ZapFraud Inc v. Mimecast North America Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: ZapFraud, Inc. (Delaware)
  • Defendant: Mimecast North America, Inc. (Delaware), Mimecast UK Limited (U.K.), Mimecast Services Ltd. (U.K.)
  • Plaintiff’s Counsel: Farnan LLP; Desmarais LLP
• Case Identification: 1:19-cv-01690, D. Del., 04/24/2020
• Venue Allegations: Plaintiff alleges venue is proper in the District of Delaware because Defendant Mimecast North America, Inc. is incorporated in Delaware, and the foreign Mimecast entities are subject to personal jurisdiction in the district.
• Core Dispute: Plaintiff alleges that Defendant’s email security products and services infringe patents related to the automated detection of phishing and Business Email Compromise scams.
• Technical Context: The technology at issue involves analyzing both the content and technical metadata of an electronic communication to determine if it is a fraudulent attempt to impersonate a trusted entity.
• Key Procedural History: The operative complaint is a Second Amended Complaint. The complaint alleges that Defendant Mimecast attended industry conferences where ZapFraud’s founder, Dr. Jakobsson, presented on the patented fraud detection technology.

Case Timeline

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,277,628 - Detecting Phishing Attempts

• Patent Identification: U.S. Patent No. 10,277,628, "Detecting Phishing Attempts," issued April 30, 2019. (Compl. ¶23).

The Invention Explained

• Problem Addressed: The patent addresses the problem of existing email filters being "readily defeated" by fraudulent messages that incorporate human-readable content, such as names of authoritative entities, making them appear legitimate to a recipient even if they lack technical authenticity. (Compl. ¶¶ 27-28; ’628 Patent, col. 1:15-32).
• The Patented Solution: The invention proposes a two-part analysis to classify an electronic communication. First, it determines a "first likelihood that a potential recipient...would conclude that the communication was transmitted on behalf of an authoritative entity." Second, it assesses a "second likelihood that the received communication was transmitted with authorization from the purported authoritative entity." The final classification is based on both likelihoods, combining a user-perception analysis with a technical verification analysis. (Compl. ¶29; ’628 Patent, Abstract; Fig. 3).
• Technical Importance: This dual-analysis approach was designed to combat sophisticated social engineering attacks that exploit the gap between a message's apparent legitimacy to a human and its actual technical origin. (Compl. ¶1, ¶19).

Key Claims at a Glance

• The complaint asserts at least independent claim 1. (Compl. ¶33). It also states that Mimecast infringes "one or more claims," suggesting the right to assert other claims is preserved. (Compl. ¶30).
• Essential elements of independent claim 1:
  • A classification system comprising a client device, a profile and content database, and at least one server.
  • The server is configured to parse a display name from an electronic communication.
  • It then determines that the communication appears to be from an "authoritative entity" by computing a "similarity distance" between the communication's display name and a name of the authoritative entity retrieved from the database.
  • This similarity distance is computed via a match based on display names and/or headers, determined by methods including Hamming distance, edit distance, or a support vector machine.
  • The server also determines that the communication was not transmitted with authorization from that entity.
  • Based on both determinations, the server performs a security determination, classifying the communication as "good" or "bad."
  • Based on a "bad" classification, the server performs a remedial action, such as erasing, flagging, or forwarding the communication. (’628 Patent, col. 33:54-34:53).

U.S. Patent No. 10,609,073 - Detecting Phishing Attempts

• Patent Identification: U.S. Patent No. 10,609,073, "Detecting Phishing Attempts," issued March 31, 2020. (Compl. ¶43).

The Invention Explained

• Problem Addressed: The patent describes the same problem as its parent ’628 Patent: conventional email security technologies can be circumvented by customized, human-readable phishing attempts that appear trustworthy to a recipient. (Compl. ¶¶ 47-48; ’073 Patent, col. 1:15-32).
• The Patented Solution: The invention, like the ’628 Patent, discloses combining an assessment of the "likely end-user interpretation" with an assessment of whether the "apparent sender matches the actual sender" before taking action on the message. (Compl. ¶49; ’073 Patent, Abstract).
• Technical Importance: The technology aims to provide more robust protection against Business Email Compromise and other targeted fraud by analyzing messages from both a perceptual and a technical standpoint. (Compl. ¶1, ¶31).

Key Claims at a Glance

• The complaint asserts at least independent claim 1. (Compl. ¶51). It also alleges infringement of "one or more claims." (Compl. ¶50).
• Essential elements of independent claim 1:
  • A classification system comprising a client device, a database, and at least one server.
  • The server determines that a communication appears to be from an "authoritative entity" by computing a "similarity distance" between a "first item" from the communication (e.g., display name, email address, text part, or header) and a "second item" associated with the authoritative entity (retrieved from the database).
  • The similarity match is determined using methods such as Hamming or edit distance.
  • The server also determines that the communication was not transmitted with authorization from the authoritative entity.
  • Based on both of these determinations, the server performs a "security action," such as erasing or marking up the communication. (’073 Patent, col. 33:59-34:42).

III. The Accused Instrumentality

Product Identification

• Mimecast Email Security service, Targeted Threat Protection, and Impersonation Protect. (Compl. ¶30, ¶50).

Functionality and Market Context

• The accused products are described as software-as-a-service (SaaS) email security solutions that protect customers from "Business Email Compromise" and other social engineering attacks. (Compl. ¶10, ¶31). The complaint alleges these services function by checking for "combinations of impersonation attack identifiers, such as the similarity of the sender's domain to the customer's domain, and whether the sender's display name is the same as one of the internal user display names." (Compl. ¶32). Based on the number of identifiers triggered, the services allegedly take action on the email, such as placing it on hold, tagging it, or bouncing it. (Compl. ¶32).
• No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

10,277,628 Infringement Allegations

10,609,073 Infringement Allegations

Identified Points of Contention:

• Scope Questions: The complaint alleges that a "Mimecast Administration Console" is the claimed "client device." (’628 Compl. ¶33.a). A potential point of contention may be whether an administrative tool used to configure a security service qualifies as a "client device used to access the electronic communication" in the context of the patent, which also describes user devices like computers and mobile phones. (’628 Patent, Fig. 1).
• Technical Questions: The asserted claims recite specific computational methods for determining similarity, such as "Hamming distance," "edit distance," and use of a "support vector machine." (Compl. ¶33.c.ii.2.a.iii; ’628 Patent, col. 34:24-28). The complaint alleges these in the alternative. A central technical question will be what specific algorithm(s) Mimecast’s "Impersonation Protect" feature actually uses to compute "similarity" and whether those methods fall within the scope of the claimed techniques.

V. Key Claim Terms for Construction

• The Term: "authoritative entity"

• Context and Importance: This term is foundational to the infringement analysis, as the first step of the claimed method is to determine if a message appears to be from such an entity. The complaint's theory of infringement equates this term with "an internal user of a Mimecast customer." (Compl. ¶33.c.ii.2). The scope of "authoritative entity" will define the universe of messages to which the patented method applies.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specification provides a broad, exemplary list, stating an authoritative entity can be "a bank or other financial services provider, shipping/postal carrier, cellular or other utility provider, etc." (’628 Patent, col. 2:62-65). This language may support a construction that is not limited to a customer's own internal users.
  • Evidence for a Narrower Interpretation: The specific implementation described in claim 1 involves retrieving the "name of the authoritative entity" from a "profile and content database," which could suggest the entity must be a known, pre-defined entity (such as a customer's employee) whose name is stored for comparison, rather than any entity that generally appears authoritative. (’628 Patent, col. 33:65-67).

• The Term: "similarity distance"

• Context and Importance: Infringement requires a showing that the accused system computes a "similarity distance." Practitioners may focus on this term because the claim follows it with a list of specific computational methods. The dispute will likely center on whether Mimecast's proprietary similarity-checking algorithms are encompassed by this term.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The claim language states that the distance is computed by comparison of items "by at least one of" a list of matching techniques and that matches are determined "by at least one of" a list of metrics (Hamming distance, edit distance, SVM, etc.). (’628 Patent, col. 34:10-34). A party could argue this "at least one of" phrasing indicates the list is exemplary, not exhaustive.
  • Evidence for a Narrower Interpretation: A party could argue that the term's meaning is defined and limited by the explicit list of computational methods provided in the claim itself. If an accused product uses a different, unlisted method for measuring similarity, it may not literally meet this limitation.

VI. Other Allegations

• Indirect Infringement: The complaint alleges inducement based on Mimecast supplying the accused products with the knowledge and intent that its customers will use them in an infringing manner. This intent is allegedly evidenced by Mimecast's "promotional and marketing materials, supporting materials, instructions, product manuals, and/or technical information." (Compl. ¶37, ¶55). Contributory infringement is alleged on the basis that the products are especially made to infringe and are not staple articles of commerce. (Compl. ¶38, ¶56).
• Willful Infringement: Willfulness is alleged based on Mimecast having knowledge of the patents and infringement "since at least the filing of this action." (Compl. ¶40, ¶58).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of claim construction: how will the term "similarity distance" be defined? Will its scope be limited to the explicit computational methods listed in the claims (e.g., Hamming distance, edit distance), or will it be construed more broadly to encompass other algorithmic approaches to measuring the similarity between sender names? The answer will heavily influence whether Mimecast's specific implementation infringes.
• A key evidentiary question will be one of technical proof: what evidence will demonstrate that the accused Mimecast services, particularly "Impersonation Protect," actually perform the two-step logical process required by the claims? The case will likely turn on a detailed technical comparison between the patented method—determining an appearance of authoritativeness and then separately determining a lack of technical authorization—and the precise operational steps of the accused systems.