Abnormal Knowledge Bases: Using AppBase to Prevent Third-Party Application Attacks

Discover how Abnormal provides greater visibility into application permissions and data access across the cloud email platform with AppBase.
January 9, 2023

Remember when Apple’s trademark “there’s an app for that” was simply a quippy phrase to push the utility of having a smartphone?

Well, 12 years removed from Apple registering that trademark, the ubiquity of applications has taken on a new meaning in the corporate world…and in the world of cybercriminals.

Businesses use, on average, 323 SaaS applications, and to the delight of threat actors, IT teams typically only manage and have visibility into 27% of those apps.

One area of the business that is especially susceptible to application overload is an organization’s cloud email platform. With dozens of plug-ins and third-party app integrations for everything from calendars to creative suites, even organizations with the most granular app policies may be met with a visit from the shadow IT fairy. And that could spell trouble.

In fact, vulnerabilities in third-party software accounted for 13% of all breaches in 2022–costing victimized organizations $4.55M on average.

If you’re wondering how these app attacks typically present themselves, there are a couple of ways: either a threat actor flat-out steals API keys and then installs malicious applications with read/write access, or an internal user is tricked by a threat actor into installing what appears to be a legitimate application.

Both of these attacks can and do bypass traditional inbound email security tools as they often include no payload, come from a legitimate sender, or simply do not have an email component at all. The key to stopping these breaches is visibility and the ability to quickly address suspicious app installs and permission changes across the email platform.

How Abnormal Demystifies Your Application Landscape

Abnormal Security addresses this problem head-on in two interconnected ways: AppBase and the Security Posture Management Add-On. The latter is fed by the data within the former, as AppBase provides a running catalog of every app installed in your cloud email platform and the permissions for those apps.

This data is then correlated against the other Knowledge Bases–in particular, PeopleBase and TenantBase–to build detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when an unknown app with outsized permissions has been discovered.

Security Posture Management complements and extends AppBase by surfacing changes to apps and their associated permissions as they occur. Organizations can discover which apps their users have installed and, critically, when suspicious events occur–such as apps going from calendar access-only to suddenly being able to read and write to email.

Cover Your Apps With AppBase

Let’s take a closer look at the breadth of capabilities within AppBase. As noted, AppBase centralizes app install and usage data, permissions, and other key metadata to help security teams understand how many apps are integrated into their cloud email platform, what those apps can do, and how heavily those apps are used.


Specifically, AppBase provides a running list that includes:

  • App Name

  • Access Level (Low or High levels of privilege)

  • Permissions (calendar and mailbox read/write access)

  • App Type

  • Tenant housing this integration

  • Registered user count

  • Platform

  • Analysis (insights such as privileged users having access)
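The permission-change check described above (an app going from calendar-only access to reading and writing email), run over inventory records shaped like this list, as an added example that is not Abnormal's code. The record layout, the choice of Microsoft Graph scope names, the severity rule and the sample snapshots are all constructed assumptions.

```python
# Added example: the record layout and sample data are constructed for
# illustration. Scope names are Microsoft Graph delegated/application scopes.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}
WRITE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite"}

# Two constructed inventory snapshots keyed by a hypothetical app ID.
PREVIOUS = {
    "app-001": {"app_name": "Example Scheduler", "permissions": ["Calendars.Read"],
                "privileged_users": 1},
    "app-002": {"app_name": "Example Notes", "permissions": ["Calendars.Read"],
                "privileged_users": 0},
}
CURRENT = {
    "app-001": {"app_name": "Example Scheduler",
                "permissions": ["Calendars.Read", "Mail.ReadWrite"],
                "privileged_users": 1},
    "app-002": {"app_name": "Example Notes",
                "permissions": ["Calendars.Read", "Calendars.ReadWrite"],
                "privileged_users": 0},
    "app-003": {"app_name": "Example Mailer", "permissions": ["Mail.Read"],
                "privileged_users": 0},
}


def diff_inventory(previous, current):
    """Return (app_id, event, scopes, severity) for risky changes between snapshots."""
    findings = []
    for app_id, app in current.items():
        now = set(app["permissions"])
        # Assumed rule: apps reachable by privileged users rank higher.
        severity = "high" if app.get("privileged_users", 0) > 0 else "medium"
        old = previous.get(app_id)
        if old is None:
            # App not seen before: report it only if it can touch mailboxes.
            if now & MAIL_SCOPES:
                findings.append((app_id, "new_app_with_mail_access",
                                 sorted(now & MAIL_SCOPES), severity))
            continue
        before = set(old["permissions"])
        gained = now - before
        if gained & MAIL_SCOPES and not before & MAIL_SCOPES:
            # The calendar-only -> mailbox access jump.
            findings.append((app_id, "gained_mail_access",
                             sorted(gained & MAIL_SCOPES), severity))
        elif gained & WRITE_SCOPES:
            findings.append((app_id, "gained_write_access",
                             sorted(gained & WRITE_SCOPES), severity))
    return findings
```

Calling `diff_inventory(PREVIOUS, CURRENT)` returns one finding per app in the sample data; comparing a snapshot with itself returns an empty list.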

If an Abnormal user drills down into the applications in the inventory list, they are met with a running timeline for a given application alongside additional details–including the publisher, an app description, and integration dates. In the example below, we can see the permissions granted for the fictional application, Spoof Force:

[Figure: AppBase application profile for Spoof Force]

From this app profile, a security analyst investigating a threat can then click the App ID to be taken directly to the application in Azure. The analyst can also click the names of users or tenants in the activity timeline to be taken to PeopleBase or TenantBase–continuing their investigation by using the activity contained in those Knowledge Bases.

If security teams were previously unaware of Spoof Force or felt Renee West was a risky user, it is crucial to know that this application not only exists in the organization’s email environment, but is integrated into the primary mail tenant, is accessed by privileged users, and has full permissions to access calendars and mailboxes. AppBase puts this information at the fingertips of security teams so they can remediate risks faster.

How AppBase Helps Solve the SaaS Problem

Again, if your organization is like most, you have hundreds of SaaS apps. Many of those apps are directly integrated with your cloud email security platform. Do you know what they are? Do you know what they can access? Do you know who accesses them? AppBase, along with the other Abnormal Knowledge Bases and Security Posture Management, helps to answer these questions so you can shine a light on the shadowy world of malicious app attacks.

Want to learn more about AppBase? Schedule a demo today.
