Abnormal Improves Attack Detection Efficacy Against Hidden Payloads by 5%

January 7, 2022

Enhanced Hidden Payload Analysis and Detection Detection Accuracy

While our detection capabilities have always been best-in-class, attackers constantly evolve their tactics. Approximately 69% of advanced attacks are payload-based, targeting our customers. A payload-based email attack contains a malicious attachment, URL, or combination of both. In order to relentlessly improve our product and stay ahead of the attacks, our engineering team identified trends in customer cases, which was accomplished by grouping similar behaviors and observations together.

By improving our ability to analyze previously hidden payloads, our detection engines can more precisely identify malicious payload-based attacks and give our customers even better protection against such attacks. The Abnormal engineering and first responder teams minimized our customer false negatives rate by 5%, improving our ability to analyze hidden payloads.

New Hidden Payload Detection Methodologies

In this release, we shipped improvements to address these three classes of hard-to-analyze payloads:

  1. Wrapped URLs. A wrapped URL is essentially a URL embedded inside another URL. Security vendors often utilize URL wrapping to track clicks on links and optionally redirect to a block page if they are able to detect the content is bad at the time of click, oftentimes this makes it difficult to analyze the original URL sent in the email when downstream from another security solution. We improved our ability to retrieve the original URL or domain when we detect that a URL is wrapped without clicking the link. This allows us to determine whether or not the original URL is malicious more effectively.
    Wrapped URL Redirect Example
    Wrapped URL example to redirect from one URL [protect-au.com] to another URL [beandbeeducation.net]
  2. Encoded HTML attachments. We added enhanced detection capabilities to detect when an encoded HTML attachment is present in the email. Combined with communication-pattern-based features, this allows us to precisely detect when an email containing an encoded attachment is malicious.
    HTML encoded email with malicious code
    An example of an HTML encoded email with malicious code

    Encoded HTML attachments have legitimate business uses, such as instructing a web browser or email application how to interpret the text characters in your HTML or the body of the email to maintain consistent formatting. There is a high chance that you have received an embedded email recently that was probably a phishing attack. The HTML attachment often hosts web pages on the victim’s computer instead of the internet, which is a stealthy method for bad actors to avoid URL reputation checks.
  3. HTML attachments with redirect scripts. When an HTML attachment contains a redirect script, we added features to detect it. Furthermore, combined with user communication-pattern-based features, we can precisely identify when an email with a redirect script is malicious.
    HTML attachment with redirect script
    HTML attachment with a redirect script used for credential harvesting

    The combined benefits of further increasing the detection efficacy of malicious payloads embedded in email messages by 5% further protects customers against these attacks. This helps IT security teams minimize exposure to threats lurking within mailboxes that could lead to account takeovers, malware infections, intellectual property losses, compliance issues, or even lawsuits over data breaches.

Learn More

Abnormal is committed to constant innovation to improve our detection capabilities, including our expansive machine learning capabilities to help security teams stay ahead of the attackers.

Want to learn more? Request a demo today.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More