Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority 
This application is a continuation-in-part of co-pending U.S. patent application Ser. No. 15/453,737 entitled MITIGATING COMMUNICATION RISK BY DETECTING SIMILARITY TO A TRUSTED MESSAGE CONTACT filed Mar. 8, 2017, which claims priority to U.S. Provisional Patent Application No. 62/399,821 entitled MITIGATING COMMUNICATION RISK filed Sep. 26, 2016 both of which are incorporated herein by reference for all purposes. This application claims priority to U.S. Provisional Patent Application No. 62/412,196 entitled ADDRESSING SOPHISTICATED COMMUNICATION ATTACKS filed Oct. 24, 2016 which is incorporated herein by reference for all purposes.
DETAILED ACTION
This Office Action is in response to an amendment application received on 11/18/2021. In the amendment, applicant has amended claims 1, 7 and 19-20. Claims 3, 6 and 10-11 remain cancelled. Claims 2, 4-5, 8-9, 12-18 and 21-24 remain original. No new claim has been added. 
For this Office Action, claims 1-2, 4-5, 7-9 and 12-24 have been received for consideration and have been examined. 




Response to Arguments
Claim Rejections - 35 USC § 112
	Applicant’s remarks with respect to rejection of dependent claim 23 and 24 under 35 U.S.C. § 112(b) have been reviewed and found to be persuasive. Therefore, this rejection has been withdrawn in this Office Action. 
Claim Rejection under 35 U.S.C. § 103
Applicant’s arguments, filed 11/18/2021, with respect to the rejection(s) of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of new amendments to the claims.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claim 7 is rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
7 recites “wherein determining that the potential security threat has been detected comprises: determining that the initial risk meets a first risk threshold but fails to meet a second risk threshold, wherein the initial risk meeting the first risk threshold indicates that the electronic message is not a near-certainty benevolent electronic message, and wherein the initial risk meeting the second threshold indicates that the electronic message is a near-certainty malice electronic message”.
Examiner consulted instant specification and found that paragraph [0022] recites “Messages with a risk score corresponding to near-certainty malice (e.g., those containing known malware attachments) are blocked, and messages with a risk score corresponding to a near-certainty benevolence (e.g., messages from trusted parties, with no risky contents) are delivered”. The cited section recites that ‘electronic message is a near-certainty benevolent electronic message’ instead of claimed ‘electronic message is not a near-certainty benevolent electronic message’. Therefore, examiner finds that instant specification does not have support for the amended claim 7 language. 
For the sake of examination, amended wherein clause will be interpreted as “wherein the initial risk meeting the first risk threshold indicates that the electronic message is [not] a near-certainty benevolent electronic message”.





Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 12, 14 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur et al., (US20120198017A1) e.f.d. of 07/01/2005.
Regarding claim 1, O’Sullivan discloses:
	A method, comprising:
using a processor to determine an initial risk of an electronic message ([0021] determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk), comprising:
determining the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein [0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor [trust] in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
O’Sullivan fails to disclose:
based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: modifying the electronic message, comprising: dynamically determining a modification to be made based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient; allowing the modified electronic message to be delivered to the intended recipient of the electronic message; after the modified electronic message is delivered to the intended recipient, automatically performing a secondary computer security risk assessment of the electronic message, wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both; and based on the secondary computer security risk assessment, updating the modified message.
However, LeVasseur discloses:
i.e. security aspects of incoming message as disclosed in FIG. 24; See [0694]), determining whether to modify the electronic message (i.e. email message has been modified/converted as “eMail2 Access Message” as described in light of FIG. 16); and 
in an event it is determined to modify the electronic message: 
modifying the electronic message, comprising: dynamically determining (i.e. as disclosed in FIG. 24; delivery of the messages can be automatically selected based on preselected preferences) a modification to be made (i.e., modification/conversion of original message into “Access Message”) based at least in part on a first risk profile (i.e. the Security Preferences [risk profile] created by the administrator as depicted in FIG. 24) of the intended recipient (i.e. security aspects of incoming message as disclosed in FIG. 24 such as receive message with All Service/Trusted Services, Messages with Attachments/Messages with No Attachments); [0061] FIG. 24 is an example of the Incoming Message Preferences dialog inserted into Microsoft Outlook with a plug-in; [0693] Incoming Message Options; [0694] The “Incoming Message Options” deal with all aspects of incoming messaging. They are defined by the user from the eMail2 client plug-in Options or Preferences menu, and affect the local security and preferences for a single installation of the eMail2 client plug-in (FIG. 1, 108)); 
allowing the modified electronic message (i.e., Access Message as depicted in FIG. 16 & FIG. 17) to be delivered to the intended recipient of the electronic message ([0054] FIG. 17 is an example of an eMail2 Introductory Message, viewed through the preview pane in Microsoft Outlook; [0094] The access message acts in part as a notification to the recipient that there is an eMail2 message on the eMail2 service 110 waiting to be retrieved; [0095] the access message) transmitted to the recipient's computing device 100 [0271] The recipient's e-mail client 101 receives the introductory message from the sender; [0272] If the recipient does have the eMail2 client plug-in 108 installed, the client plug-in 108 automatically retrieves the access message from service 110 onto the recipient's computing device 100; [0346] Event C: The access message informs the recipient that they have a new incoming eMail2 message waiting to be retrieved (see example access message in FIG. 18));
after the modified electronic message is delivered [after the message is delivered to the recipients] to the intended recipient ([0267] The eMail2 service 110 can perform additional virus and spam scanning processes on the eMail2 message using scanning module 102. While this scanning process preferably occurs after the access message is produced and delivered to the recipients), 
automatically performing a secondary computer security risk assessment of the electronic message, wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both ([0267] In addition, if a virus is detected by module 102, service 110 may update all of the recipients via an updated access message. If new information becomes available, service 110 may automatically update the access message and display a warning message alerting the recipient of new and critical information).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Sullivan reference and include an email scanning system which is able to modify the original e-mail message, deliver the modified message and able to perform additional virus and spam scanning on the original email, as disclosed by LeVasseur.
See LeVasseur: [0115]).
Regarding claim 4, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether a sender of the electronic message is a trusted sender (LeVasseur: [0249] Trusted: The flagged user is on the conferring user's trusted list. This may result in special treatment of the flagged user by the conferring user's client plug-in. For example, a user may choose to always retrieve all messages received from contacts on his or her trusted list).
Regarding claim 12, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein allowing the modified electronic message to be delivered to the intended recipient of the electronic message includes allowing the intended recipient to access the modified electronic message in a message repository of the intended recipient prior to a completion of the secondary computer security risk assessment (LeVassuer: [0054] FIG. 17 is an example of an eMail2 Introductory Message, viewed through the preview pane in Microsoft Outlook; [0094] The access message acts in part as a notification to the recipient that there is an eMail2 message on the eMail2 service 110 waiting to be retrieved; [0095] the access message) transmitted to the recipient's computing device 100 [0271] The recipient's e-mail client 101 receives the introductory message from the sender; [0272] If the recipient does have the eMail2 client plug-in 108 installed, the client plug-in 108 automatically retrieves the access message from service 110 onto the recipient's computing device 100; [0346] Event C: The access message informs the recipient that they have a new incoming eMail2 message waiting to be retrieved (see example access message in FIG. 18)).
Regarding claim 14, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein performing the secondary computer security risk assessment is based on the determined initial risk (LeVasseur: [0267] In addition, if a virus is detected by module 102, service 110 may update all of the recipients via an updated access message. If new information becomes available, service 110 may automatically update the access message and display a warning message alerting the recipient of new and critical information).
Regarding claim 18, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein updating the modified message based on the secondary computer security risk assessment includes determining whether a result of the secondary computer security risk assessment indicates a sufficient detected security threat for the electronic message, and in an event the result of the secondary computer security risk assessment does indicate the sufficient detected security threat, performing one or more of the following:
moving the modified message from a message inbox to another message folder; removing the modified message from a message inbox; modifying, removing or replacing at least one message attachment; modifying, removing or replacing at least one content location identifier; modifying, removing or replacing at least one contact identifier; and not allowing the intended recipient to fully access the electronic message (LeVasseur: [0054] FIG. 17 is an example of an eMail2 Introductory Message, viewed through the preview pane in Microsoft Outlook; [0094] The access message acts in part as a notification to the recipient that there is an eMail2 message on the eMail2 service 110 waiting to be retrieved; [0095] the access message) transmitted to the recipient's computing device 100 [0271] The recipient's e-mail client 101 receives the introductory message from the sender; [0272] If the recipient does have the eMail2 client plug-in 108 installed, the client plug-in 108 automatically retrieves the access message from service 110 onto the recipient's computing device 100; [0346] Event C: The access message informs the recipient that they have a new incoming eMail2 message waiting to be retrieved (see example access message in FIG. 18)).
Regarding claim 19, O’Sullivan discloses:
A system, comprising: a processor configured to:
a processor configured to:
determine an initial risk of an electronic message ([0021] determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk), comprising:
determine the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein ([0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor [trust] in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
determining a risk profile of an intended recipient of the electronic message based on a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
O’Sullivan fails to disclose:
based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: modifying the electronic message, comprising: dynamically determining a modification to be made based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient; allowing the modified electronic message to be delivered to the intended recipient of the electronic message; after the modified electronic message is delivered to the intended recipient, automatically performing a secondary computer security risk assessment of the electronic message, wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both; and based on the secondary computer security risk assessment, updating the modified message.
However, LeVasseur discloses:
	based on the initial risk (i.e. security aspects of incoming message as disclosed in FIG. 24; See [0694]), determining whether to modify the electronic message (i.e. email message has been modified/converted as “eMail2 Access Message” as described in light of FIG. 16); and 
in an event it is determined to modify the electronic message: 
modifying the electronic message, comprising: dynamically determining (i.e. as disclosed in FIG. 24; delivery of the messages can be automatically selected based on preselected preferences) a modification to be made (i.e., modification/conversion of original message into “Access Message”) based at least in part on a first risk profile (i.e. the Security Preferences [risk profile] created by the administrator as depicted in FIG. 24) of the intended recipient (i.e. security aspects of incoming message as disclosed in FIG. 24 such as receive message with All Service/Trusted Services, Messages with Attachments/Messages with No Attachments); [0061] FIG. 24 is an example of the Incoming Message Preferences dialog inserted into Microsoft Outlook with a plug-in; [0693] Incoming Message Options; [0694] The “Incoming Message Options” deal with all aspects of incoming messaging. They are defined by the user from the eMail2 client plug-in Options or Preferences menu, and affect the local security and preferences for a single installation of the eMail2 client plug-in (FIG. 1, 108)); 
allowing the modified electronic message (i.e., Access Message as depicted in FIG. 16 & FIG. 17) to be delivered to the intended recipient of the electronic message ([0054] FIG. 17 is an example of an eMail2 Introductory Message, viewed through the preview pane in Microsoft Outlook; [0094] The access message acts in part as a notification to the recipient that there is an eMail2 message on the eMail2 service 110 waiting to be retrieved; [0095] the access message) transmitted to the recipient's computing device 100 [0271] The recipient's e-mail client 101 receives the introductory message from the sender; [0272] If the recipient does have the eMail2 client plug-in 108 installed, the client plug-in 108 automatically retrieves the access message from service 110 onto the recipient's computing device 100; [0346] Event C: The access message informs the recipient that they have a new incoming eMail2 message waiting to be retrieved (see example access message in FIG. 18));
[after the message is delivered to the recipients] to the intended recipient ([0267] The eMail2 service 110 can perform additional virus and spam scanning processes on the eMail2 message using scanning module 102. While this scanning process preferably occurs after the access message is produced and delivered to the recipients), 
automatically performing a secondary computer security risk assessment of the electronic message, wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both ([0267] In addition, if a virus is detected by module 102, service 110 may update all of the recipients via an updated access message. If new information becomes available, service 110 may automatically update the access message and display a warning message alerting the recipient of new and critical information).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Sullivan reference and include an email scanning system which is able to modify the original e-mail message, deliver the modified message and able to perform additional virus and spam scanning on the original email, as disclosed by LeVasseur.
The motivation to include the email scanning system which can modify the original message and perform additional virus and spam scanning on the email is to further enhance email security in the enterprise and increase endpoint security (See LeVasseur: [0115]).


s 2, 7, 9, 17 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur et al., (US20120198017A1) e.f.d. of 07/01/2005 and further in view of Liao et al., (US20060101334A1) e.f.d. of 10/21/2004.
 Regarding claim 2, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message includes an attachment or a macro.
However, Liao discloses:
wherein determining the initial risk of the electronic message includes determining whether the electronic message includes an attachment or a macro ([0057] At this point it is instructive to review the various types of phishing e-mail messages … A second type of phishing e-mail message includes a hostile attachment, and the body of the message attempts to trick the user into executing the attachment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the O’Sullivan and LeVasseur references and include a system which is able to detect if electronic message contains any attachments, as disclosed by Liao.
The motivation to detect attachments in the electronic message is to determine if the attachment is malicious or not before it is delivered or retrieved by the end user (See Liao: [0057]). 
Regarding claim 7, the combination of O’Sullivan and LeVasseur fails to disclose:

However, Liao discloses:
wherein determining to modify the electronic message includes determining that a potential security threat that required further analysis has been detected for the electronic message ([0058] In step 408, in one of the embodiment, the message is parsed or otherwise analyzed to determine whether the message is a potential phishing e-mail message. Step 408 is primarily used to judge if a message needs to the further processing), 
wherein determining that the potential security threat has been detected comprises: 
determining that the initial risk meets a first risk threshold but fails to meet a second risk threshold, wherein the initial risk meeting the first risk threshold indicates that the electronic message is a near-certainty benevolent electronic message (Liao: [0060] If a link is not found, or if it is otherwise determined that the message is not a phishing e-mail message, then in step 412 it is determined that the message poses little risk of being a phishing e-mail message and in step 424 the original message (without modification) is delivered to the MTA or other indication is given indicating that the original message may be sent to the end user), and 
wherein the initial risk meeting the second threshold indicates that the electronic message is a near-certainty malice electronic message (Liao: [0060] Checking for an Internet link in an e-mail message to see if it is potentially a phishing e-mail message; [0061] In step 416, the message is further parsed and perhaps modified according to rule base 225 (see FIG. 9). Step 416 is optional but may be used in cases where the Internet scammer has modified the message or is using a new technique to fool an end user. This step provides the flexibility needed to modify a message in such a situation i.e., it is used to enhance the flexibility of phishing e-mail handling).
Regarding claim 9, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein modifying the electronic message includes adding a warning to one or more of the following parts of the electronic message: a message sender display name, a message subject, a message body, an attachment name, and an attachment content.
However, Liao discloses:
wherein modifying the electronic message includes adding a warning to one or more of the following parts of the electronic message: a message sender display name, a message subject, a message body, an attachment name, and an attachment content (Liao: [0069] In step 430 of FIG. 10, the process begins by replacing the message body 506 of e-mail message 502 with new plain text 557 that provides a warning that a phishing scam might be underway, or an explanation regarding any modifications to the e-mail message that have been performed).
Regarding claim 17, the combination of O’Sullivan LeVasseur discloses:
The method of claim 1, wherein updating the modified message based on the secondary computer security risk assessment includes determining whether a result of the secondary computer security risk assessment indicates a sufficient detected security threat for the electronic message, and in an event the result of the secondary computer security risk assessment does not indicate the sufficient detected security threat, allowing the intended 
However, Liao discloses:
wherein updating the modified message based on the secondary computer security risk assessment includes determining whether a result of the secondary computer security risk assessment indicates a sufficient detected security threat for the electronic message, and in an event the result of the secondary computer security risk assessment does not indicate the sufficient detected security threat, allowing the intended recipient to fully access the electronic message without at least a portion of a modification made in the modified electronic message ([0060] If a link is not found, or if it is otherwise determined that the message is not a phishing e-mail message, then in step 412 it is determined that the message poses little risk of being a phishing e-mail message and in step 424 the original message (without modification) is delivered to the MTA or other indication is given indicating that the original message may be sent to the end user).
Regarding claim 23, the combination of O’Sullivan, LeVasseur and Liao discloses:
The method of claim 1, wherein the determining of the initial risk is based on scores associated with two or more of the following: trust, reputation, authenticity, and/or risk, wherein: 
a score associated with the trust is determined based on a number of messages sent between an apparent sender and a recipient (O’Sullivan: [0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential message); 
a score associated with the authenticity is determined based on whether the electronic message has a valid digital signature (Liao: [0010] Companies who are vulnerable to phishing attacks would send their e-mail messages with a digital signature attached. If a message arrives for a user that is either not signed or the signature cannot be verified, the user would know that it is not a genuine message from the sending bank or e-commerce provider. The digitally signed e-mail with gateway verification approach uses the S/MIME standard for e-mail that is widely available today. Instead of relying on the end user's e-mail client to verify the signature on the message, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver's e-mail server).  

Claims 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur et al., (US20120198017A1) e.f.d. of 07/01/2005 and further in view of Berman., (US20070136806A1) e.f.d. of 12/14/2005.
Regarding claim 21, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message includes a hyperlink to a content not known to be trusted.
However, Berman discloses:
[0024] the present invention is directed to a system for blocking phishing of an email message to be displayed by an email client, comprising: a phishing inspection utility; a utility for sending a URL reference of an activated hyperlink of an email message to the phishing inspection utility instead of directing a browser to the URL).
It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and include phishing inspection utility to inspect e-mail messages for malicious URLs, as disclosed by Berman. 
The motivation to inspect e-mail messages with disclosed phishing inspection utility is to scan and detect malicious URLs in the e-mail messages and block potential phishing attempt (See Berman: [0021]).
Regarding claim 22, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein modifying the electronic message includes replacing a hyperlink or an attachment included in the message with a proxy hyperlink.
However, Berman discloses:
wherein modifying the electronic message includes replacing a hyperlink or an attachment included in the message with a proxy hyperlink. ([0022] According to a preferred embodiment of the invention, the sending operation includes the steps of: replacing the original URL reference of the hyperlink with a URL reference of the phishing inspection utility; [0023] the present invention is directed to a method for blocking phishing, the method comprising the steps of: at a point in a path of an email message from a sender thereof to a recipient thereof: replacing an original URL reference of a hyperlink within the email message with a URL reference of a phishing inspection utility).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur /et al., (US20120198017A1) e.f.d. of 07/01/2005 and further in view of McDougal et al., (US20160269437A1) e.f.d. of 03/12/2015.
Regarding claim 5, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message passes Sender Policy Framework (SPF) validation, passes DomainKeys Identified Mail (DKIM) validation, or has been sent from a trusted sender.
However, McDougal discloses:
	wherein determining the initial risk of the electronic message includes determining whether the electronic message passes Sender Policy Framework (SPF) validation, passes DomainKeys Identified Mail (DKIM) validation, or has been sent from a trusted sender ([0013] The context of a file is often left out of malware analysis consideration when using a passive approach to malware analysis. For example, consider an example in which the data stream is not copied and data that corresponds to data to be analyzed for malware is pulled out of the stream of network traffic. The context of the data in this example is often left out of the malware analysis because it is much simpler to just pull the content of the file and not pull the context data from the stream; [0014] Context data as used herein means data corresponding to a sender address, a recipient address, a send port/IP address, a receive port/IP address, a sender identity, a recipient identity, a time of transmission, a copy contact, a blind copy contact, a subject line content, a content of the message of the email, an author, time of creation, program used to create the content, attachment(s), server(s) involved in transmission, message identification (ID), domain key identified mail (DKIM) information, character set used, multipurpose internet mail extensions (MIME) information, or other context).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and LeVasseur and include malware analysis module, as disclosed by McDougal. 
The motivation to include malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).
Regarding claim 15, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein performing the secondary computer security risk assessment includes performing a more computationally intensive analysis of content included in or referenced by the electronic message as compared to an analysis performed to determine the initial risk.
However, McDougal discloses:
wherein performing the secondary computer security risk assessment includes performing a more computationally intensive analysis of content included in or referenced by the electronic message as compared to an analysis performed to determine the initial risk (McDougal: [0037] the malware analysis module 110 can perform a malware analysis on data from the carver module 122 and/or the file/context database 108. The malware analysis module 110 can receive data in a specified format, such as a sendmail queue format. The malware analysis module 110 can perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and LeVasseur and include malware analysis module, as disclosed by McDougal. 
The motivation to include malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) in view of LeVasseur et al., (US20160269437A1) and further in view of Emigh et al., (US20150288714A1).
Regarding claim 8, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein the determination of whether to modify the electronic message is made based on one or more comparisons of one or more scores calculated during an initial analysis with one or more corresponding threshold values.
However, Emigh discloses:
([0064] The suspicion level may be compared with a threshold (216). In some embodiments, a comparison may be performed after calculating a suspicion level. An example of calculating a suspicion level is to scoreboard one or more factors enumerated in an enumeration-based suspicion level).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and LeVasseur and determine the initial risk of the electronic message includes determining whether sender of the electronic message is to be trusted or not, as taught by Emigh.
	The motivation to check the sender of the electronic message is to reduce the deceptiveness of electronic interaction, and for protecting legitimate communications (See Emigh: [0002]).
Regarding claim 16, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein performing the secondary computer security risk assessment includes automatically generating a security inquiry and sending the security inquiry to a sender of the electronic message.
However, Emigh discloses:
	wherein performing the secondary computer security risk assessment includes automatically generating a security inquiry and sending the security inquiry to a sender of the electronic message ([0128] Examples of sender verification include presence of a digital signature demonstrating an identity matching the stated identity of the sender, proof that the sender is a preferred sender by reason of membership in an organization that is trusted to certify trustworthy senders, message transmission via a secure protocol that authenticates the sender, a digital signature proving that a message originated with the domain that is shown as its originator (such as Domain Keys), and validation by a technique such as SPF, Sender-ID or Caller ID for Email, which ensures that transmitting servers are authorized to handle messages from the address for which they are distributing a message). 
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and McDougal and determine the initial risk of the electronic message includes determining whether sender of the electronic message is to be trusted or not, as taught by Emigh.
	The motivation to check the sender of the electronic message is to reduce the deceptiveness of electronic interaction, and for protecting legitimate communications (See Emigh: [0002]).

Claim 24 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur et al., (US20120198017A1) e.f.d. of 07/01/2005 in view of Liao et al., (US20060101334A1) e.f.d. of 10/21/2004 and further in view of McDougal et al., (US20160269437A1) e.f.d. of 03/12/2015.
Regarding claim 24, the combination of O’Sullivan and LeVasseur discloses:
The method of claim 1, wherein the determining of the initial risk is based on scores associated with trust, reputation, authenticity, and risk, wherein:
O’Sullivan: [0018] aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level. In embodiments according to the present invention, a security policy may be modified, for example, to change password strength, a frequency of virus scans, a window for applying patches, to require that a laptop must remain on site, a sleep time between interactions, etc. The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc.).
The combination of O’Sullivan and LeVasseur fails to disclose:
a score associated with the authenticity is determined based on an analysis of a header of the electronic message, determining whether an originating server is associated with an IP address that has been previously utilized by a sender of the electronic message, whether the electronic message has a valid digital signature, or any combination thereof; and a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & Conformance (DMARC) reject policy, whether message contents of the electronic message includes a uniform resource locator (URL), whether message contents of the electronic message include a potentially executable attachment, whether message contents of the electronic message include keywords associated with high risk, or any combination thereof.
However, Liao discloses:
[0010] Companies who are vulnerable to phishing attacks would send their e-mail messages with a digital signature attached. If a message arrives for a user that is either not signed or the signature cannot be verified, the user would know that it is not a genuine message from the sending bank or e-commerce provider. The digitally signed e-mail with gateway verification approach uses the S/MIME standard for e-mail that is widely available today. Instead of relying on the end user's e-mail client to verify the signature on the message, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver's e-mail server).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the O’Sullivan and LeVasseur references and have a message transfer agent (MTA) which modifies the potential malicious email message before delivering it to the intended recipient, as disclosed by Liao.
	The motivation to have message transfer agent (MTA) which modifies the potential malicious email message before delivering it to the intended recipient is to protect the malicious content from executing on the intended recipient computer.
The combination of O’Sullivan, LeVasseur and Liao fails to disclose:
a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & 
However, McDougal discloses:
a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & Conformance (DMARC) reject policy, whether message contents of the electronic message includes a uniform resource locator (URL), whether message contents of the electronic message include a potentially executable attachment, whether message contents of the electronic message include keywords associated with high risk, or any combination thereof (McDougal: [0068] Example 2 can include or use, or can optionally be combined with the subject matter of Example 1, to include or use, wherein the specified property is data indicating that the application layer data traffic is one or more of electronic mail (email) traffic that includes an attachment, a file, and an executable).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, LeVasseur and Liao and include malware analysis module, as disclosed by McDougal. 
The motivation to include malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).
13 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) e.f.d. of 09/09/2009 in view of LeVasseur et al., (US20160269437A1) e.f.d. of 07/01/2005 and further in view of Vaidya et al., (US7797752B1).
Regarding claim 13, the combination of O’Sullivan and LeVasseur fails to disclose:
The method of claim 1, wherein the secondary computer security risk assessment is held and not performed until a resource availability criteria has been met.
However, Vaidya discloses:
	wherein the secondary computer security risk assessment is held and not performed until a resource availability criteria has been met (Col. 8, Lines 47-59; the periodic scanner has a variable scanning interval. The interval, in one embodiment, has a default setting of XXX. However, an administrator may alter the interval. In one embodiment, a user may also alter the interval for scanning. In one embodiment, the interval for scanning defines a “next scan” based the “date and time of last scan” information. In one embodiment, the “next scan” is defined as a date and time. When the date and time is reached, the periodic scanner is automatically initiated. In one embodiment, the periodic scanner may be delayed temporarily by a user, for example if the user is in the middle of a complex process, and needs the processing power otherwise diverted to the scanner. Once the scan is initiated, the process described above is followed).
	It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the references of O’Sullivan and LeVasseur, to provide wherein the secondary computer security risk assessment is held and not performed until a resource availability 
	The motivation to check hyperlinks in an email message is to provide a more secure system and protecting users from malicious electronic messages (See Vaidya: Col. 8, Lines 47-59).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over McDougal et al., (US20160269437A1) in view of Cohen et al., (US20100235636A1) and further in view of O’Sullivan et al., (US20110061089A1).
Regarding claim 20, McDougal discloses:
	A method, comprising:
identifying that an electronic message includes an encrypted message content item ([0030] The decrypt module 128 can decrypt data, such as SSL or TLS data, such as to help determine if the traffic includes a specified property which is being monitored by the detect module 130. The decrypt module 128 can determine if data is encrypted and a type of encryption of the data);
analyzing a computer security threat of the encrypted message content item prior to allowing the user access to decrypted content of the encrypted message content item ([0044] The network data from the client 104B is copied by the copy module 126, decrypted by the decrypt module 128 (if necessary), and analyzed by the detect module 130 before forwarding to the client 104B, gateway 102, or the client 104A. If the detect module 130 identifies that the network traffic data includes a specified property, that data corresponding to the property can be removed from the network data stream without being forwarded to the client 104A-B);
McDougal fails to disclose:
generating a wrapped version of the encrypted message content item and modifying the electronic message to include the wrapped version of the encrypted message content item instead of the original encrypted message content item; and allowing the electronic message with the wrapped version of the encrypted message content item to be delivered; wherein, in response to a user attempting to access content of the wrapped version of the encrypted message content item after the electronic message with the wrapped version of the encrypted message content item is delivered, the user is provided a request for a decryption password by a wrapper program of the wrapped version and the decryption password is utilized. 
However, Cohen discloses:
	generating a wrapped version of the encrypted message content item and modifying the electronic message to include the wrapped version of the encrypted message content item instead of the original encrypted message content item; and allowing the electronic message with the wrapped version of the encrypted message content item to be delivered ([0050] FIG. 2 is a flowchart illustrating the method of transmitting and accessing enhanced content for correct rendering by the recipient system; [0058] The method, comprises transforming (step b) the electronic message including the embedded instructions 24 into transformed content, i.e. data 26, essentially alphanumeric text. The transforming may include encrypting, encoding or compressing); 
([0058] The transforming may include encrypting, encoding or compressing. Then the data 26 is transmitted (step c) to the recipient terminal 18 for review by the recipient, where the data 26 is received (step d) by the recipient terminal 18; [0059] the recipient may be prompted (step f) to supply a password or decryption key to effect the transformation. Furthermore, the received data may be validated (step e) by checking the internal integrity of the embedded instructions 24, or by checking a digital signature of the message 14, or the received data 26).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of McDougal and include the method of encrypting the attachment in the message either with a user supplied password or decryption key, as disclosed by Cohen.
	The motivation to combine the two references is to be able to identify security threat in the email attachment and prevent the distribution of the encrypted malicious content in the email. 
The combination of McDougal and Cohen fails to disclose:
	determining the initial risk based on scores associated with one or more of the following: trust, reputation, authenticity, and/or risk, wherein a score associated with the trust; determining a risk profile of an intended recipient of the electronic message based on a number 
However, O’Sullivan discloses:
	determining the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein ([0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
determining a risk profile of an intended recipient of the electronic message based on a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the McDougal and Cohen references and include a system and method to determine a security risk for the user of an email system based on predetermined security policies, as disclosed by O’Sullivan.
See O’Sullivan: Abstract).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.M.A./Patent Examiner, Art Unit 2432                                                                                                                                                                                                        
/SYED A ZAIDI/Primary Examiner, Art Unit 2432