Prosecution Insights
Last updated: July 17, 2026
Application No. 19/173,269

Dynamic Message Analysis Platform for Enhanced Enterprise Security

Non-Final OA §103
Filed
Apr 08, 2025
Priority
Dec 12, 2019 — provisional 62/947,050 +3 more
Examiner
WICKRAMASURIYA, SAMEERA
Art Unit
Tech Center
Assignee
Proofpoint Inc.
OA Round
1 (Non-Final)
76%
Grant Probability
Favorable
1-2
OA Rounds
1y 5m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allowance Rate
137 granted / 180 resolved
+16.1% vs TC avg
Strong +34% interview lift
Without
With
+34.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
8 currently pending
Career history
190
Total Applications
across all art units

Statute-Specific Performance

§101
1.4%
-38.6% vs TC avg
§103
87.4%
+47.4% vs TC avg
§102
4.5%
-35.5% vs TC avg
§112
5.6%
-34.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 180 resolved cases

Office Action

§103
7DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement 2. The information disclosure statement(s) (IDS) submitted on 04/08/2025, 05/30/2025, 08/22/2025, 12/30/2025, 01/30/2026 and 05/13/2026 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement(s) is/are being considered by the examiner. Double Patenting 3. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 4. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-20 of U.S. Patent No. US 12,306,930 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 1-20 of the conflicting patent anticipate the limitations of Claims 1-20 of the instant application. Therefore, Claims 1-20 are not patentable. Claim Rejections - 35 USC § 103 5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 6. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. 7. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 8. Claims 1, 3-9 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson (US 2018/0152471 A1, hereinafter Jakobsson) in view of Ferri et al. (US 2010/0192224 A1, hereinafter Ferri). Regarding Claim 1, Jakobsson discloses a computing platform (Jakobsson: ¶ [0025] invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor), comprising: at least one processor (Jakobsson: ¶ [0025] the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions); a communication interface communicatively coupled to the at least one processor (Jakobsson: ¶ [0035] network 108 include one or more of the following: a direct or indirect physical communication connection, a mobile communication network, Internet, intranet, Local Area Network, Wide Area Network, Storage Area Network, and any other form of connecting two or more systems, components, or storage devices together, ¶ [0025]); and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to (Jakobsson: ¶ [0025]): determine a weighted grade for an endpoint relationship (Jakobsson: ¶ [0048] determining whether the sender of the message has an established relationship with the intended recipient, ¶ [0049] the message is analyzed for security risks using historical observations associated with the sender of the message with respect to the intended recipient of the message, ¶ [0050] each aspect is analyzed to determine a risk component score associated with each component. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score, ¶¶ [0045-0047, 0055, 0058, 0076]); identify that the weighted grade exceeds a predetermined threshold (Jakobsson: ¶ [0058] one or more security risk scores are determined and based on these score(s), a security action is selected among different security action options…, the security risk score may indicate that the message is of high risk…, If there exists a different security risk score for different types of security risks, each different type of score may be analyzed separately and/or analyzed in combination to determine which level, ¶ [0131] the measure of total risk is utilized to mitigate risk of messages received from the message contact..., if a value of the measure of total risk is above a threshold value, the message is identified as a risk and the message is filtered to reduce its risk to the recipient, ¶ [0045]); based on identifying that the weighted grade exceeds the predetermined threshold, tag the endpoint relationship as compromised (Jakobsson: ¶ [0058] one or more security risk scores are determined and based on these score(s), a security action is selected among different security action options…, the security risk score may indicate that the message is of high risk…, If there exists a different security risk score for different types of security risks, each different type of score may be analyzed separately and/or analyzed in combination to determine which level, ¶ [0131] when a message from the message contact is received, its measure of total risk for the sender of the message ( e.g., message contact) is obtained and the measure of total risk is utilized to determine whether to filter and/or allow the message to be delivered…., the measure of total risk is utilized to mitigate risk of messages received from the message contact..., if a value of the measure of total risk is above a threshold value, the message is identified as a risk and the message is filtered to reduce its risk to the recipient, ¶[0049] the message is analyzed for security risks using historical observations associated with the sender of the message with respect to the intended recipient of the message,¶[0050, 0135]); determine that a first message involves an endpoint of the endpoint relationship that was tagged as compromised (Jakobsson: ¶ [0058] one or more security risk scores are determined and based on these score(s), a security action is selected among different security action options…, the security risk score may indicate that the message is of high risk…, If there exists a different security risk score for different types of security risks, each different type of score may be analyzed separately and/or analyzed in combination to determine which level, ¶¶ [0131, 0143, 0196]); and rewrite a uniform resource located (URL) included in the first message to point to a security service that is configured to open the URL in an isolation environment (Jakobsson: ¶ [0144] modifying data included in the data field includes modifying a location identifier of content associated with the sender of the message. For example, a URL to an image of the sender is modified to reference a different image, ¶¶ [0025, 0058, 0131]). However, it is noted that Jakobsson does not explicitly disclose: rewrite a uniform resource located (URL) included in the first message to point to a security service that is configured to open the URL in an isolation environment. However, Ferri from the same field of endeavor as the claimed invention discloses a user desires to access information on a web page that may contain malicious content (Ferri: [Abstract]), opening content referenced by a hyperlink in a sandbox session (Ferri: ¶ [0015]), it is determined if content referenced by the hyperlink should be opened in a sandbox session. Determining if the content should be opened in a sandbox session may be manual based on user interaction or automatic based on a set of policies (Ferri: ¶ [0016]), and opening content comprises requesting the content referenced by the hyperlink from a source (e.g., web server), and rendering the content returned from the source in the browser (Ferri: ¶ [0019], See also ¶¶ [0028-0029]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ferri in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because sandbox session protects a host by preventing content from being stored on the host beyond the confines of the sandbox session (Ferri: ¶ [0021]), and the content items can be scanned using at least an antivirus scan, a spy-ware scan and a mal-ware scan within the sandbox (See Ferri: ¶ [0022]). Regarding Claim 3, Claim 3 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein the security service is hosted by one of: the computing platform or the isolation environment (Jakobsson: ¶ [0059] performing additional automated scrutiny of the message (e.g., including its content portion)…, analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine…, and moving the message to a special folder identifying its higher risk, ¶ [0025] invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium). Regarding Claim 4, Claim 4 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. However, Jakobsson does not explicitly disclose wherein rewriting the URL to point to the security service that is configured to open the URL in the isolation environment causes the isolation environment to: request content corresponding to the URL; receive the content corresponding to the URL; apply one or more security checks to the content corresponding to the URL; render the content corresponding to the URL; and send, based on the rendered content and to a user device, a graphical output. Ferri further discloses a user desires to access information on a web page that may contain malicious content (Ferri: [Abstract]), opening content referenced by a hyperlink in a sandbox session (Ferri: ¶ [0015]), the sandbox session may be configured with firewall and/or antivirus protection (Ferri: ¶ [0017]), and the content is opened in the browser of the sandbox session. Opening content comprises requesting the content referenced by the hyperlink from a source (e.g., web server), and rendering the content returned from the source in the browser…, sandbox session isolates any potential malicious content returned from the source from space and/or resources not allocated to the sandbox session (Ferri: ¶ [0019], also see ¶¶ [0020-0021]), and the artifact is scanned for possible malicious content. The sandbox session initiates at least one of an antivirus scan, a spy-ware scan and a mal-ware scan on the artifact (Ferri: ¶ [0022]), and provided as a computer program product, or software, that may include a machine readable medium having stored thereon instructions, which may be used to program a computer system ( or other electronic device(s)) to perform a process (Ferri: ¶ [0028]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ferri in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because sandbox session protects a host by preventing content from being stored on the host beyond the confines of the sandbox session (Ferri: ¶ [0021]), and the content items can be scanned using at least an antivirus scan, a spy-ware scan and a mal-ware scan within the sandbox (See Ferri: ¶ [0022]). Regarding Claim 5, Claim 5 is dependent on Claim 4, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 4. However, Jakobsson does not explicitly disclose wherein sending the graphical output to the user device enables the user device to interact with the rendered content in the isolation environment. Ferri further discloses a user desires to access information on a web page that may contain malicious content (Ferri: [Abstract]), opening content referenced by a hyperlink in a sandbox session (Ferri: ¶ [0015]), the content is opened in the browser of the sandbox session. Opening content comprises requesting the content referenced by the hyperlink from a source (e.g., web server), and rendering the content returned from the source in the browser (Ferri: ¶ [0019]), and a user may desire to save an artifact contained within the content referenced by a hyperlink opened in the sandbox session. Examples of artifacts include PDF files, images, word processing documents, spreadsheets, etc. (Ferri: ¶ [0021]) and provided as a computer program product, or software, that may include a machine readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic device(s)) to perform a process (Ferri: ¶ [0028]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ferri in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because sandbox session protects a host by preventing content from being stored on the host beyond the confines of the sandbox session (Ferri: ¶ [0021]), and the content items can be scanned using at least an antivirus scan, a spy-ware scan and a mal-ware scan within the sandbox (See Ferri: ¶ [0022]). Regarding Claim 6, Claim 6 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: detect that signals within a second message do not match signals within the first message (Jakobsson: ¶ [0039] At 204, the message is profiled…, Profiling the message includes storing information about and/or included in the message in a database to track historical observations about the sender of the message, ¶ [0050] there exists a plurality of aspects of the message to be analyzed using the historical observations, ¶ [0051] using past observation data generated by profiling past messages from the sender, statistics on the commonality of various combinations of metadata/configurations/content of messages have been determined and stored in a data structure. Using this information in combination with identified information in the contents and/or header of the message, a likelihood the received message conforms to a typical message from the sender for the intended recipient is determined); and in response to detecting that the signals within the second message do not match the signals within the first message, trigger the second message to be displayed along with a warning label (Jakobsson: ¶ [0035] risk analysis performed by recipient message server 106 results in a risk value of a message. The risk value may be utilized at least in part to flag/label the message, modify the message (e.g., add warning), and/or to determine whether to allow the message to be delivered to an intended recipient of the message, ¶ [0051] using past observation data generated by profiling past messages from the sender, statistics on the commonality of various combinations of metadata/configurations/content of messages have been determined and stored in a data structure. Using this information in combination with identified information in the contents and/or header of the message, a likelihood the received message conforms to a typical message from the sender for the intended recipient is determined…, risk score value for an aspect of the message may be computed using a Bayesian probability score of the particular observation/feature/content/metadata being consistent with past observations of communications between the sender and the recipient ¶ [0058] the security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient). Regarding Claim 7, Claim 7 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: identify a parent organization corresponding to the endpoint relationship that was tagged as compromised (Jakobsson: ¶ [0048] determining whether the sender of the message has an established relationship with the intended recipient includes obtaining a social, organizational, communication, collaboration, business and/or other relationship information of the sender and/or the intended recipient, ¶ [0074] performing a security analysis includes identifying which domains and subdomains are used ¶¶ [0058, 0131]); identify additional endpoints associated with the parent organization (Jakobsson: ¶ [0074] performing a security analysis includes identifying which domains and subdomains are used…, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny, ¶¶ [0058, 0131]); determine that a second message involves one of the additional endpoints associated with the parent organization, the second message comprising a second URL (Jakobsson: ¶ [0074] performing a security analysis includes identifying which domains and subdomains are used…, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny, ¶ [0144] modifying data included in the data field includes modifying a location identifier of content associated with the sender of the message. For example, a URL, ¶¶ [0058, 0131]); and rewrite the second URL to point to the security service that is configured to open the URL in the isolation environment (Jakobsson: ¶ [0074] performing a security analysis includes identifying which domains and subdomains are used…, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny, ¶ [0144] modifying data included in the data field includes modifying a location identifier of content associated with the sender of the message. For example, a URL an image of the sender is modified to reference a different image, ¶¶ [0058, 0131]). However, Jakobsson does not explicitly disclose rewrite the second URL to point to the security service that is configured to open the URL in the isolation environment. Ferri further discloses a user desires to access information on a web page that may contain malicious content (Ferri: [Abstract]), opening content referenced by a hyperlink in a sandbox session (Ferri: ¶ [0015]), it is determined if content referenced by the hyperlink should be opened in a sandbox session. Determining if the content should be opened in a sandbox session may be manual based on user interaction or automatic based on a set of policies (Ferri: ¶ [0016]), and opening content comprises requesting the content referenced by the hyperlink from a source (e.g., web server), and rendering the content returned from the source in the browser (Ferri: ¶ [0019], See also ¶¶ [0028-0029]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ferri in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because sandbox session protects a host by preventing content from being stored on the host beyond the confines of the sandbox session (Ferri: ¶ [0021]), and the content items can be scanned using at least an antivirus scan, a spy-ware scan and a mal-ware scan within the sandbox (See Ferri: ¶ [0022]). Regarding Claim 8, Claim 8 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein the first message is addressed to a first enterprise organization (Jakobsson: ¶ [0044] the sender of the message has an established relationship with the intended recipient of the message if the sender (e.g., from email address of the sender) has sent a message to the intended recipient of the message (e.g., recipient email address of the message), ¶ [0048] determining whether the sender of the message has an established relationship with the intended recipient includes obtaining a social, organizational, communication, collaboration, business and/or other relationship information of the sender and/or the intended recipient, ¶ [0086] attackers typically configure accounts they have compromised to forward emails to another account, ¶¶ [0058, 0098, 0131]). Regarding Claim 9, Claim 9 is dependent on Claim 8, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 8. Jakobsson further discloses wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: detect additional messages corresponding to the endpoint relationship that was tagged as compromised, wherein the additional messages are addressed to users at other enterprise organizations, different than the first enterprise organization (Jakobsson: ¶ [0031] incoming messages are filtered and analyzed for spam, viruses, spoofing, impersonation, ATOed sender, and any other harmful or undesired content to detect, prevent, or minimize such messages from reaching a message recipient served by the recipient message server, ¶ [0086] attackers typically configure accounts they have compromised to forward emails to another account, either selectively (such as based on the subject line, the sender, the thread, etc.) or for all emails, ¶ [0098]); identify a subset of the additional messages that include URLs (Jakobsson: ¶ [0031] incoming messages are filtered and analyzed for spam, viruses, spoofing, impersonation, ATOed sender, and any other harmful or undesired content to detect, prevent, or minimize such messages from reaching a message recipient served by the recipient message server, ¶ [0106] an amount/volume/rate of messages sent by the sender, a number/breadth of different recipients ( e.g., number of different domains of recipients, number of different email addresses of recipients, etc.), ¶ [0143] it is determined to filter the message, if applicable. Filtering the message may include modifying at least a portion of the message, affecting delivery of the message, providing a notification regarding the message, and/or performing additional analysis on the message, ¶¶ [0098, 0107-110, 0121, 0144]); and rewrite the URLs to point to the security service that is configured to open the URLs in the isolation environment (Jakobsson: ¶ [0074] performing a security analysis includes…, traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny, ¶ [0144] modifying data included in the data field includes modifying a location identifier of content associated with the sender of the message. For example, a URL an image of the sender is modified to reference a different image). However, Jakobsson does not explicitly disclose: rewrite the URLs to point to the security service that is configured to open the URLs in the isolation environment. Ferri further discloses a user desires to access information on a web page that may contain malicious content (Ferri: [Abstract]), opening content referenced by a hyperlink in a sandbox session (Ferri: ¶ [0015]), it is determined if content referenced by the hyperlink should be opened in a sandbox session. Determining if the content should be opened in a sandbox session may be manual based on user interaction or automatic based on a set of policies (Ferri: ¶ [0016]), and opening content comprises requesting the content referenced by the hyperlink from a source (e.g., web server), and rendering the content returned from the source in the browser (Ferri: ¶ [0019], See also ¶¶ [0028-0029]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ferri in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because sandbox session protects a host by preventing content from being stored on the host beyond the confines of the sandbox session (Ferri: ¶ [0021]), and the content items can be scanned using at least an antivirus scan, a spy-ware scan and a mal-ware scan within the sandbox (See Ferri: ¶ [0022]). Regarding Claim 12, Claim 12 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein tagging the endpoint relationship as compromised includes one of more of: pushing an alert to one or more user devices indicating that the endpoint relationship that was tagged as compromised is compromised (Jakobsson: ¶ [0035] risk value may be utilized at least in part to flag/label the message, modify the message (e.g., add warning), and/or to determine whether to allow the message to be delivered to an intended recipient of the message, ¶ [0053] marked up with a warning "This message comes from an account that is temporarily associated with risk. Please proceed with caution, ¶¶ [0029, 0035, 0168, 0187]), or configuring the alert for retrieval by the one or more user devices via application protocol interfaces (API) . Regarding Claim 13, Jakobsson discloses a method comprising: at a computing platform comprising at least one processor, a communication interface, and memory: (Jakobsson: ¶ [0025] invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor, ¶ [0035] network 108 include one or more of the following: a direct or indirect physical communication connection, a mobile communication network, Internet, intranet, Local Area Network, Wide Area Network, Storage Area Network, and any other form of connecting two or more systems, components, or storage devices together) and discloses all the limitations of Claim 13, in combination with Ferri, as discussed in Claim 1. Therefore, Claim 13 is rejected using the same rationales as discussed in Claim 1. Regarding Claim 14, Claim 14 is dependent on Claim 13, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein determining the weighted grade for the endpoint relationship is based on a security scoring process (Jakobsson: ¶ [0039] the historical information about messages by the sender for a particular recipient may be combined with historical information about messages sent by the sender for other recipients to determine a combined message profile/history of the sender for use in assessing security risk of messages by the sender for recipient without an established communication history with the sender, ¶ [0040] information in the header of the message that identifies one or more of the following is tracked for the sender of the message: a mail user agent, a time zone, IP address…, ¶ [0050] historical observations include information about messages from/to the sender of the message to/from the recipient of the received message, ¶ [0051] past observation data about messages from the sender is analyzed to determine a probability that a combination of features/contents/metadata of the message being analyzed is likely to be exhibited together and this probability is utilized to determine a risk component score). Regarding Claims 15-19, Claims 15-16 and 18-19 are dependent on Claim 13 and Claim 17 is dependent on Claim 16. The combination of Jakobsson and Ferri discloses all the limitations of Claims 13 and 16. The combination of Jakobsson and Ferri discloses all the limitations of Claims 15-19 as discussed in Claims 3-7. Therefore, Claims 15-19 are rejected using the same rationales as discussed in Claims 3-7. Regarding Claim 20, Jakobsson discloses one or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to: (Jakobsson: ¶ [0025] invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor, ¶ [0035] network 108 include one or more of the following: a direct or indirect physical communication connection, a mobile communication network, Internet, intranet, Local Area Network, Wide Area Network, Storage Area Network, and any other form of connecting two or more systems, components, or storage devices together), and discloses all the limitations of Claim 20, in combination with Ferri, as discussed in Claim 1. Therefore, Claim 20 is rejected using the same rationales as discussed in Claim 1. 9. Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson (US 2018/0152471 A1, hereinafter Jakobsson) in view of Ferri et al. (US 2010/0192224 A1, hereinafter Ferri) and further in view of Lin et al. (US 11,178,168 B1, hereinafter Lin). Regarding Claim 2, Claim 2 is dependent on Claim 1, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 1. Jakobsson further discloses wherein determining the weighted grade for the endpoint relationship is based on a security scoring process (Jakobsson: ¶ [0039] the historical information about messages by the sender for a particular recipient may be combined with historical information about messages sent by the sender for other recipients to determine a combined message profile/history of the sender for use in assessing security risk of messages by the sender for recipient without an established communication history with the sender, ¶ [0040] information in the header of the message that identifies one or more of the following is tracked for the sender of the message: a mail user agent, a time zone, IP address…, ¶ [0050] historical observations include information about messages from/to the sender of the message to/from the recipient of the received message, ¶ [0051] past observation data about messages from the sender is analyzed to determine a probability that a combination of features/contents/metadata of the message being analyzed is likely to be exhibited together and this probability is utilized to determine a risk component score). However, it is noted that Jakobsson and Ferri do not explicitly disclose wherein the security scoring process includes, for each endpoint in the endpoint relationship: determining that a first domain and a second domain are related; determining a security score for the first domain and a security score for the second domain; and determining a security score of a first endpoint of the endpoint relationship based on a combination of the first domain security score and the second domain security score. Lin from the same field of endeavor as the claimed invention discloses a self-learning system, method, and computer program for detecting cybersecurity threats in a computer network based on anomalous user behavior and multi-domain data. A computer system tracks user behavior during a user session across multiple data domains (Lin: [Abstract]), For each domain observed in a user session (i.e., for each domain in which at least one user event is observed in the session), the system calculates a domain risk score as the sum of the individual event-level risk probabilities (“event-level risks”) (Lin: [Col. 4 Lines: 18-22]), and the system then calculates a preliminary session risk score for the user session by summing the domain risk score(s) for the domain(s) observed in the user session (step 130) (Lin: [Col. 4 Lines: 39-42], also see [Col. 2 Lines: 23-27]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Lin in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so because the system selectively pick only a critical subset of domains that are related to the user behavior, the readability and accuracy of the outcome is improved (See also Lin: [Col. 4 Lines: 10-26]). 10. Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson (US 2018/0152471 A1, hereinafter Jakobsson) in view of Ferri et al. (US 2010/0192224 A1, hereinafter Ferri), and further in view of Xavier et al. (US 2018/0013790 Al, hereinafter Xavier). Regarding Claim 10, Claim 10 is dependent on Claim 9, and the combination of Jakobsson and Ferri discloses all the limitations of Claim 9. Jakobsson further discloses wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: cause the remainder of the additional messages to be displayed with a warning label (Jakobsson: ¶ [0035] risk value may be utilized at least in part to flag/label the message, modify the message (e.g., add warning), and/or to determine whether to allow the message to be delivered to an intended recipient of the message, ¶ [0058] the security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient ( e.g., allow the modified message to a message inbox of the intended recipient), ¶ [0059]). The combination of Jakobsson and Ferri does not explicitly disclose: identify a remainder of the additional messages that do not include URLs; and cause the remainder of the additional messages to be displayed with a warning label. Xavier from the same field of endeavor as the claimed invention discloses Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled (Xavier: [Abstract]), determine phishing messages is examining the formatting of the URLs contained within the message. For example, some URLS may be numeric URLs which may raise suspicion of the message (Xavier: ¶ [0015]), where a message is received. According to one embodiment, the message is an email message…, the message is passed through a phishing filter to determine whether or not the message is a phishing message…, a message will be determined to be a phishing message by examining the links that are included within the message..., (Xavier: ¶ [0020-0022]), and a determination is made as to whether the message is junk mail. When the message is junk mail the process moves to block 380 where the message is moved to the junk mail folder (i.e. implies message is marked as spam/junk) (Xavier: ¶ [0026], See Fig. 3--340,370,380). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Xavier in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so to additionally provide users with information about unwanted messages. 11. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson (US 2018/0152471 A1, hereinafter Jakobsson) in view of Ferri et al. (US 2010/0192224 A1, hereinafter Ferri) in view of Xavier et al. (US 2018/0013790 Al, hereinafter Xavier) and further in view of Risher et al. (US 2009/0216842 A1, hereinafter Risher). Regarding Claim 11, Claim 11 is dependent on Claim 10, and the combination of Jakobsson, Ferri and Xavier discloses all the limitations of Claim 10. Jakobsson further discloses wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: generate a supply chain monitoring interface, wherein the supply chain monitoring interface includes message security information, and wherein the supply chain monitoring interface includes one or more selectable elements that, once selected, cause display of information related to malicious messages associated with the endpoint relationship that are sent to an individual enterprise organization (Jakobsson: ¶ [0181] Message 1320 includes contents of the original message 1322 as well as added selected choices 1324 that requests the recipient to classify the sender of the message, See Fig. 13B) and information related to malicious messages associated with the endpoint relationship that are sent to a plurality of enterprise organizations monitored by the computing platform. However, the combination of Jakobsson, Ferri and Xavier does not explicitly disclose wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: generate a supply chain monitoring interface, wherein the supply chain monitoring interface includes message security information, and wherein the supply chain monitoring interface includes one or more selectable elements that, once selected, cause display of information related to malicious messages associated with the endpoint relationship that are sent to an individual enterprise organization and information related to malicious messages associated with the endpoint relationship that are sent to a plurality of enterprise organizations monitored by the computing platform. Risher from the same field of endeavor as the claimed invention discloses report 600 may include information about last hop sources 601 including domains 607-609. For each message server (610-612) associated with a given domain 607-609 is also shown total messages 602, total good (DK/DKIM) signed messages 603, total broken (DK/DKIM) signed messages 604, total messages unsigned 605, and total messages for a given message server that are determined to be fraudulent (Risher: ¶ [0092]), domains 608-609 from which numerous messages are received, but were determined to be fraudulent, forged…,such determination may be based on a variety of evaluations, including a comparison between the determined last hop server a message and the purported source domain indicated by various headers within the message (Risher: ¶ [0094], See fig. 6), and detecting and reporting use by a domain of a message authentication mechanism, such as DomainKeys (DK), and/or DomainKeys Identified Mail (DKIM), and enabling Subsequent blocking of messages based, in part, on its usage by a domain (Risher: ¶ [0019]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Risher in the teachings of Jakobsson. A person having ordinary skill in the art would have been motivated to do so to enable businesses to better manage messages, such as email messages…, if a business is determined to be employing DK/DKIM message authentication above a specified threshold, then other businesses, including itself, may use such information to reject, and/or re-direct messages alleging to come from a domain associated with that business, but which failed to use a valid DK/DKIM message authentication sig nature (Risher: ¶ [0019], also see ¶ [0021]). Conclusion 12. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US-20060168024-A1 US-20160094566-A1 US-20050204009-A1 US-20160330219-A1 Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507. The examiner can normally be reached on MON-FRI 8AM-4:30PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM can be reached on (571)272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SAMEERA WICKRAMASURIYA/ Examiner, Art Unit 2494 /ROBERT B LEUNG/Primary Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Apr 08, 2025
Application Filed
Jun 30, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683973
SYSTEMS, METHODS, AND APPARATUSES FOR PRE-CONFIGURED PER-TENANT ISOLATION IN A MULTI-TENANT CLOUD BASED COMPUTING ENVIRONMENT
2y 6m to grant Granted Jul 14, 2026
Patent 12683960
Email Processing for Improved Authentication Question Accuracy
1y 10m to grant Granted Jul 14, 2026
Patent 12671705
SELECTING POLICIES TO APPLY TO NETWORK TRAFFIC FLOWS BASED ON PERCEPTION SCORES
3y 2m to grant Granted Jun 30, 2026
Patent 12652316
ADJUSTMENT OF ACCESS PERMISSIONS OF USER DEVICES BASED ON CREATED ACCESS POLICIES
2y 10m to grant Granted Jun 09, 2026
Patent 12647426
Nested Access Privilege Check for Multi-Tenant Organizations
3y 8m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+34.5%)
2y 9m (~1y 5m remaining)
Median Time to Grant
Low
PTA Risk
Based on 180 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month