Abnormal Improves Attack Detection Efficacy Against Hidden Payloads by 5%

Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
January 7, 2022

Enhanced Hidden Payload Analysis and Detection Accuracy

While our detection capabilities have always been best-in-class, attackers constantly evolve their tactics. Approximately 69% of the advanced attacks targeting our customers are payload-based. A payload-based email attack carries a malicious attachment, a malicious URL, or both. To keep improving the product and stay ahead of these attacks, our engineering team grouped similar behaviors and observations from customer cases together and identified the trends behind them.

By improving our ability to analyze previously hidden payloads, our detection engines can more precisely identify malicious payload-based attacks and give our customers even better protection against them. Through this work, the Abnormal engineering and first responder teams reduced our customer false-negative rate by 5%.

New Hidden Payload Detection Methodologies

In this release, we shipped improvements to address these three classes of hard-to-analyze payloads:

  1. Wrapped URLs. A wrapped URL is a URL embedded inside another URL. Security vendors often wrap URLs to track clicks and, optionally, to redirect the user to a block page if the destination is found to be malicious at the time of the click. When Abnormal sits downstream from another security solution, this wrapping makes the original URL sent in the email hard to analyze. We improved our ability to recover the original URL or domain when we detect that a URL is wrapped, without clicking the link, so we can determine more effectively whether the original URL is malicious.
    Figure: an example of a wrapped URL that hides a redirect from one URL to another
  2. Encoded HTML attachments. We added detection for encoded HTML attachments present in an email. Combined with communication-pattern-based features, this lets us precisely determine when an email containing an encoded attachment is malicious.
    Figure: an example of an HTML-encoded email with malicious code

    Encoded HTML has legitimate business uses, such as telling a web browser or email client how to interpret the characters in the HTML or the message body so that formatting stays consistent. Attackers abuse the same mechanism: if you have recently received an email carrying an HTML attachment, there is a good chance it was a phishing attack. Such an attachment renders the phishing page locally on the victim's computer instead of serving it from the internet, a stealthy technique that lets bad actors avoid URL reputation checks, since there is no hosted URL for a reputation service to score.
  3. HTML attachments with redirect scripts. We added features that detect when an HTML attachment contains a redirect script. Combined with user communication-pattern-based features, this lets us precisely identify when an email carrying a redirect script is malicious.
    Figure: an HTML attachment with a redirect script used for credential harvesting

    Together, these improvements increase the detection efficacy of malicious payloads embedded in email messages by 5% and further protect customers against these attacks. This helps IT security teams minimize exposure to threats lurking in mailboxes that could lead to account takeovers, malware infections, intellectual property loss, compliance issues, or even lawsuits over data breaches.
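To make the three payload classes concrete, the script below is a small static triage routine added here as an example; it is not Abnormal's code and says nothing about how Abnormal's engines are implemented. Every input is constructed: the domains (scan.example, outer.example, mid.example, evil.example), the sample URLs, and the sample attachment are made up. The unwrapping logic assumes only that a click-tracking wrapper carries the original URL somewhere in its query string, percent-encoded or base64-encoded, and it never fetches a link, which is the "without clicking" constraint described above.

```python
"""Static triage for the three payload classes above: wrapped URLs, encoded
HTML attachments, and HTML attachments carrying a redirect script.
Added example, not Abnormal's detection code; all samples are constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


# --- 1. wrapped URLs -------------------------------------------------------

def _decodings(value):
    """Yield plausible decodings of one query-string value, cheapest first."""
    yield value                       # parse_qsl already percent-decoded once
    yield unquote(value)              # wrapper percent-encoded an already-encoded URL
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue


def unwrap_url(url, max_depth=5):
    """Peel wrapper URLs without fetching anything; return the chain, outermost first.
    A wrapper that only redirects server-side (no original URL in its query
    string) cannot be resolved statically and simply ends the chain."""
    chain = [url]
    for _ in range(max_depth):
        inner = None
        for _, value in parse_qsl(urlsplit(chain[-1]).query, keep_blank_values=True):
            for text in _decodings(value):
                match = URL_RE.search(text)
                if match:
                    inner = match.group(0)
                    break
            if inner:
                break
        if inner is None or inner in chain:   # nothing found, or a loop
            break
        chain.append(inner)
    return chain


# --- 2. encoded HTML attachments, 3. redirect scripts ----------------------

ENCODING_MARKERS = {  # JavaScript calls that typically unpack a hidden page
    "atob": re.compile(r"\batob\s*\(", re.I),
    "unescape": re.compile(r"\b(?:unescape|decodeURIComponent)\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\(", re.I),
}
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")   # long opaque blob
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']?"
    r"\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)", re.I)
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"
    r"\s*[=(]\s*[\"']([^\"']+)[\"']", re.I)


def redirect_targets(html):
    """Statically extract redirect destinations (meta refresh and JS location)."""
    targets = [m.group(1) for m in META_REFRESH_RE.finditer(html)]
    targets += [m.group(1) for m in JS_REDIRECT_RE.finditer(html)]
    return targets


def decode_layers(html):
    """Return the attachment plus any base64 blobs in it that decode to text.
    No JavaScript is executed; only literal blobs are peeled."""
    layers = [html]
    for blob in B64_BLOB_RE.findall(html):
        try:
            layers.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return layers


def triage_html_attachment(html):
    """Combine the three checks on one HTML attachment body."""
    findings = {
        "encoding_markers": [n for n, rx in ENCODING_MARKERS.items() if rx.search(html)],
        "redirect_targets": redirect_targets(html),
        "hidden_redirect": False,
        "final_urls": [],
    }
    for layer in decode_layers(html)[1:]:     # redirects visible only after decoding
        hidden = redirect_targets(layer)
        if hidden:
            findings["hidden_redirect"] = True
            findings["redirect_targets"] += hidden
    findings["final_urls"] = [unwrap_url(t)[-1] for t in findings["redirect_targets"]]
    return findings


# Constructed samples (hypothetical domains, not real attacker artifacts).
SAMPLE_WRAPPED = "https://scan.example/?url=https%3A%2F%2Fevil.example%2Flogin&data=abc"
SAMPLE_DOUBLE_WRAPPED = "https://outer.example/?target=" + quote(
    "https://mid.example/r?u=" + quote("https://evil.example/x", safe=""), safe="")
SAMPLE_B64_WRAPPED = "https://track.example/l?d=" + base64.urlsafe_b64encode(
    b"https://evil.example/pay").decode().rstrip("=")
SAMPLE_META_REFRESH = '<meta http-equiv="refresh" content="0; url=https://evil.example/x">'
_INNER = ('<html><body><script>window.location.href='
          '"https://scan.example/?url=https%3A%2F%2Fevil.example%2Foffice365";'
          '</script></body></html>')
SAMPLE_ENCODED_ATTACHMENT = ('<html><body><script>document.write(atob("'
                             + base64.b64encode(_INNER.encode()).decode()
                             + '"));</script></body></html>')

if __name__ == "__main__":
    print(unwrap_url(SAMPLE_DOUBLE_WRAPPED))
    print(triage_html_attachment(SAMPLE_ENCODED_ATTACHMENT))
```

The sample attachment ties the three classes together: the visible HTML only calls document.write(atob(...)), the decoded layer contains the redirect script, and the redirect points at a wrapped URL that is unwrapped to its final destination. Two caveats match the limitations the post itself notes: a wrapper that keeps the original URL server-side cannot be unwrapped without a click, and a redirect whose target is assembled at runtime by obfuscated JavaScript will not be extracted by regular expressions and needs sandboxed rendering instead.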

Learn More

Abnormal is committed to constant innovation in our detection capabilities, including our expansive machine learning models, to help security teams stay ahead of attackers.

Want to learn more? Request a demo today.
