Abnormal Improves Attack Detection Efficacy Against Hidden Payloads by 5%

January 7, 2022

Enhanced Hidden Payload Analysis and Detection Detection Accuracy

While our detection capabilities have always been best-in-class, attackers constantly evolve their tactics. Approximately 69% of advanced attacks are payload-based, targeting our customers. A payload-based email attack contains a malicious attachment, URL, or combination of both. In order to relentlessly improve our product and stay ahead of the attacks, our engineering team identified trends in customer cases, which was accomplished by grouping similar behaviors and observations together.

By improving our ability to analyze previously hidden payloads, our detection engines can more precisely identify malicious payload-based attacks and give our customers even better protection against such attacks. The Abnormal engineering and first responder teams minimized our customer false negatives rate by 5%, improving our ability to analyze hidden payloads.

New Hidden Payload Detection Methodologies

In this release, we shipped improvements to address these three classes of hard-to-analyze payloads:

  1. Wrapped URLs. A wrapped URL is essentially a URL embedded inside another URL. Security vendors often utilize URL wrapping to track clicks on links and optionally redirect to a block page if they are able to detect the content is bad at the time of click, oftentimes this makes it difficult to analyze the original URL sent in the email when downstream from another security solution. We improved our ability to retrieve the original URL or domain when we detect that a URL is wrapped without clicking the link. This allows us to determine whether or not the original URL is malicious more effectively.
    An example of a wrapped URL that hides a redirect
    Wrapped URL example to redirect from one URL [protect-au.com] to another URL [beandbeeducation.net]
  2. Encoded HTML attachments. We added enhanced detection capabilities to detect when an encoded HTML attachment is present in the email. Combined with communication-pattern-based features, this allows us to precisely detect when an email containing an encoded attachment is malicious.
    HTML encoded email with malicious code
    An example of an HTML encoded email with malicious code

    Encoded HTML attachments have legitimate business uses, such as instructing a web browser or email application how to interpret the text characters in your HTML or the body of the email to maintain consistent formatting. There is a high chance that you have received an embedded email recently that was probably a phishing attack. The HTML attachment often hosts web pages on the victim’s computer instead of the internet, which is a stealthy method for bad actors to avoid URL reputation checks.
  3. HTML attachments with redirect scripts. When an HTML attachment contains a redirect script, we added features to detect it. Furthermore, combined with user communication-pattern-based features, we can precisely identify when an email with a redirect script is malicious.
    HTML attachment with redirect script for credential harvesting
    HTML attachment with a redirect script used for credential harvesting

    The combined benefits of further increasing the detection efficacy of malicious payloads embedded in email messages by 5% further protects customers against these attacks. This helps IT security teams minimize exposure to threats lurking within mailboxes that could lead to account takeovers, malware infections, intellectual property losses, compliance issues, or even lawsuits over data breaches.

Learn More

Abnormal is committed to constant innovation to improve our detection capabilities, including our expansive machine learning capabilities to help security teams stay ahead of the attackers.

Want to learn more? Request a demo today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More