Pixm Architecture leverages heavily, Azure and Google Cloud provider services for its deployment. Each tenant in Pixm has their own databases in Azure SQL Elastic DB Pool for storing all generated threat feeds by the user’s Pixm browser extension. The data is ingested from Extension side and consumed from Frontend.

Data Ingestion

The browser extension can be installed from chrome, firefox and edge web store directly or using GPO deployment through MSI for enterprise customers. Upon installation the extension registers with the backend to uniquely identify itself for all consequent calls. On the backend side all the calls are first received by the Application Gateway and then routed to its respective services for further processing.

The live threat detection takes place when the extension user visits a page with login controls, during which the page details are collected along with a screenshot and sent to backend VMSS (Virtual Machine Scale Set - Azure service with auto scaling capabilities) via gateway. The VMSS uses GPU machines for doing visual detection of trained brands using a proprietary machine learning algorithm to say if the page is phishing or not. All the collected page info is fed via a Service Bus Queue to be then persisted in SQL Server customer databases.

Data Consumption

Pixm also provides a multi-tenant portal front end application to enterprise users for managing various aspects of this anti-phishing product like threat, configuration, user and license management. This is built on React framework and Google Cloud Identity Platform is used as an authentication server which allows us to do a high degree of customization in authentication flow for our needs. Front-end deployment uses Azure CDN with Front Door. Front Door is an Azure service which allows us to use wildcard subdomains dynamically for each newly onboarded customer. When the Customer admins login to the portal using his subdomain they are able to see the threat feed time series data on their main dashboard.

Services Overview

All the services are running in a severless manner as Azure FaaS. The cloud provider handles the scalability and maintainability of the service containers and is billed based on consumption basis.

• Threat Service : This integrates with Google WebRisk API for detection of non-zero day phishing attacks captured by Google.
• Extension Service : This service is called by the extension for registration, heartbeat, threat detection, uninstall etc.
• Portal Service : This service is called by the React portal frontend which helps to aggregate data from other services.
• User Service : This service is a wrapper around the Google Identity platform APIs for user management.

Other Cloud Services

• Storage Account - This service is used to collect the visual detected screenshot images.
• App Insight - For log tracing and backend analytics of all services.
• Key Vault - For storing application or environment secrets.
• Automation Account - Used for automating the provisioning of newly onboarded customers.
• Google Identity Platform - JWT token based authentication Services on Google cloud for the customer login.
• Google WebRisk - It is a service which allows us to use google's threat intel database of phishing urls.