (reference data, col. 5, lines 56-60, col. 7, lines 26-29), comprising:
a reputation store (reference data, col. 5, lines 56-60, col. 7, lines 26-29);
		a receiver module to receive the request for a reputation (accessing, i.e., requesting, the reference data for reputation information, i.e., a reputation, col. 5, lines 56-60, col. 7, lines 26-29);
		an analysis module to analyze the request for a reputation and to assign a reputation from the reputation store (determining a trust score/reputation for the message, col. 12, line 13); and


	Regarding claim 12, Himler disclosed the phishing mitigation ecosystem wherein the user endpoint device is a smart phone or tablet (smartphone, tablet computer, col. 3, lines 28-29).

	Regarding claim 13, Himler disclosed the phishing mitigation ecosystem wherein the response to the user endpoint device comprises a push notification (outputting feedback, e.g., a message/prompt/notification, i.e., push notification, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).

	Regarding claim 18, Himler disclosed a method of detecting phishing or malicious e-mail content, comprising:
	conditioning an end user operating an endpoint device (end user, col. 6, line 10; client computing device, i.e., endpoint device, col. 5, line 24) to identify an e-mail as suspicious (training, i.e., conditioning, end users, e.g., employees, to recognize malicious/phishing emails, i.e., emails as suspicious, col. 9, lines 21-35) with a low threshold for suspiciousness (e.g., a message appearing to originate from a known or official entity, col. 4, lines 3-6), wherein the threshold for suspiciousness includes any e-mail that may potentially collect personal, enterprise, or financial information (messages performing malicious actions, e.g., transmitting stored data, making data accessible to a third party, or inviting a recipient to entered login credentials or disclose sensitive information, col. 4, line 55 through col. 5, line 8);
	receiving from the end user a request to verify a suspicious e-mail (client computing device, i.e., end user, col. 5, line 24; e.g., portable electronic devices/smartphones, col. 3, line 28; client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25);
	extracting content from the suspicious e-mail (extracting portions of the message, col. 13, lines 44-46);

	receiving from the public cloud reputation service a reputation for the extracted content (determining a trust score/reputation for the message, col. 12, line 13); and
	providing to the endpoint device a reputation for the suspicious e-mail (outputting feedback, e.g., a message/prompt/notification, i.e., reputation, regarding the message, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).

	Regarding claim 19, Himler disclosed the method wherein providing the reputation for the suspicious e-mail comprises providing a push notification to the endpoint device (outputting feedback, e.g., a message/prompt/notification, i.e., push notification, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).

	Regarding claim 20, Himler disclosed the method wherein providing the reputation for the suspicious e-mail comprises providing electronic information regarding the reputation for the suspicious e-mail (presenting a prompt including specific information about the message as to why the message is trusted/untrusted, col. 15, lines 1-7).

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claim 1 above, in view of Mesdaq et al. (U.S. Pat. 10,601,865), hereinafter Mesdaq, and further in view of Edwards et al. (U.S. Pat. App. Pub. 2019/0020682), hereinafter Edwards.

Regarding claim 2, Himler disclosed the computing apparatus as detailed above.  Himler did not disclose the computing apparatus wherein the reputation notice comprises a high-confidence reputation that the e-mail payload includes phishing content, and wherein the push notification includes an instruction not to open the e-mail payload.
Mesdaq	 disclosed:
wherein the reputation notice comprises a high-confidence reputation that the e-mail payload includes phishing content (generating a score indicating a level of confidence that an email is associated with a phishing attack, i.e., reputation, including, e.g., the category “malicious”, i.e., high-confidence, col. 4, lines 5-11, col. 11, lines 36-37, col. 15, lines 55-57; providing an alert, i.e., reputation notice, to a user of an endpoint, col. 4, lines 32-35).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify reputation notice of Himler to include a high-confidence reputation that the e-mail payload includes phishing content as claimed, because doing so would have provided more detailed information regarding the safety of e-mail.  Additionally, it would have been applying a known technique (i.e., high-confidence reputations) to a known device/method/product ready for improvement (i.e., providing reputation notices regarding e-mail/phishing content) to yield predictable results (i.e., a reputation notice comprising a high-confidence reputation as claimed).
Himler and Mesdaq did not disclose:
wherein the push notification includes an instruction not to open the e-mail payload.
Edwards disclosed:
wherein the push notification includes an instruction not to open the e-mail payload (notifying, i.e., instructing, a user that a phishing e-mail should not be opened, ¶[0124]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the push notification of Himler and Mesdaq wherein the push notification includes an instruction not to open the e-mail payload as claimed, because doing so would make it less likely that a user would interact with a malicious e-mail (Edwards, ¶0005]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claim 1 above, and further in view of Egilmez et al. (U.S. Pat. App. Pub. 2017/0034091), hereinafter Egilmez.

	Regarding claim 3, Himler disclosed the computing apparatus as detailed above.  Himler did not disclose the computing apparatus wherein the reputation notice comprises a high-confidence reputation that the e-mail payload is non-malicious, and wherein the push notification includes an instruction that the e-mail payload can be safely opened.
	Mesdaq disclosed:
wherein the reputation notice comprises a high-confidence reputation that the e-mail payload is non-malicious
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify reputation notice of Himler to include a high-confidence reputation that the e-mail payload is non-malicious as claimed, because doing so would have provided more detailed information regarding the safety of e-mail.  Additionally, it would have been applying a known technique (i.e., high-confidence reputations) to a known device/method/product ready for improvement (i.e., providing reputation notices regarding e-mail/phishing content) to yield predictable results (i.e., a reputation notice comprising a high-confidence reputation as claimed).
Himler and Mesdaq did not disclose:
wherein the push notification includes an instruction that the e-mail payload can be safely opened.
Egilmez disclosed:
wherein the push notification includes an instruction that the e-mail payload can be safely opened (a certificate, i.e., instruction, indicating that an e-mail is safe to open, col. 4, lines 10-13).

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claims 1 and 11 above, respectively, and further in view of Kumar et al. (U.S. Pat. App. Pub. 2020/0145458), hereinafter Kumar.

	Regarding claim 4, Himler disclosed the computing apparatus as detailed above.  Himler did not disclose the computing apparatus wherein the reputation notice comprises a low-confidence reputation, and wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed.
	Kumar disclosed:
wherein the reputation notice comprises a low-confidence reputation (an e-mail flag indicating an “unsure” risk level, ¶[0031]), and wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed (displaying that a service has no opinion regarding the risk level of the e-mail, ¶[0034]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the apparatus of Himler wherein the reputation notice comprises a low-confidence reputation, and wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed as claimed, because such flags diminished the risk of a successful phish attack and promoted early caution (Kumar, ¶[0025]).

	Regarding claim 15, Himler disclosed the phishing mitigation ecosystem as detailed above.  Himler did not disclose the phishing mitigation ecosystem wherein the response to the user endpoint device comprises an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold).
	Kumar disclosed an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold) (e-mail flags indicating risk level of an e-mail, ¶[0023]-[0025]; indicating the e-mail is trusted, i.e., safe, using a green check mark, ¶[0029]; a red flag to indicate a risk level of “phish”, i.e., unsafe, ¶[0040]; using yellow to indicate “unsure”, i.e., reputation not determined with confidence above a threshold, ¶[0031]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler to include an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold) as claimed, .

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claim 1 above, and further in view of Mesdaq (U.S. Pat. 10,601,865).

	Regarding claim 8, Himler disclosed the computing apparatus as detailed above.  Himler did not disclose the computing apparatus wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload.
	Mesdaq disclosed:
	wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload (extracting visual content, i.e., a screenshot image, attributed with an e-mail to perform screen shot analysis, i.e., visual analysis, to determine a phishing attack, col. 12, line 45-65).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the computing apparatus of Mesdaq wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload as claimed, because doing so would have been applying a known technique (i.e., screenshot/visual analysis) to a known device/method/product ready for improvement (i.e., the phishing detection system of Himler) to yield predictable results (i.e., an e-mail system providing a screenshot image for visual analysis as claimed).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claim 11 above, and further in view of Makavy (U.S. Pat. App. Pub. 2018/0219892).

Regarding claim 14, Himler disclosed the phishing mitigation ecosystem as detailed above.  Himler did not disclose the phishing mitigation ecosystem wherein the phishing analysis server further comprises a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail.
	Makavy disclosed:
a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail (email monitoring system, i.e., module, instructing a user at a second device, i.e., remotely, to segregate, i.e., quarantine, or delete and e-mail identified as malicious, ¶[0063]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler to further comprise a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail as claimed, because doing so would have aided users in avoiding opening malicious e-mails and prevented cyberattacks (Makavy, ¶[0003]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) as applied to claim 11 above, and further in view of Olenoski et al. (U.S. Pat. App. Pub. 2019/0325159), hereinafter Olenoski.

	Regarding claim 16, Himler disclosed the phishing mitigation ecosystem as detailed above.  Himler did not disclose the phishing mitigation ecosystem wherein the low-overhead user interaction comprises providing authentication credentials to the phishing analysis server for a user's web e-mail.
	Olenoski disclosed a user interaction providing authentication credentials to a server for a user's web e-mail (sending a request, i.e., user interaction, including email login credentials, i.e., authentication credentials, to a server that allow the server to access a user’s e-mail account, i.e., user’s web e-mail, ¶[0021]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the low-overhead user interaction of Himler to include providing authentication .

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Olenoski (U.S. Pat. App. Pub. 2019/0325159) as applied to claim 16 above, and further in view of Auerbach et al. (U.S. Pat. App. Pub. 2005/0223061), hereinafter Auerbach.

	Regarding claim 17, Himler and Olenoski disclosed the phishing analysis mitigation ecosystem as detailed above.  Himler and Olenoski did not disclose the phishing analysis mitigation ecosystem wherein receiving the request for a reputation comprises retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read.
	Auerbach disclosed:
retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read (retrieving new mail, i.e., incoming mail, from a server using IMAP or POP without removing it, i.e., deleting, or marking it as read, ¶[0046]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler and Olenoski wherein receiving the request for a reputation comprises retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read as claimed, because doing so would have been a faster way to identify new mail (Auerbach, ¶[0046]).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH R MANIWANG whose telephone number is (571)270-7257.  The examiner can normally be reached on 8:30AM - 4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing F Chan can be reached on (571) 272-7493.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JOSEPH R MANIWANG/Examiner, Art Unit 2441                                                                                                                                                                                                        
/WING F CHAN/Supervisory Patent Examiner, Art Unit 2441