DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 03/16/2022 has been entered. Claims 1, 4, 10-11, 14, 20 are currently amended. Claims 1-20 are pending in the application.
The objection of claims 1, 4, 10-11, 14, 20 due to informalities has been withdrawn in light of applicant’s amendment to the claims. 
The nonstatutory double patenting rejection is kept as record below in response to applicant’s request to hold the rejection in abeyance until subject matter is identified as allowed in the instant application.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/16/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s arguments, see pg. 5-10 of the Remarks filed 3/16/2022 regarding claim rejection under 35 USC 103 over prior arts of record have been fully considered and asserted not persuasive due to following reason. 
Regarding independent claim 1, similarly claim 11, applicant argued the combination of Chapman and Arshad fails to teach or suggest each and every elements of the claimed invention. In particular, applicant argued the combination of Chapman and Arshad does not teach both (i) create a simulated phishing email addressed to one or more non-recipient users and (ii) communicated a command to exclude the one or more non-recipient users from receiving the simulated phishing email. See page 5-9 of the Remarks. 
Examiner respectively disagrees with applicant. 
Regarding item (i) above, as it has been shown in the Office Action mailed 1/5/2022, the examiner interprets the limitation “creating, …, a simulated phishing email addressed via one or more address fields to a recipient user and one or more non-recipient users” as creating email (that is used as testing to employees of a corporation against phishing), addressed to both recipient user and non-recipient users, i.e. any users since the recipient and non-recipient users do not limit creating the simulated email, and email is “addressed to”, not sent to. Chapman teaches creating phishing email messages to be sent to company’s employees (recipient and non-recipients) for training the employees. 
Regarding item (ii) above, applicant further argued Chapman does not teach the first command and second command to “exclude the one or more non-recipient users from receiving the simulated phishing email”. See pages 6-7 of the Remarks. Examiner asserts applicant’s argument is not persuasive since examiner indicated in the Office Action (see page 9) that although Chapman teaches commands “upload e-mail address” and “execute campaign”, the Office Action relies on Arshad’s teachings to suggest the simulated phishing email is excluded from being sent to the non-recipient users.
Regarding the teachings of Arshad, applicant argued “nothing in the paragraph of Arshad above, or elsewhere, suggest a command to exclude one or more users from receiving a simulated phishing email to whom the same simulated phishing email is addressed. See pages 7-8 of the Remark. Examiner respectively disagrees. Arshad’s paragraph [28] states: “Embodiments of the present invention can comprise SMTP commands such as, but not limited to, MAIL (e.g., sender/from information), RCPT (e.g., recipient/addressee information) and DATA (e.g., initiates transfer/exchange of mail). In the example, the RCPT command can process include participant(s) and the DATA command can limit sending of an e-mail toward the include participant(s) while current participants' associated mail servers can receive participant notifications to indicate the include participant(s)”. It is known for one ordinary skilled in the art that with SMTP protocol, RCPT (RCTP TO) command can be used to include email address(es) as participants for email content, and DATA command can be used to limit sending the email content only to the email address(es) associated with RCTP command, i.e. the non-recipient with email address that is not been associated with RCTP command will not receive the email, meaning, the non-recipients excluded from receiving the phishing email. Therefore, it is obvious to one ordinary skilled in the art to understand that phishing email can be generated to include recipient and non-recipient addresses as participants but the phishing email can be sent only to recipient’s address with only recipient address(s) included with RCPT command. For the above reasons, examiner asserts applicant’s argument is not convincing.
Applicant’s further argument on the respective dependent claims is also not persuasive since the argument is based on assumption that their respective independent claims are patentable.
Applicant is suggested to further incorporate innovative features into independent claims to advance the case.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11-20 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. Independent claim 11 is not statutory as it is drawn as a whole to a software per se. The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim is directed to a "A system comprising: one or more processors, configured to: …". Under the broadest reasonable interpretation (BRI) of the claim, the one or more processors can be software per se since applicant’s specification (e.g. para [91]) does not explicitly suggest processor(s) may be hardware processor(s). To overcome the above rejection, applicant is suggested to include hardware components such as memory. One example of suggested amendment: A system comprising: a memory storing instructions and one or more processors coupled to the memory, the one or more processors are configured to execute the instructions to: ..., or specifying the one or more processors are hardware processors.
Dependent claims 12-20 fail to cure the deficiency of claim 11 therefore are also rejected under 35 USC 101 shown above.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being anticipated by corresponding claims of US Patent No. 11,108,821 B2 (hereinafter, “’821”).
Claim 1 (or claim 7) of ‘821 discloses all of the limitations recited in claim 1 (similarly claim 11) of the instant application, as seen in the table below. Although the claim limitations are not identical but they are not patentably distinct.
Dependent claims 2-10 and 12-20 are also rejected by the corresponding claims of ‘821 as seen in the table below.
Claims Comparison Table
Instant Application 17/461,551
US Patent No. 11,108,821 B2
Claim 1 (similarly claim 11). 
A method comprising: 

creating, by one or more processors, a simulated phishing email addressed via one or more address fields to a recipient user and one or more non-recipient users; 





See above i.e. … one or more address fields…







communicating, by the one or more processors, to a mail system a first command of a mail transfer protocol to include the recipient user as a recipient of the simulated phishing email and to exclude the one or more non-recipient users from receiving the simulated phishing email; 

and communicating, by the one or more processors to the mail system, a second command of the mail transfer protocol that identifies one or more email addresses of the one or more non-recipient users with content of the simulated phishing email to the recipient user to cause displaying of the simulated phishing email to the recipient user to appear that the simulated phishing email was communicated to the one or more non-recipient users that were excluded from the first command.
Claim 1 (or claim 7). 
A method comprising: 

(a) generating, by a server for a recipient user of an entity to be targeted with a simulated phishing email, one or more email addresses of one or more non-recipient users to be displayed as recipients of the simulated phishing email when received by the recipient user;  

(b) generating, by the server, the simulated phishing email addressed via one or more address fields to the recipient user and the one or more non-recipient users;  

(c) initiating, by the server, transmission of the simulated phishing email to a mail server of the entity;  

(d) communicating, by the server, a RCPT TO command of a simple mail transfer protocol (SMTP) to the mail server to include the recipient user as the recipient of the simulated phishing email and to exclude the one or more non-recipient users as recipients of the simulated phishing email;  

and (e) communicating, by the server, via a DATA command of the SMTP with the mail server, the one or more email addresses of the one or more non-recipient users with content of the simulated phishing email to the recipient user to cause the simulated phishing email to be displayed to the recipient user with the one or more email addresses of the one or more non-recipient users as recipients of the simulated phishing email in order to give appearance to the recipient user that the simulated phishing email was communicated to the one or more non-recipient users that were excluded from the RCPT TO command.
Claim 2 (similarly claim 12). 
The method of claim 1, wherein the first command is a RCPT TO command of the mail transfer protocol comprising a simple mail transfer protocol (SMTP).
Claim 1 (d) above.
Claim 3 (similarly claim 13). 
The method of claim 1, wherein the second command is a DATA command of the mail transfer protocol comprising a simple mail transfer protocol (SMTP).
Claim 1 (e) above.
Claim 4 (similarly claim 12). 
The method of claim 1, further comprising identifying, by the one or more processors, for the recipient user the one or more email addresses of one or more non-recipient users to be displayed as a recipient of the simulated phishing email when received by the recipient user.
Claim 1 (a) above.
Claim 5 (similarly claim 15). 
The method of claim 4, further comprising identifying a valid email address for the one or more non-recipient users.
Claim 2. 
The method of claim 1, wherein (a) further comprises generating, by the server, the one or more email addresses as real email addresses of the one or more non-recipient users of the entity.
Claim 6 (similarly claim 16). 
The method of claim 4, further comprising generating a fake email address for the one or more non-recipient users.
Claim 3. 
The method of claim 1, wherein (a) further comprises generating, by the server the one or more email addresses as fake email addresses with a display name of the one or more non-recipient users.
Claim 7 (similarly claim 17). 
The method of claim 1, further comprising initiating, by the one or more processors, transmission of the simulated phishing email to the mail system.
Claim 1 (c) above.
Claim 8 (similarly claim 18). 
The method of claim 1, wherein the simulated phishing email is displayed to the recipient user with the one or more email addresses of the one or more non-recipient users as recipients of the simulated phishing email.
Claim 1 (a) above.
Claim 9 (similarly claim 19). 
The method of claim 1, further comprising receiving, by the one or more processors, an indication that the recipient user interacted with the simulated phishing email.
Claim 6. 
The method of claim 1, further comprising identifying, by the server, whether the recipient user interacted with the simulated phishing email …
Claim 10 (similarly claim 20). The method of claim 9, further comprising identifying, by the one or more processors based at least on the indication, training for the recipient user.
Claim 6. 
The method of claim 1, further comprising identifying, by the server, whether the recipient user interacted with the simulated phishing email and responsive to the identifying that the recipient user interacted with the simulated phishing email, determine a training module for the recipient user.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 7, 9, 11-13, 17, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman et al (US20130198846A1-IDS by applicant, hereinafter, “Chapman”), in view Arshad et al (US20180077098A1-IDS by applicant, hereinafter, “Arshad”).
Regarding claim 1, Chapman teaches:
A method comprising: 
creating, by one or more processors, a simulated phishing email addressed via one or more address fields to a recipient user and one or more non-recipient users (Chapman, discloses system and method of testing employees to determine their potential susceptibility to phishing scams, see [Abstract]. In particular, [0011] The susceptibility of individuals in an organization to e-mail and Internet cybercrimes such as phishing discussed above are addressed by the present invention. And [0012] one or more phishing e-mail messages to be sent to the company's employees are customized. And [0015] an e-mail manager module that is arranged and configured to facilitate the creation by the information technology administrator of at least one phishing e-mail. Also see Fig. 1 processor 88); Examiner notes, simulated email is addressed to recipient user and non-recipient user suggests the simulated email is addressed to any users, i.e. recipient and non-recipient users do not limit the creating a simulated email.
communicating, by the one or more processors, to a mail system (Chapman, [0023] FIG. 4 is a somewhat schematic block diagram showing the operation of the e-mail template manager and e-mail server manager modules of FIG. 1 to prepare e-mails to be sent to employees of the client organization) a first command (Chapman, for instance step 134 of Fig. 2, i.e. upload e-mail addresses) [of a mail transfer protocol to include the recipient user as a recipient of the simulated phishing email and to exclude the one or more non-recipient users from receiving the simulated phishing email]; (See Arshad below for limitation(s) in bracket)
and communicating, by the one or more processors to the mail system, a second command (Chapman, for instance step 148 of Fig. 2, i.e. execute campaign) [of the mail transfer protocol that identifies one or more email addresses of the one or more non-recipient users with content of the simulated phishing email to the recipient user to cause displaying of the simulated phishing email to the recipient user to appear that the simulated phishing email was communicated to the one or more non-recipient users that were excluded from the first command]. (See Arshad below for limitation(s) in bracket)
While Chapman teaches the main concept of the invention of creating phishing e-mail and display each of target emails in the customized message with email content (Chapman, as shown in Fig. 10 as example), but does not explicitly teach using a mail transfer protocol to include the recipient user as a recipient of the simulated phishing email and to exclude the one or more non-recipient users from receiving the simulated phishing email and identify one or more email addresses of the one or more non-recipient users with content of the simulated phishing email to the recipient user to cause displaying of the simulated phishing email to the recipient user to appear that the simulated phishing email was communicated to the one or more non-recipient users that were excluded from the first command, however in the same field of endeavor Arshad teaches:
[communicating, by the one or more processors, to a mail system a first command] (see Chapman above) of a mail transfer protocol to include the recipient user as a recipient of the simulated phishing email and to exclude the one or more non-recipient users from receiving the simulated phishing email (Arshad, discloses email-chain manager managing participants associated with e-mail chain, see [Abstract]. In particular, [0028] it should be noted that inclusion of a visible text string would not initiate a broadcast of the e-mail chain toward current participants but rather would be visible when a participant first interacts with an e-mail chain after an include participant is added. In an example of Simple Mail Transfer Protocol (SMTP) (i.e. mail transfer protocol) implementation, the SMTP can operate mail functions such as, … session initiation, sending, ...Embodiments of the present invention can comprise SMTP commands such as, …, RCPT (i.e. first command) (e.g., recipient/addressee information) … In the example, the RCPT command can process include participant(s)); Examiner notes RCPT command is used in SMTP to specify include participants, i.e. recipients only, since email addresses without being “include participants” is excluded, i.e. non-recipients.
[and communicating, by the one or more processors to the mail system, a second command ] (see Chapman above) of the mail transfer protocol that identifies one or more email addresses of the one or more non-recipient users with content of the simulated phishing email to the recipient user to cause displaying of the simulated phishing email to the recipient user to appear that the simulated phishing email was communicated to the one or more non-recipient users that were excluded from the first command (Arshad, [0028] In an example of Simple Mail Transfer Protocol (SMTP) (i.e. the mail transfer protocol) implementation, the SMTP can operate mail functions such as, … session initiation, sending, ...Embodiments of the present invention can comprise SMTP commands such as, …, RCPT (e.g., recipient/addressee information) (i.e. first command) and DATA (i.e. second command) (e.g., initiates transfer/exchange of mail).  In the example, the RCPT command can process include participant(s) and the DATA command can limit sending of an e-mail toward the include participant(s) while current participants' associated mail servers can receive participant notifications to indicate the include participant(s)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Arshad in the system of facilitating organizational testing of employee’s susceptibility to phishing emails of Chapman by using RCPT and DATA commands in the SMTP implementation to selectively send the email chain to intended participants only. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the RCPT and DATA commands with SMTP protocol to not send the phishing email of Chapman to the non-recipients (Arshad, [Abstract], [0028], [0030]) even though the customized message is shown to address to each target emails as displayed.

Regarding claim 11, Chapman-Arshad combination teaches:
A system comprising: one or more processors, (Chapman, see Fig. 1 processor 88 and memory 106) and configured to: perform method steps substantially similar to the method steps of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 2, similarly claim 12, Chapman-Arshad combination further teaches:
The method of claim 1, the system of claim 11, wherein the first command is a RCPT TO command of the mail transfer protocol comprising a simple mail transfer protocol (SMTP) (Arshad, [0018] E-MAIL SERVER 122 can manage e-mail processing such as, but not limited to, sending and/or receiving messages using an e-mail protocol such as, … and SMTP over NETWORK 140. And [0028] Embodiments of the present invention can comprise SMTP commands such as, but not limited to, … RCPT…).  

Regarding claim 3, similarly claim 13, Chapman-Arshad combination further teaches:
The method of claim 1, the system of claim 11, wherein the second command is a DATA command of the mail transfer protocol comprising a simple mail transfer protocol (SMTP) (Arshad, [0018] E-MAIL SERVER 122 can manage e-mail processing such as, but not limited to, sending and/or receiving messages using an e-mail protocol such as, … and SMTP over NETWORK 140. And [0028] Embodiments of the present invention can comprise SMTP commands such as, but not limited to, … and DATA …).  

Regarding claim 7, similarly claim 17, Chapman-Arshad combination further teaches:
The method of claim 1, the system of claim 11, further comprising initiating, by the one or more processors, transmission of the simulated phishing email to the mail system (Chapman, Fig. 4 shows generating and executing campaign processes and step 202 shows Select E-mail server (i.e. mail system)).  

Regarding claim 9, similarly claim 19, Chapman-Arshad combination further teaches:
The method of claim 1, the system of claim 11, further comprising receiving, by the one or more processors, an indication that the recipient user interacted with the simulated phishing email (Chapman, [0076] Referring now to the bottom level of FIG. 7, if the user 294 accepts the invitation 280 by interacting with it (e.g., clicking on a link, etc.) in a user interacts with the invitation step 308, probe data 310 will be generated).  

Claims 4, 6, 14, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman-Arshad combination as applied above, further in view of Matzkel et al (US 20130067012A1-IDs by applicant, hereinafter, “Matzkel”).
Regarding claim 4, similarly claim 14, Chapman-Arshad combination teaches:
The method of claim 1, the system of claim 11,
While the combination of Chapman-Arshad does not explicitly teach but in the similar field of endeavor Matzkel teaches:
further comprising identifying, by the one or more processors, for the recipient user the one or more email addresses of one or more non-recipient users to be displayed as a recipient of the simulated phishing email when received by the recipient user (Matzkel, [0025] to increase security of information related to the intended recipients, processing of the intended recipients may include at least one of …(b) generating fake recipient addresses (i.e. non-recipients) that can be identified as fake by an outgoing communication module but not necessarily by other parties, (c) placing processed recipients (i.e. such as the fake addresses in b)) in another message part such as the message body (i.e. content) or subject).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Matzkel in the system of facilitating organizational testing of employee’s susceptibility to phishing emails of Chapman-Arshad by generating fake recipient addresses in the content of message body as display to the recipient user. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate and use fake recipient addresses in the message body that cannot be identified by other parties (Matzkel, [0025]).

Regarding claim 6, similarly claim 16, Chapman-Arshad-Matzkel combination further teaches:
The method of claim 4, the system of claim 14, further comprising generating a fake email address for the one or more non-recipient users (Matzkel, [0025] to increase security of information related to the intended recipients, processing of the intended recipients may include at least one of …(b) generating fake recipient addresses…).

Claims 5, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman-Arshad-Matzkel combination as applied above, further in view of Shraim et al (US20070299777, hereinafter, “Shraim”).
Regarding claim 5, similarly claim 15, Chapman-Arshad-Matzkel combination teaches:
The method of claim 4, the system of claim 14,
While the combination of Chapman-Arshad-Matzkel does not explicitly teach but in the same field of endeavor Shraim teaches:
further comprising identifying a valid email address for the one or more non-recipient users (Shraim, the method 800 can include identifying the requirements for a valid email address (e.g., user@domain.tld). And referring to Fig. 11B step 1198, [0206] the analysis of the messages, etc. can include identifying the intended recipient of the messages (block 1198)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shraim in the system of facilitating organizational testing of employee’s susceptibility to phishing emails of Chapman-Arshad-Matzkel by identifying whether the intended recipient of message has valid address. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect, prevent and response to online fraud (Shraim, [Abstract], [0004]-[0005]).  

Claims 8, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman-Arshad combination as applied above to claims 1 and 11 respectively, further in view of Eisen (US 20180295153A1, hereinafter, “Eisen”).
Regarding claim 8, similarly claim 18, Chapman-Arshad combination teaches:
The method of claim 1, the system of claim 11,
While the combination of Chapman-Arshad does not explicitly teach but in the same field of endeavor Eisen teaches:
wherein the simulated phishing email is displayed to the recipient user with the one or more email addresses of the one or more non-recipient users as recipients of the simulated phishing email (Eisen, [0035] An online communication, such as an email, can involve a sender and at least one recipient. When a recipient receives an online communication from a sender, the recipient may typically be provided with information such as: …, a name and/or address of other recipients (e.g., including recipients receiving a carbon copy (Cc)), a name (or display name) of the intended recipient, an address (e.g., email address) of the recipient).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Eisen in the system of facilitating organizational testing of employee’s susceptibility to phishing emails of Chapman-Arshad by displaying all intended recipient name/email addresses in the email content. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the well-known method indicated by Eisen (Eisen, [0035]) to allow the recipient user to see the recipient names or email addresses to believe all other intended recipients displayed in email are real recipients.  

Claims 10, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman-Arshad combination as applied above, further in view of Bloxham et al (US 20180041537A1-IDs by applicant, hereinafter, “Bloxham”).
Regarding claim 10, similarly claim 20, Chapman-Arshad combination teaches:
The method of claim 9, the system of claim 19,
While the combination of Chapman-Arshad does not explicitly teach but in the same field of endeavor Bloxham teaches:
further comprising identifying, by the one or more processors based at least on the indication, training for the recipient user (Bloxham, discloses identifying and remediating phishing security weaknesses, see [Title]. And [0004] Based on whether the user fails to respond appropriately to the simulated phishing threat, the threat management facility may implement one or more prophylactic measures to remediate the security weakness exposed by the user's failure to respond appropriately to the simulated phishing threat… Additionally, or alternatively, the user may be enrolled in training…).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Bloxham in the system of facilitating organizational testing of employee’s susceptibility to phishing emails of Chapman-Arshad by measuring the recipient user’s interaction with the simulated phishing threat and directing user for training to remediate the security weakness. This would have been obvious because the person having ordinary skill in the art would have been motivated to have the threat management facility to implement preventive measure to remediate the security weakness to reduce the likelihood the user will be the victim of an actual phishing attack (Bloxham, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Bordia (US20050117715A1) discloses method involving displaying an exclude user input field within a graphical user interface window, and inputting a set of exclude set of recipient entities from an exclude user input field. A message is sent to destinations indicated by the recipient entities within an include set of recipient entities, but not to destinations indicated by the recipient entities within the exclude set of recipient entities.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436