Blocklists are always behind. A phishing page can be registered, used to harvest credentials, and abandoned within hours — long before it lands on any reputation list. By the time a URL is blocked, the campaign that used it has often already moved to a fresh domain. Defending against phishing by enumerating known-bad sites is a race the defender structurally cannot win.

The grant US10944789B2, "Phishing detection enhanced through machine learning techniques" (issued March 9, 2021, assigned to Easy Solutions Enterprises Corp.), changes the basis of the decision. Its CPC classifications pair the phishing class H04L 63/1483 with the machine-learning class G06N 20/00 and the intrusion-detection classes H04L 63/1416 and H04L 63/1425, which points to a detector that judges a page by learned characteristics, not by whether it's on a list.

“Phishing enhancement and phishing detection enhancement technologies. The technologies can include determinations of an effectiveness rate of one or more phishing threat actors. The technologies can also include selection of effective URLs from at least one effective phishing threat actor.” — U.S. Patent No. 10,944,789

The mechanism worth understanding is that phishing pages share recognizable traits even when each one is new. The way they mimic a legitimate brand's layout, the structure of their URLs, the presence of credential-harvesting forms pointed at suspicious endpoints — these features recur across campaigns. A model trained on enough examples learns to recognize a phishing page on sight, the way an experienced analyst would, without needing to have seen that exact page before.
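To make the idea concrete, here is an added example (not code from the patent or from Easy Solutions) that turns the three traits named above into features and fits a small logistic regression on constructed pages. The feature definitions, function names, the `examplebank` brand and every host are assumptions made for illustration.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScan(HTMLParser):  # collects form actions and notes any password input
    actions, has_password = (), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions += (a.get("action") or "",)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def features(url, html, brand="examplebank", official="examplebank.example"):
    """Assumed feature set: URL structure, credential form target, brand mimicry."""
    host = (urlparse(url).hostname or "").lower()
    forms = FormScan(); forms.feed(html)
    on_brand = host == official or host.endswith("." + official)
    off_host = any((urlparse(urljoin(url, a)).hostname or "").lower() != host for a in forms.actions)
    return [float(host.count(".") >= 3),                    # deeply nested subdomains
            float(forms.has_password and off_host),         # password form posts to another host
            float(brand in html.lower() and not on_brand)]  # brand shown off its own domain

def predict(w, b, x):  # logistic function of the weighted feature sum
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def train(samples, epochs=2000, lr=0.1):  # logistic regression, batch gradient descent
    rows = [(features(u, h), y) for u, h, y in samples]
    w, b = [0.0] * 3, 0.0
    for _ in range(epochs):
        errs = [predict(w, b, x) - y for x, y in rows]
        w = [wi - lr * sum(e * x[i] for e, (x, _) in zip(errs, rows)) for i, wi in enumerate(w)]
        b -= lr * sum(errs)
    return w, b

def score(model, url, html):  # phishing score in (0, 1) for any page, seen or not
    return predict(*model, features(url, html))

def login_page(title, action):  # constructed login-page HTML
    return f'<title>{title}</title><form action="{action}"><input type="password"></form>'

SAMPLES = [  # constructed (url, html, label) training pages; label 1 = phishing
    ("https://examplebank.example/login", login_page("ExampleBank", "/session"), 0),
    ("https://forum.test/signin", login_page("Forum", "/auth"), 0),
    ("https://news.test/story", "<p>ExampleBank reports earnings</p>", 0),
    ("https://examplebank.login.verify.test/", login_page("ExampleBank", "https://collect.invalid/p"), 1),
    ("https://update.test/examplebank", login_page("ExampleBank", "https://drop.invalid/x"), 1),
    ("https://my.account.a.test/", login_page("ExampleBank", "/post.php"), 1),
]
MODEL = train(SAMPLES)
```

The third training page mentions the brand on a news host and is labelled benign, so the fitted model does not flag a brand mention on its own; `score(MODEL, url, html)` can then be called on a URL that appears nowhere in `SAMPLES`.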

For defenders, the practical takeaway is coverage of the zero-hour window. The most dangerous phishing pages are the freshest ones — live, unreported, and not yet blocked. A learned detector is the layer that can catch them in that window, which is exactly when blocklists are useless.

As with all learned detection, the limitation is adversarial: attackers can study what the model keys on and design pages to avoid those features. The patent's value is in raising the cost of evasion, not eliminating it. But the shift it represents — from enumerating bad URLs to recognizing phishing behavior — is what makes detection viable against an adversary who can spin up infrastructure faster than any list can track.