ThouShaltNotClick — Phishing Protection & Training

Catches phishing in Gmail and Outlook. Real-time link analysis, breach alerts, and in-context security training.

As of June 2026, ThouShaltNotClick — Phishing Protection & Training has 10 users in the Privacy & Security category.

Users: 10 (no change, 0%)
Rating: — (no change, 0%)
Reviews: — (no change, 0%)
Version: 1.9.78
Manifest V3
90-day change · In the last 90 days this extension had 5 version updates and changed permissions.

History

7 snapshots

Tracking since May 3, 2026.

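| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| May 3, 2026 | | | | 1.9.2 |
| May 9, 2026 | | | | 1.9.2 |
| May 14, 2026 | 4 | | | 1.9.23 |
| May 20, 2026 | 7 | | | 1.9.47 |
| May 26, 2026 | 8 | | | 1.9.51 |
| Jun 2, 2026 | 9 | | | 1.9.64 |
| Jun 8, 2026 | 11 | | | 1.9.78 |
| Now | 10 | | | 1.9.78 |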

Changelog

  • Jun 2, 2026
    description
    Before:
    v1.9.64 — Major reliability + protection update
    🚨 NEW: Account-takeover detection on verified senders. When a "trusted" sender's
    account is compromised and starts sending classic scams (gift card requests,
    wire fraud, urgency tactics), the trust badge no longer overrides to green —
    it surfaces a clear "verified sender + scam language detected — possible
    account takeover" warning.
    🛡️ NEW: Master vault control syncs every 5 minutes. When your admin disables
    the password vault platform-wide, all browsers see the change within minutes
    instead of next login. Plus defense-in-depth gates so stale browsers can't
    leak save prompts.
    🤖 IMPROVED: AI Email Analysis now shows specific failure reasons ("Daily AI
    limit (10/day)", "Sign in to use AI", "Session expired") instead of generic
    "Failed". When AI scores under 30, the email is queued for your admin's
    review rather than silently dropped.
    📋 NEW: Trust-badge override when AI flags a sender the heuristic missed.
    If our AI says 8/100 but the local engine said 99/100, the badge updates
    to match AI's verdict so you don't see a misleading green score.
    🚨 IMPROVED: Heuristic engine catches more scams. New invoice/renewal scam
    detection (fake McAfee/Norton/Geek Squad/PayPal charges), spam-folder cap
    (emails in Gmail Spam or Outlook Junk never display >50/100), invoice
    phone-callback detection.
    🛡️ NEW: "Trusted by colleagues" badge when your coworkers have collectively
    marked a sender as safe — crowd-sourced positive reputation, org-scoped only.
    ⏳ NEW: Offline-friendly buttons. When our API is briefly unreachable,
    Report/Mark Safe/Alert clicks now show "Saved — will send" and auto-retry
    every 5 minutes instead of losing the action.
    🔐 NEW: Session-expired UX. If your auth session ages out mid-action, the
    button shows "Session expired — click extension icon to sign in" instead of
    a cryptic "Invalid token" error. Plus a "!" badge appears on the toolbar.
    🧐 IMPROVED: 10-second "undo" on Report Suspicious / Report Safe / Community
    Alert buttons. Misclicks are cancellable in-flow.
    🐛 FIXED: Community Alert button bug (was throwing "analysis is not defined"
    on click).
    📅 COMING SOON: Calendar spam auto-decline (Google + Microsoft Calendar
    integration in next major version).
    🎨 New extension icon matching our website favicon (green shield).
    
    What's New in v1.9.51
    Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 
    
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
    After:
    v1.9.78 — faster protection, broader Outlook support, more privacy
    • Protection works the moment you install. Phishing badges now appear on your emails right away instead of waiting a few minutes after setup.
    • Now works on Outlook's new web address. Added support for outlook.cloud.microsoft — Microsoft's new unified Outlook-on-the-web domain — so badges, link analysis, and the Kindness Meter all work there too.
    • "Community Alert" now counts. Flagging a training/simulation email with Community Alert credits you the same as "Report Suspicious."
    • Minor fixes and polish.
    
    v1.9.74 — Major reliability + protection update
    🛡️ Brand impersonation detection — catches phishing emails that mimic
       banks, retailers, and e-sign portals (DocuSign, Adobe Sign, etc).
    🎯 Account-takeover guard — even verified-safe senders get scrutinized
       when an email shows scam-language patterns (gift cards, wire requests,
       payroll changes, urgency + dangerous action).
    🔍 AI Analysis verdict persists across page refreshes — no re-analyzing
       every time you switch tabs.
    🚨 Report Missed Phish — flag phishing emails the extension missed so
       admins + the platform can learn from them.
    ⏪ 5-second undo on Report Suspicious, Mark Safe, and Community Alert —
       click once, then "X in Ns — Click to undo" before it commits.
    ⚡ Welcome page fix — "Got it — let's go" now properly takes you to
       sign-in then your dashboard (previously the tab closed mid-flow).
    🟢 Online Kindness Meter — green shield icon variants matching the
       website favicon.
    🧹 Improvements — clearer "Session expired — click icon to sign in"
       messaging when JWTs rotate; exclusion list capacity raised past 270
       domains; vault save-prompt cleanup; calendar-spam stub groundwork.
    📊 Backend version tracking — admins can see which extension version
       each user is running, for support diagnostics.
    
    v1.9.64 — Major reliability + protection update
    🚨 NEW: Account-takeover detection on verified senders. When a "trusted" sender's
    account is compromised and starts sending classic scams (gift card requests,
    wire fraud, urgency tactics), the trust badge no longer overrides to green —
    it surfaces a clear "verified sender + scam language detected — possible
    account takeover" warning.
    🤖 IMPROVED: AI Email Analysis now shows specific failure reasons ("Daily AI
    limit (10/day)", "Sign in to use AI", "Session expired") instead of generic
    "Failed". When AI scores under 30, the email is queued for your admin's
    review rather than silently dropped.
    📋 NEW: Trust-badge override when AI flags a sender the heuristic missed.
    If our AI says 8/100 but the local engine said 99/100, the badge updates
    to match AI's verdict so you don't see a misleading green score.
    🚨 IMPROVED: Heuristic engine catches more scams. New invoice/renewal scam
    detection (fake McAfee/Norton/Geek Squad/PayPal charges), spam-folder cap
    (emails in Gmail Spam or Outlook Junk never display >50/100), invoice
    phone-callback detection.
    🛡️ NEW: "Trusted by colleagues" badge when your coworkers have collectively
    marked a sender as safe — crowd-sourced positive reputation, org-scoped only.
    ⏳ NEW: Offline-friendly buttons. When our API is briefly unreachable,
    Report/Mark Safe/Alert clicks now show "Saved — will send" and auto-retry
    every 5 minutes instead of losing the action.
    🔐 NEW: Session-expired UX. If your auth session ages out mid-action, the
    button shows "Session expired — click extension icon to sign in" instead of
    a cryptic "Invalid token" error. Plus a "!" badge appears on the toolbar.
    🧐 IMPROVED: 10-second "undo" on Report Suspicious / Report Safe / Community
    Alert buttons. Misclicks are cancellable in-flow.
    🐛 FIXED: Community Alert button bug (was throwing "analysis is not defined"
    on click).
    📅 COMING SOON: Calendar spam auto-decline (Google + Microsoft Calendar
    integration in next major version).
    🎨 New extension icon matching our website favicon (green shield).
    
    What's New in v1.9.51
    Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 
    
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
  • Jun 2, 2026
    host_permissions
    Before:
    https://mail.google.com/*, https://outlook.live.com/*, https://outlook.office.com/*, https://outlook.office365.com/*, https://*.thoushaltnotclick.com/*, https://thoushaltnotclick-api-production.up.railway.app/*, https://api.pwnedpasswords.com/*
    After:
    https://mail.google.com/*, https://outlook.live.com/*, https://outlook.office.com/*, https://outlook.office365.com/*, https://outlook.cloud.microsoft/*, https://*.thoushaltnotclick.com/*, https://thoushaltnotclick-api-production.up.railway.app/*, https://api.pwnedpasswords.com/*
  • May 26, 2026
    description
    Before:
    What's New in v1.9.51
    Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 
    
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
    After:
    v1.9.64 — Major reliability + protection update
    🚨 NEW: Account-takeover detection on verified senders. When a "trusted" sender's
    account is compromised and starts sending classic scams (gift card requests,
    wire fraud, urgency tactics), the trust badge no longer overrides to green —
    it surfaces a clear "verified sender + scam language detected — possible
    account takeover" warning.
    🛡️ NEW: Master vault control syncs every 5 minutes. When your admin disables
    the password vault platform-wide, all browsers see the change within minutes
    instead of next login. Plus defense-in-depth gates so stale browsers can't
    leak save prompts.
    🤖 IMPROVED: AI Email Analysis now shows specific failure reasons ("Daily AI
    limit (10/day)", "Sign in to use AI", "Session expired") instead of generic
    "Failed". When AI scores under 30, the email is queued for your admin's
    review rather than silently dropped.
    📋 NEW: Trust-badge override when AI flags a sender the heuristic missed.
    If our AI says 8/100 but the local engine said 99/100, the badge updates
    to match AI's verdict so you don't see a misleading green score.
    🚨 IMPROVED: Heuristic engine catches more scams. New invoice/renewal scam
    detection (fake McAfee/Norton/Geek Squad/PayPal charges), spam-folder cap
    (emails in Gmail Spam or Outlook Junk never display >50/100), invoice
    phone-callback detection.
    🛡️ NEW: "Trusted by colleagues" badge when your coworkers have collectively
    marked a sender as safe — crowd-sourced positive reputation, org-scoped only.
    ⏳ NEW: Offline-friendly buttons. When our API is briefly unreachable,
    Report/Mark Safe/Alert clicks now show "Saved — will send" and auto-retry
    every 5 minutes instead of losing the action.
    🔐 NEW: Session-expired UX. If your auth session ages out mid-action, the
    button shows "Session expired — click extension icon to sign in" instead of
    a cryptic "Invalid token" error. Plus a "!" badge appears on the toolbar.
    🧐 IMPROVED: 10-second "undo" on Report Suspicious / Report Safe / Community
    Alert buttons. Misclicks are cancellable in-flow.
    🐛 FIXED: Community Alert button bug (was throwing "analysis is not defined"
    on click).
    📅 COMING SOON: Calendar spam auto-decline (Google + Microsoft Calendar
    integration in next major version).
    🎨 New extension icon matching our website favicon (green shield).
    
    What's New in v1.9.51
    Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 
    
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
  • May 20, 2026
    description
    Before:
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
    After:
    What's New in v1.9.51
    Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 
    
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
  • May 20, 2026
    short_description
    Catches phishing in Gmail and Outlook. Real-time link analysis, breach alerts, and an encrypted password vault.
    Catches phishing in Gmail and Outlook. Real-time link analysis, breach alerts, and in-context security training.
  • May 20, 2026
    name
    ThouShaltNotClick — Phishing Protection & Password Manager
    ThouShaltNotClick — Phishing Protection & Training
  • May 14, 2026
    description
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
    What's New in v1.9.47
    Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
    Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 
    
    What's new in v1.9.39
    Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 
    
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
  • May 9, 2026
    description
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.
    What's new in v1.9.23
    Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com
    
    What's new in v1.9.20
    Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.
    
    ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
    Phishing protection
    A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
    Password manager
    The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
    Site safety
    The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
    Built for organizations who care about their people
    ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
    Privacy
    Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
    Get started
    Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
    Created by a Catholic — accessible to all.

Permissions & access

Permissions
activeTab, storage, contextMenus, tabs, notifications, alarms
Host access
https://mail.google.com/*, https://outlook.live.com/*, https://outlook.office.com/*, https://outlook.office365.com/*, https://outlook.cloud.microsoft/*, https://*.thoushaltnotclick.com/*, https://thoushaltnotclick-api-production.up.railway.app/*, https://api.pwnedpasswords.com/*

About

v1.9.78 — faster protection, broader Outlook support, more privacy
• Protection works the moment you install. Phishing badges now appear on your emails right away instead of waiting a few minutes after setup.
• Now works on Outlook's new web address. Added support for outlook.cloud.microsoft — Microsoft's new unified Outlook-on-the-web domain — so badges, link analysis, and the Kindness Meter all work there too.
• "Community Alert" now counts. Flagging a training/simulation email with Community Alert credits you the same as "Report Suspicious."
• Minor fixes and polish.

v1.9.74 — Major reliability + protection update
🛡️ Brand impersonation detection — catches phishing emails that mimic
   banks, retailers, and e-sign portals (DocuSign, Adobe Sign, etc).
🎯 Account-takeover guard — even verified-safe senders get scrutinized
   when an email shows scam-language patterns (gift cards, wire requests,
   payroll changes, urgency + dangerous action).
🔍 AI Analysis verdict persists across page refreshes — no re-analyzing
   every time you switch tabs.
🚨 Report Missed Phish — flag phishing emails the extension missed so
   admins + the platform can learn from them.
⏪ 5-second undo on Report Suspicious, Mark Safe, and Community Alert —
   click once, then "X in Ns — Click to undo" before it commits.
⚡ Welcome page fix — "Got it — let's go" now properly takes you to
   sign-in then your dashboard (previously the tab closed mid-flow).
🟢 Online Kindness Meter — green shield icon variants matching the
   website favicon.
🧹 Improvements — clearer "Session expired — click icon to sign in"
   messaging when JWTs rotate; exclusion list capacity raised past 270
   domains; vault save-prompt cleanup; calendar-spam stub groundwork.
📊 Backend version tracking — admins can see which extension version
   each user is running, for support diagnostics.

v1.9.64 — Major reliability + protection update
🚨 NEW: Account-takeover detection on verified senders. When a "trusted" sender's
account is compromised and starts sending classic scams (gift card requests,
wire fraud, urgency tactics), the trust badge no longer overrides to green —
it surfaces a clear "verified sender + scam language detected — possible
account takeover" warning.
🤖 IMPROVED: AI Email Analysis now shows specific failure reasons ("Daily AI
limit (10/day)", "Sign in to use AI", "Session expired") instead of generic
"Failed". When AI scores under 30, the email is queued for your admin's
review rather than silently dropped.
📋 NEW: Trust-badge override when AI flags a sender the heuristic missed.
If our AI says 8/100 but the local engine said 99/100, the badge updates
to match AI's verdict so you don't see a misleading green score.
🚨 IMPROVED: Heuristic engine catches more scams. New invoice/renewal scam
detection (fake McAfee/Norton/Geek Squad/PayPal charges), spam-folder cap
(emails in Gmail Spam or Outlook Junk never display >50/100), invoice
phone-callback detection.
🛡️ NEW: "Trusted by colleagues" badge when your coworkers have collectively
marked a sender as safe — crowd-sourced positive reputation, org-scoped only.
⏳ NEW: Offline-friendly buttons. When our API is briefly unreachable,
Report/Mark Safe/Alert clicks now show "Saved — will send" and auto-retry
every 5 minutes instead of losing the action.
🔐 NEW: Session-expired UX. If your auth session ages out mid-action, the
button shows "Session expired — click extension icon to sign in" instead of
a cryptic "Invalid token" error. Plus a "!" badge appears on the toolbar.
🧐 IMPROVED: 10-second "undo" on Report Suspicious / Report Safe / Community
Alert buttons. Misclicks are cancellable in-flow.
🐛 FIXED: Community Alert button bug (was throwing "analysis is not defined"
on click).
📅 COMING SOON: Calendar spam auto-decline (Google + Microsoft Calendar
integration in next major version).
🎨 New extension icon matching our website favicon (green shield).

What's New in v1.9.51
Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. 

What's New in v1.9.47
Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment.
Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. 

What's new in v1.9.39
Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. 

What's new in v1.9.23
Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com

What's new in v1.9.20
Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean.

ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm.
Phishing protection
A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization.
Password manager
The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself.
Site safety
The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension.
Built for organizations who care about their people
ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported.
Privacy
Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history.
Get started
Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com.
Created by a Catholic — accessible to all.

Technical

Version: 1.9.78
Manifest: V3
Size: 405KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: cpnepnmopionnobdffmnoikbjgnnfkpf
Developer ID: u4dec6a13d27958d3f403eabacab1816e
Developer Email: [email protected]
Created: May 2, 2026
Last Updated (Store): Jun 1, 2026
Last Scraped: Jun 8, 2026

Data sourced from the Chrome Web Store · last verified Jun 8, 2026.