2022 Winter Product Release Enhances Detection and Empowers Security Teams
At Abnormal, we’re constantly innovating in order to provide our customers with the best possible experience, which is why we’re thrilled to share with you our Q1 Winter Product Release. In this quarterly product release, we are focused on driving value to our customers through three key innovation categories:
- Bolstering and modernizing every organization’s security posture against advanced attacks through enhanced detection and faster remediation.
- Empowering security teams to gain comprehensive visibility and control across every security event and attack.
- Enabling security teams to scale through automation and an intuitive user experience.
Each of these will provide concrete benefits to those working with the Abnormal Security product. Let’s take a closer look at our exciting new features.
Enhanced Detection and Faster Remediation
This product release includes enhanced detection for a variety of attack types, including business email compromise, account takeover, and malware.
Improved Detection Efficacy Against Business Email Compromise (BEC) Attacks
Sophisticated attacks increasingly use email as the centerpiece of the intrusion. Business email compromise attacks typically rely on urgent requests on financial topics, and they cause significant financial damage, accounting for 44% of all cybercrime losses in 2020. Detecting and remediating them depends on correctly identifying the topic, tone, and sentiment of every communication.
Our NLP and NLU algorithms detect suspicious activity by analyzing the topic, tone, and sentiment of the content, then cross-reference that analysis with other high-fidelity signals from our detection engine to block the attack. In this release, we have deployed new processing and modeling features to further improve detection of these attacks.
We have fine-tuned our BEC detection models to increase our efficacy against BEC attacks by 10%.
Improved Response Time Against Account Takeover (ATO) Attacks
Account takeover attacks are on the rise, with about 79% of organizations experiencing an account takeover in recent years. A successful account takeover carries significant financial risk and can damage customer trust and brand reputation. Because the attack is so common, organizations need a defense strategy that lets them detect and remediate it quickly.
Now, Abnormal customers using Microsoft 365 as their cloud email provider can remediate account takeover (ATO) attacks either manually or automatically by signing users out of active sessions, resetting the password, and disabling accounts—all from within the Abnormal platform.
This results in a 20% improvement in response time to ATO attacks, further reducing dwell time for our customers.
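The three remediation actions named above (sign the user out of active sessions, reset the password, disable the account) map directly onto Microsoft 365 administrative operations. The script below is an added example, not Abnormal's code or its integration, showing the same containment steps done by hand with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the operator holds a role allowed to reset other users' passwords (for example User Administrator) and can consent to the listed scopes, and that the `-Upn` argument and the suggested file name `Contain-AtoUser.ps1` are placeholders.

```powershell
# Added example (not Abnormal's code): manual ATO containment for one Microsoft 365 user
# using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the operator holds a role allowed to reset passwords (e.g. User Administrator)
# and can grant the delegated scopes below; $Upn is a placeholder identity.
param(
    [Parameter(Mandatory = $true)][string] $Upn
)

# User.ReadWrite.All covers disabling the account and revoking sessions;
# Directory.AccessAsUser.All is required to write passwordProfile for another user.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
if (-not $user) { throw "User $Upn not found" }

# 1. Block new sign-ins first so the attacker cannot re-authenticate while we work.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Rotate the password to a random throw-away value; the user must change it at next sign-in.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + "!"   # "!" guarantees a symbol class
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Revoke refresh tokens and session cookies so existing sessions cannot renew.
#    Access tokens already issued stay valid until they expire (by default up to an hour),
#    so this step is containment, not instant eviction; mailbox rules and OAuth app grants
#    created by the attacker still need separate review.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Confirm the account state and timestamp the action for the incident timeline.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, AccountEnabled |
    Select-Object UserPrincipalName, AccountEnabled,
        @{ n = 'ContainedAtUtc'; e = { (Get-Date).ToUniversalTime() } }
```

Run it as `.\Contain-AtoUser.ps1 -Upn user@contoso.example` from an interactive session that can complete the Graph sign-in. Disabling the account before the password reset means an attacker who is watching for the reset cannot simply sign in again with a credential they phish in the meantime; the session revocation afterwards is what actually cuts off the mailbox access that was already established.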
Improved Malware Detection Accuracy by Reducing False Negatives
Malware, which includes viruses, ransomware, and spyware, is an increasingly pervasive problem for businesses of every size and industry, and it is often delivered through malicious URLs and email attachments. Customers need to stop malware at the point of entry to protect their users and assets, and detection efficacy matters because a single incident can have an outsized impact.
To protect you from email-borne risks, Abnormal filters and sanitizes every email before it reaches your email infrastructure, using malware scanning, full URL inspection, smart URL rewriting, and other measures. We use machine learning and artificial intelligence through behavioral, content, and relationship models to keep improving detection, alongside our threat intelligence engine and the thousands of other signals we analyze on each individual message.
Our federated machine learning system ensures that malware findings and detection efficacy improvements are shared across our customers. With this release, we optimized our phishing and malware detection models to decrease our false-negative rates by 10%.
Thwarting Brand Impersonation Attacks with Improved Computer Vision
Brand impersonation and malicious embedded URLs are a dominant tactic among attackers. The example below shows an attack blocked by Abnormal in which a bad actor impersonated the brand Turtle & Hughes using a digital fax document that contained an embedded malicious URL.
Another popular attack tactic is to create credential phishing pages that emulate commonly recognized brand login pages such as Microsoft Outlook Web Access (OWA) in order to perform credential harvesting.
With this quarterly release, we have further improved Abnormal's computer vision algorithms, which analyze URL landing pages to identify brand and form layouts. The same techniques are applied to attachments to identify logos and extract the information contained within the document.
Our computer vision is trained to view web pages and emails as humans see them, automatically identifying brand logos, QR codes, and text rendered as images. This protects end users against credential-harvesting phishing attacks that are designed to bypass email and web filtering solutions.
Deep analysis of landing pages and their resemblance to known login pages is also a powerful tool against emails whose malicious URL is carried inside a QR code, a trick meant to evade email and content filters. Abnormal is one of the first email security solutions to inspect embedded QR codes, which often lead to malicious websites.
These advancements in computer vision help our customers build a strong security posture against attacks that use brand impersonation for credential harvesting, redirection to malicious websites, and more.
Reduced Spam and Graymail in Users' Inboxes to Reduce Clutter
Employees spend significant time clearing inbox clutter caused by spam and graymail. In addition, end users often have to rely on time-consuming, cumbersome spam and quarantine digests to recover missed messages.
Abnormal's optimized ML-based graymail models learn from each user's actions and automatically create and maintain individualized safe and block lists on that user's behalf. Spam is then delivered to the junk folder and unwanted bulk messages to the promotional folder.
Comprehensive Control and Visibility to Security Admins
As part of the quarterly release, we've also improved visibility and control for security teams.
Longer Threat Log Retention Capability for Improved Reporting
Customers often need longer spans of threat logs to share information with peers or to provide in-depth reporting to management for business and technical decisions.
Administrators can now download, or automatically email, up to 90 days of threat logs instead of 30, which supports quarterly reporting and compliance obligations. The longer retention window improves information sharing and reporting alike.
Automatic Detection of Suspicious Messages and Improved Awareness to End Users
End users often receive suspicious messages such as reconnaissance emails that contain short, non-threatening phrases. These are not classified as attacks, but they do carry malicious intent. Organizations need visible cues that raise end users' awareness and caution them about such messages to reduce the risk of compromise. At the same time, security admins need a way to view these suspicious messages in one dashboard and take remediation actions quickly.
Abnormal automatically identifies these suspicious messages, and administrators can review and remediate them from a single pane of glass.
Expanding the SIEM Integration Ecosystem to Microsoft Sentinel, IBM QRadar, and Sumo Logic
Enterprises invest in SIEM tools to triage, remediate, and report on security incidents and events holistically. To get more from that investment, they expect security vendors to integrate directly with the SIEM of their choice so that security events can be monitored comprehensively in one place.
Customers can now ingest Abnormal event logs derived from inbound email threats and account takeover (ATO) cases into their SIEM, where they can optionally be used for alerting and other downstream workflows. In addition to the existing Splunk integration, this release adds direct SIEM integrations with Microsoft Sentinel, IBM QRadar, and Sumo Logic.
Now, customers can maximize their existing security investments, improve their overall security posture, and provide enhanced protection to their organizations and employees.
Automated Abuse Mailbox Operations to Free Up Admin Time
When end users report a suspicious email, security and email admins spend a significant amount of time updating them on the status of their case or sending customized thank-you messages.
IT security teams can now set up and modify the text of the thank-you message sent to reporters, as well as the follow-up message sent once their reported emails have been automatically analyzed using behavioral AI.
Any message that is not analyzed appears in the "Not Analyzed" tab of the Abuse Mailbox. Abnormal is the only email security provider that automates Abuse Mailbox operations, freeing security teams to focus on higher-priority tasks.
Enabling Admins to Quickly Locate Email Messages and Take Faster Actions
Employees sometimes send sensitive internal messages to a large unintended audience, and in rare cases malicious or unwanted email gets past security tools. In both situations, security admins need to locate the email quickly and act on it, for example by purging it before any unwanted downstream actions occur.
Our new capability lets Microsoft 365 and Google Workspace customers find messages in seconds and act on them with a few clicks from the admin interface. Email administrators can search by fields such as sender, recipient, and subject, see the list of matching messages and their metadata, and view message bodies and headers. From there, admins can choose to remediate those messages.
These features are useful in security and compliance scenarios, including:
- When an employee unintentionally sends a critical internal communication.
- When an employee is unsure where a message is located.
- When harmful or undesirable mail gets past email security solutions in extremely rare circumstances.
Abnormal has decreased email message search time by 60% for messages within the past 30 days.
A Fundamentally Different Approach to Security
We hope you found the product innovations in this quarterly release useful for your security teams. We at Abnormal are committed to continual innovation in our detection capabilities, including our expansive machine learning capabilities, so that security teams can stay ahead of attackers.
Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.