DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 03/21/2022 have been fully considered but they are not persuasive.

Regarding claims 11, 14, 16, and 17 rejected under 35 U.S.C. 101, Examiner submits that the recitation of “a user endpoint device” and “a notification center of the endpoint device” recites more than software per se.  Accordingly, the rejection has been withdrawn.

Regarding claims 2-4 and 6 rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement, claims 16 and 17 rejected under 35 U.S.C. 112(b) as being indefinite, and claims 10 and 19 rejected under 35 U.S.C. 112(d) as failing to further limit the subject matter from which it depends, Examiner notes that no claim amendments or specific arguments have been made that address these rejections.  Accordingly, the rejections have been maintained below.

Applicant makes reference to the rejection of claims 1-12 and 14-20 under 35 U.S.C. 103 as being obvious over Gorsica et al. (U.S. Pat. App. Pub. 2020/0221400) in view of Moldavsky et al. (U.S. Pat. App. Pub. 2015/0080030).  However, Examiner notes that these references were not used in the previous rejection under 35 U.S.C. 103, or at any time during prosecution.  The remarks appear to be a typographical error, as the arguments are relevant to the pending claims.
Applicant asserts that the prior art of record does not teach the newly amended limitation “provide a push notification of the mobile computing device, the push notification comprising a reputation notice for the e-mail payload to be displayed on a notification center of the mobile device.”  Examiner disagrees.  Particularly with respect to Himler et al. (U.S. Pat. 9,781,149), which is relied upon again in the below rejection under 35 U.S.C. 103, Examiner reiterates the position set forth in the Non-Final Rejection filed 12/13/2021 that Himler teaches several notifications, where it was disclosed “it may output a prompt to the user, such as by displaying a message confirming that the reported message is from a non-malicious or trusted sender” (Himler, col. 7, lines 54-59, emphasis added), and “presenting a prompt to the user 210 after the system analyzes a message” (Himler, col. 15, lines 1-2, emphasis added).  Additionally, Himler disclosed “If the system determines that the reported message is not from a trusted sender, it may send the user a notification” (Himler, col. 6, line 66 through col. 7, line 1, emphasis added).  Examiner submits that the various messages/prompts/notifications sent by a system to a user as disclosed by Himler read on the claimed “push notification”.  As understood by one of ordinary skill in the art, the broad definition of a push notification is a communication that is sent from a source to a destination.  Here, Himler provides a notification sent from a system (i.e., source) to a user (i.e., destination), which clearly reads on a “push notification” as claimed.  Applicant’s Specification provides no special definition of a push notification, and the claims do not require any specific feature of a “push notification” that would distinguish it from the ordinary meaning of the term or from the teachings of Himler.  For these reasons, Himler is relied upon again in the rejection under 35 U.S.C. 103 below.
Furthermore, the newly added limitation “to be displayed on a notification center of the mobile device” is taught by the prior art, as evidenced by the teachings of Davison et al. (U.S. Pat. App. Pub. 2022/0078235), relied upon in the rejection under 35 U.S.C. 103 below.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 2-4 and 6 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 2, 3, and 6 recite “a high-confidence reputation, comprising a reputation above a high-confidence threshold”; claim 4 recites “a low-confidence reputation, comprising a confidence below a low-confidence threshold”.  The Specification does not disclose any of a “high-confidence threshold” or a “low-confidence threshold”, or a reputation being above a high-confidence threshold, or a confidence below a low-confidence threshold.  At best, any disclosure of “thresholds” occurs in ¶[0182] and [0185]; however, these portions of the Specification do not discuss the claimed “high-confidence threshold” or “low-confidence threshold”.  Specifically, ¶[0182] discloses a “yellow” email flag, indicating a “reputation not determined with confidence above a threshold”.  This disclosure broadly recites a “threshold”, and does not explicitly recite a “high-confidence threshold” or a “low-confidence threshold” as claimed.  Furthermore, this disclosure describes a reputation where an above-threshold confidence is “not determined”, which differs from the claims in that 1) claims 2, 3, and 6 recite a reputation above a high-confidence threshold, whereas the disclosure recites a confidence being above a threshold, and 2) claims 2-4 and 6 positively recite a reputation for which something has been determined as above or below a threshold, whereas the disclosure merely states that such a comparison to a threshold has been “not determined”.  To be clear, the “yellow (reputation not determined with confidence above a threshold)” only describes indicating a reputation without a determined confidence, which does not support the claim limitations of indicating a reputation with either a reputation above a threshold or a confidence below a threshold, and describes the broad use of a confidence above a threshold, whereas the claims recite a reputation above a threshold.
Moreover, ¶[0185] discloses a “low threshold for suspiciousness”, which describes a suspiciousness threshold (i.e., a threshold related to suspiciousness of an email) and not the claimed “high-confidence threshold” or “low-confidence threshold” (i.e., a threshold related to the confidence of a determined reputation).
It is also noted that the Specification does generally disclose assigning to an email payload a “reputation score” associated with a “degree of confidence”, e.g., a “green reputation…with a high degree of confidence” or a “red reputation…with high confidence” (Specification, ¶[0075]; also see ¶[0076]-[0077], [0084]-[0085]).  However, despite disclosing assigning various reputations with “high confidence/high degrees of confidence”, “sufficiently high confidence”, or even “percentage confidence”, these portions of the Specification do not disclose doing so through or in conjunction with the use of any “high-confidence thresholds” or “low-confidence thresholds” as claimed.
Therefore, these limitations in the claims are not supported by the disclosure and fail to comply with the written description requirement.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 16 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 16 recites the limitation "the low-overhead user interaction".  There is insufficient antecedent basis for this limitation in the claim, as the claims do not previously recite a “low-overhead user interaction”.  Claim 17 is rejected as depending from claim 16 and under the same rationale.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.


Claims 10 and 19 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends.

Claim 10 recites “wherein the validation request comprises a one-click reputation request from the mobile computing device” (emphasis added), which is subject matter previously recited in claim 1, line 5 (“a one-click validation request from a mobile computing device”, emphasis added).  Therefore, claim 10 does not further limit claim 1.

Claim 19 recites “wherein providing the reputation for the suspicious email comprises providing a push notification to the endpoint device” (emphasis added), which is subject matter previously recited in claim 18, line 12 (“providing to the endpoint device a reputation for the suspicious e-mail via a push notification”, emphasis added).  Claim 19 therefore does not further limit claim 18.

Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1, 5-7, 9-12, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Himler et al. (U.S. Pat. 9,781,149), hereafter Himler, and further in view of Davison et al. (U.S. Pat. App. Pub. 2022/0078235), hereinafter Davison.

Regarding claim 1, Himler disclosed a computing apparatus (cybersecurity analyzer server, col. 5, line 25), comprising:
	a hardware platform comprising a processor and a memory (CPU, col. 15, line 63; memory, col. 16, line 2);
	a network interface (communication port, col. 16, line 32); and
	instructions encoded within the memory (instructions, col. 16, line 15) to instruct the processor to:
		receive via the network interface a one-click validation request from a mobile computing device (client computing device, i.e., mobile computing device, col. 5, line 24; e.g., portable electronic devices/smartphones, col. 3, line 28; client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25; reporting function implemented as a reporting button, i.e., one-click, col. 6, line 30), the validation request comprising an e-mail payload (reporting function forwarding the potentially malicious message, i.e., e-mail payload, to the cybersecurity analyzer server, col. 6, lines 26-29 and 44-46, col. 15, lines 29-32);
		query a cloud phishing reputation service for a reputation, the query comprising information from the e-mail payload (accessing, i.e., querying, reference data, i.e., a cloud phishing reputation service, for reputation information, i.e., a reputation, regarding the message, col. 5, lines 56-60, col. 7, lines 26-29);
		receive from the cloud phishing reputation service reputation data for the e-mail payload (determining a trust score/reputation for the message, col. 12, line 13); and
		provide a push notification to the mobile computing device, the push notification comprising a reputation notice for the e-mail payload (outputting feedback, e.g., a message/prompt/notification, i.e., push notification/reputation notice, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).
	While Himler disclosed push notifications, Himler did not disclose displaying the push notifications on a notification center of the mobile device as claimed:
 	provide a push notification to the mobile computing device, the push notification comprising a reputation notice for the e-mail payload to be displayed on a notification center of the mobile device (emphasis added).
	Davison disclosed receiving, i.e., displaying, a push notification in a notification center of a mobile device (¶[0029]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the push notifications of Himler to be displayed on a notification center of the mobile device as claimed, because doing so would have been applying a known technique (i.e., the use of a notification center on a mobile device to display push notifications) to a known device/method/product (i.e., push notifications) ready for improvement to yield predictable results (i.e., displaying the push notifications of Himler on a notification center of a mobile device).

Regarding claim 5, Himler and Davison disclosed the computing apparatus wherein the instructions are further to extract link information from the e-mail payload, and wherein querying the cloud phishing reputation service comprises querying a uniform resource locator (URL) reputation service for link reputations (distinguishing between malicious messages and legitimate messages by identifying malicious URLs within the message, Himler, col. 8, lines 18-20, col. 12, lines 26-38; accessing, i.e., querying, reference data, i.e., a URL reputation service, for reputation information, i.e., link reputations, Himler, col. 5, lines 56-60, col. 7, lines 26-29).

	Regarding claim 6, Himler and Davison disclosed the computing apparatus wherein the reputation notice for the e-mail payload comprises a not-safe reputation if at least one link has a high-confidence reputation, comprising a reputation above a high-confidence threshold, for being a phishing link (flagging a message as malicious, i.e., a not-safe reputation, when a link, e.g., has more than 4 levels, i.e., above a high-confidence threshold, of re-direction, i.e., a high-confidence reputation for being a phishing link, Himler, col. 13, lines 16-18).

	Regarding claim 7, Himler and Davison disclosed the computing apparatus wherein the instructions are further to provide information from an attachment of the e-mail payload to the cloud reputation service, and wherein the reputation data comprise reputation data for the attachment (distinguishing between malicious messages and legitimate messages by identifying malicious attachments, Himler, col. 8, lines 19-20; reference data including malware signatures, i.e., reputation data for the attachment, Himler, col. 7, lines 29-30).

	Regarding claim 9, Himler and Davison disclosed the computing apparatus wherein the validation request comprises a forwarded e-mail (reporting function forwarding the potentially malicious message, i.e., e-mail payload, to the cybersecurity analyzer server, Himler, col. 6, lines 26-29 and 44-46, col. 15, lines 29-32).

	Regarding claim 10, Himler and Davison disclosed the computing apparatus wherein the validation request comprises a one-click reputation request from the mobile computing device (reporting button, i.e., one-click reputation request, Himler, col. 6, lines 30, 40-46, col. 9, lines 58-61).

Regarding claim 11, Himler disclosed a phishing mitigation ecosystem, comprising:
	a user endpoint device (client computing device, i.e., user endpoint device, col. 5, line 24; e.g., portable electronic devices/smartphones, col. 3, line 28), comprising:
		software instructions (program instructions, col. 16, line 19) to provide an e-mail client (messaging client, col. 5, line 66) or plugin to an email client (plug-in in an email tool, col. 6, line 30), the instructions to provide a user interface (user interface, col. 6, line 2) to provide a substantially one-click user interaction to provide a phishing analysis request for an e-mail (messaging client including a reporting button, i.e., one-click user interaction, for reporting, i.e., request, and forwarding a malicious email to a cybersecurity analyzer server, col. 6, lines 30 and 40-46, col. 9, lines 58-61);
	a phishing analysis server (cybersecurity analyzer server, col. 5, line 25), comprising:
		a receiver software module to receive the phishing analysis request from the user endpoint device (client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25);
		an extraction software module to extract analysis data from the phishing analysis request (extracting portions of the message, col. 13, lines 44-46);
		a request software module to request a reputation (accessing, i.e., requesting, reference data for reputation information, i.e., a reputation, col. 5, lines 56-60, col. 7, lines 26-29), and to receive a reputation response comprising a reputation associated with the request for a reputation (determining a trust score/reputation for the message, col. 12, line 13); and
		a server response software module to provide a push notification to the user endpoint device comprising a safety reputation for the phishing analysis request (outputting feedback, e.g., a message/prompt/notification, to the client computing device, i.e., push notification, regarding the trustworthiness, i.e., safety reputation, of a message, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2); and
	a cloud reputation service (reference data, col. 5, lines 56-60, col. 7, lines 26-29), comprising:
		a reputation store (reference data, col. 5, lines 56-60, col. 7, lines 26-29);
		a receiver software module to receive the request for a reputation (accessing, i.e., requesting, the reference data for reputation information, i.e., a reputation, col. 5, lines 56-60, col. 7, lines 26-29);
		an analysis software module to analyze the request for a reputation and to assign a reputation from the reputation store (determining a trust score/reputation for the message, col. 12, line 13); and
		a cloud response software module to provide the reputation response to the phishing analysis server (outputting feedback, e.g., a message/prompt/notification, i.e., push notification/reputation notice, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).
While Himler disclosed push notifications, Himler did not disclose displaying the push notifications on a notification center of the mobile device as claimed:
 	a server response software module to provide a push notification to the user endpoint device comprising a safety reputation for the phishing analysis request to be displayed on a notification center of the endpoint device (emphasis added).
Davison disclosed receiving, i.e., displaying, a push notification in a notification center of a mobile device, i.e., endpoint device (¶[0029]).
The combination of references is made under the same rationale as claim 1 above.

	Regarding claim 12, Himler and Davison disclosed the phishing mitigation ecosystem wherein the user endpoint device is a smart phone or tablet (smartphone, tablet computer, Himler, col. 3, lines 28-29).

Regarding claim 18, Himler disclosed a method of detecting phishing or malicious e-mail content, comprising:
	conditioning an end user operating an endpoint device (end user, col. 6, line 10; client computing device, i.e., endpoint device, col. 5, line 24) to identify an e-mail as suspicious (training, i.e., conditioning, end users, e.g., employees, to recognize malicious/phishing emails, i.e., emails as suspicious, col. 9, lines 21-35) with a low threshold for suspiciousness (e.g., a message appearing to originate from a known or official entity, col. 4, lines 3-6), wherein the threshold for suspiciousness includes any e-mail that may potentially collect personal, enterprise, or financial information (messages performing malicious actions, e.g., transmitting stored data, making data accessible to a third party, or inviting a recipient to enter login credentials or disclose sensitive information, col. 4, line 55 through col. 5, line 8);
	receiving from the end user a request to verify a suspicious e-mail (client computing device, i.e., end user, col. 5, line 24; e.g., portable electronic devices/smartphones, col. 3, line 28; client computing device using a reporting function for reporting, i.e., validation request, a potentially malicious message to the cybersecurity analyzer server, col. 6, lines 22-25);
	extracting content from the suspicious e-mail (extracting portions of the message, col. 13, lines 44-46);
	forwarding the extracted content to a public cloud reputation service (accessing, i.e., querying, reference data, i.e., a public cloud reputation service, regarding the message, col. 5, lines 56-60, col. 7, lines 26-29);
	receiving from the public cloud reputation service a reputation for the extracted content (determining a trust score/reputation for the message, col. 12, line 13); and
	providing to the endpoint device a reputation for the suspicious e-mail via a push notification (outputting feedback, e.g., a message/prompt/notification, i.e., reputation, regarding the message, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).
While Himler disclosed push notifications, Himler did not disclose displaying the push notifications on a notification center of the mobile device as claimed:
	providing to the endpoint device a reputation for the suspicious e-mail via a push notification to be displayed on a notification center of the endpoint device (emphasis added).
Davison disclosed receiving, i.e., displaying, a push notification in a notification center of a mobile device, i.e., endpoint device (¶[0029]).
The combination of references is made under the same rationale as claim 1 above.

	Regarding claim 19, Himler and Davison disclosed the method wherein providing the reputation for the suspicious e-mail comprises providing a push notification to the endpoint device (outputting feedback, e.g., a message/prompt/notification, i.e., push notification, Himler, col. 6, lines 55-58, col. 7, lines 54-59, col. 9, line 63, col. 11, lines 14-15, col. 15, lines 1-2).

	Regarding claim 20, Himler and Davison disclosed the method wherein providing the reputation for the suspicious e-mail comprises providing electronic information regarding the reputation for the suspicious e-mail (presenting a prompt including specific information about the message as to why the message is trusted/untrusted, Himler, col. 15, lines 1-7).

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 1 above, and further in view of Edwards (U.S. Pat. App. Pub. 2019/0020682), and further in view of Mesdaq et al. (U.S. Pat. 10,601,865), hereinafter Mesdaq.

Regarding claim 2, Himler and Davison disclosed the computing apparatus as detailed above.  Himler and Davison did not disclose the computing apparatus wherein the push notification includes an instruction not to open the e-mail payload.
Edwards disclosed the computing apparatus wherein the push notification includes an instruction not to open the e-mail payload (notifying, i.e., instructing, a user that a phishing e-mail should not be opened, Edwards, ¶[0124]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the apparatus of Himler and Davison wherein the push notification includes an instruction not to open the e-mail payload as claimed, because doing so would make it less likely that a user would interact with a malicious e-mail (Edwards, ¶[0005]).
Himler, Davison, and Edwards did not disclose:
wherein the reputation notice comprises a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload includes phishing content.
Mesdaq disclosed:
wherein the reputation notice comprises a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload includes phishing content (generating a score indicating a level of confidence that an email is associated with a phishing attack, i.e., reputation, including, e.g., the category “malicious”, i.e., high-confidence, col. 4, lines 5-11, col. 11, lines 36-37, col. 15, lines 55-57; determining an email to be associated with a phishing attack, i.e., a high-confidence reputation, when the score, i.e., reputation, meets or exceeds a predefined threshold, i.e., above a high-confidence threshold, col. 4, lines 11-14; providing an alert, i.e., reputation notice, to a user of an endpoint, col. 4, lines 32-35).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the reputation notice of Himler, Davison, and Edwards to include a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload includes phishing content as claimed, because doing so would have provided more detailed information regarding the safety of e-mail.  Additionally, it would have been applying a known technique (i.e., high-confidence reputations and threshold comparison) to a known device/method/product ready for improvement (i.e., providing reputation notices regarding e-mail/phishing content) to yield predictable results (i.e., a reputation notice comprising a high-confidence reputation above a threshold as claimed).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 1 above, and further in view of Mesdaq (U.S. Pat. 10,601,865), and further in view of Egilmez et al. (U.S. Pat. App. Pub. 2017/0034091), hereinafter Egilmez.

Regarding claim 3, Himler and Davison disclosed the computing apparatus as detailed above.  Himler and Davison did not disclose the computing apparatus wherein the reputation notice comprises a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload is non-malicious, and wherein the push notification includes an instruction that the e-mail payload can be safely opened.
	Mesdaq disclosed:
wherein the reputation notice comprises a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload is non-malicious (generating a score indicating a level of confidence that an email is associated with a phishing attack, i.e., reputation, including, e.g., the category “benign”, i.e., high-confidence, col. 4, lines 5-11, col. 11, lines 36-37, col. 15, lines 55-57; providing an alert, i.e., reputation notice, to a user of an endpoint, col. 4, lines 32-35).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the reputation notice of Himler and Davison to include a high-confidence reputation, comprising a reputation above a high-confidence threshold, that the e-mail payload is non-malicious as claimed, because doing so would have provided more detailed information regarding the safety of e-mail.  Additionally, it would have been applying a known technique (i.e., high-confidence reputations) to a known device/method/product ready for improvement (i.e., providing reputation notices regarding e-mail/phishing content) to yield predictable results (i.e., a reputation notice comprising a high-confidence reputation as claimed).
Himler, Davison, and Mesdaq did not disclose:
wherein the push notification includes an instruction that the e-mail payload can be safely opened.
Egilmez disclosed:
wherein the push notification includes an instruction that the e-mail payload can be safely opened (notifying a client that an email is harmless and can be opened, ¶[0013]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the push notification of Himler, Davison, and Mesdaq to include an instruction that the e-mail payload can be safely opened as claimed, because doing so would have been use of a known technique (i.e., notifying a user that an email is safe to open) to improve similar devices/methods/products (i.e., the email reputation system of Himler, Davison, and Mesdaq) in the same way.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 1 above, and further in view of Ryan et al. (U.S. Pat. App. Pub. 2019/0132273), hereinafter Ryan, and further in view of Kumar et al. (U.S. Pat. App. Pub. 2020/0145458), hereinafter Kumar.

Regarding claim 4, Himler and Davison disclosed the computing apparatus as detailed above.  Himler and Davison did not disclose the computing apparatus wherein the reputation notice comprises a low-confidence reputation, comprising a confidence below a low-confidence threshold, and wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed.
	Ryan disclosed:
wherein the reputation notice (a user terminal receiving a response message in response to a performed threat analysis for an electronic message indicating a threat status, i.e., reputation notice, of the electronic message, ¶[0054]) comprises a low-confidence reputation, comprising a confidence below a low-confidence threshold (a threat status at a confidence level, i.e., confidence, less than a confidence level threshold, i.e., below a low-confidence threshold, ¶[0057], [0070]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the apparatus of Himler and Davison wherein the reputation notice comprises a low-confidence reputation, comprising a confidence below a low-confidence threshold as claimed, because doing so would have provided more accurate classification of phishing/attack emails.
Himler, Davison, and Ryan did not disclose:
wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed.
	Kumar disclosed:
wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed (displaying that a service has no opinion regarding the risk level of the e-mail, ¶[0034]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the push notification of Himler, Davison, and Ryan wherein the push notification comprises a warning that a reliable reputation for the e-mail payload could not be computed as claimed, because doing so would have diminished the risk of a successful phish attack and promoted early caution (Kumar, ¶[0025]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 1 above, and further in view of Mesdaq (U.S. Pat. 10,601,865).

	Regarding claim 8, Himler and Davison disclosed the computing apparatus as detailed above.  Himler and Davison did not disclose the computing apparatus wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload.
	Mesdaq disclosed:
	wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload (extracting visual content, i.e., a screenshot image, attributed with an e-mail to perform screen shot analysis, i.e., visual analysis, to determine a phishing attack, col. 12, lines 45-65).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the computing apparatus of Himler and Davison wherein the instructions are further to provide a screenshot image of the e-mail payload, and wherein the reputation data comprise reputation data based on a visual analysis of the e-mail payload as claimed, because doing so would have been applying a known technique (i.e., screenshot/visual analysis) to a known device/method/product ready for improvement (i.e., the phishing detection system of Himler and Davison) to yield predictable results (i.e., an e-mail system providing a screenshot image for visual analysis as claimed).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 11 above, and further in view of Makavy (U.S. Pat. App. Pub. 2018/0219892).

Regarding claim 14, Himler and Davison disclosed the phishing mitigation ecosystem as detailed above.  Himler and Davison did not disclose the phishing mitigation ecosystem wherein the phishing analysis server further comprises a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail.
	Makavy disclosed:
a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail (email monitoring system, i.e., module, instructing a user at a second device, i.e., remotely, to segregate, i.e., quarantine, or delete an e-mail identified as malicious, ¶[0063]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler and Davison to further comprise a module to remotely instruct the user endpoint device to delete or quarantine an e-mail after determining with high confidence that the e-mail is a malicious phishing e-mail as claimed, because doing so would have aided users in avoiding opening malicious e-mails and prevented cyberattacks (Makavy, ¶[0003]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 11 above, and further in view of Kumar (U.S. Pat. App. Pub. 2020/0145458).

	Regarding claim 15, Himler and Davison disclosed the phishing mitigation ecosystem as detailed above.  Himler and Davison did not disclose the phishing mitigation ecosystem wherein the response to the user endpoint device comprises an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold).
	Kumar disclosed an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold) (e-mail flags indicating risk level of an e-mail, ¶[0023]-[0025]; indicating the e-mail is trusted, i.e., safe, using a green check mark, ¶[0029]; a red flag to indicate a risk level of “phish”, i.e., unsafe, ¶[0040]; using yellow to indicate “unsure”, i.e., reputation not determined with confidence above a threshold, ¶[0031]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler and Davison to include an e-mail flag indicating that an e-mail is green (safe), red (unsafe), or yellow (reputation not determined with confidence above a threshold) as claimed, because such flags diminished the risk of a successful phish attack and promoted early caution (Kumar, ¶[0025]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149) and Davison (U.S. Pat. App. Pub. 2022/0078235) as applied to claim 11 above, and further in view of Olenoski et al. (U.S. Pat. App. Pub. 2019/0325159), hereinafter Olenoski.

Regarding claim 16, Himler and Davison disclosed the phishing mitigation ecosystem as detailed above.  Himler and Davison did not disclose the phishing mitigation ecosystem wherein the low-overhead user interaction comprises providing authentication credentials to the phishing analysis server for a user's web e-mail.
	Olenoski disclosed a user interaction providing authentication credentials to a server for a user's web e-mail (sending a request, i.e., user interaction, including email login credentials, i.e., authentication credentials, to a server that allow the server to access a user’s e-mail account, i.e., user’s web e-mail, ¶[0021]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the low-overhead user interaction of Himler and Davison to include providing authentication credentials to the phishing analysis server for a user's web e-mail as claimed, because doing so would have provided improved security (Olenoski, ¶[0016]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Himler (U.S. Pat. 9,781,149), Davison (U.S. Pat. App. Pub. 2022/0078235), and Olenoski (U.S. Pat. App. Pub. 2019/0325159) as applied to claim 16 above, and further in view of Auerbach et al. (U.S. Pat. App. Pub. 2005/0223061), hereinafter Auerbach.

Regarding claim 17, Himler, Davison, and Olenoski disclosed the phishing analysis mitigation ecosystem as detailed above.  Himler, Davison, and Olenoski did not disclose the phishing analysis mitigation ecosystem wherein receiving the request for a reputation comprises retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read.
	Auerbach disclosed:
retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read (retrieving new mail, i.e., incoming mail, from a server using IMAP or POP without removing it, i.e., deleting, or marking it as read, ¶[0046]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Himler, Davison, and Olenoski wherein receiving the request for a reputation comprises retrieving the user's incoming mail via post office protocol (POP) or internet message access protocol (IMAP) without deleting the incoming mail or marking the incoming mail as read as claimed, because doing so would have been a faster way to identify new mail (Auerbach, ¶[0046]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH R MANIWANG whose telephone number is (571)270-7257. The examiner can normally be reached 8:30AM - 4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing F Chan, can be reached on (571) 272-7493. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JOSEPH R MANIWANG/Examiner, Art Unit 2441
/WING F CHAN/Supervisory Patent Examiner, Art Unit 2441