
Abnormal Knowledge Bases: Using AppBase to Prevent Third-Party Application Attacks

Discover how Abnormal provides greater visibility into application permissions and data access across the cloud email platform with AppBase.
January 9, 2023

Remember when Apple’s trademark “there’s an app for that” was simply a quippy phrase to push the utility of having a smartphone?

Well, 12 years removed from Apple registering that trademark, the ubiquity of applications has taken on a new meaning in the corporate world…and in the world of cybercriminals.

Businesses use, on average, 323 SaaS applications, and to the delight of threat actors, IT teams typically only manage and have visibility into 27% of those apps.

One area of the business that is especially susceptible to application overload is an organization’s cloud email platform. With dozens of plug-ins and third-party app integrations for everything from calendars to creative suites, even organizations with the most granular app policies may be met with a visit from the shadow IT fairy. And that could spell trouble.

In fact, vulnerabilities in third-party software accounted for 13% of all breaches in 2022–costing victimized organizations $4.55M on average.

If you’re wondering how these app attacks typically present themselves, there are a couple of ways: either a threat actor flat-out steals API keys and then installs malicious applications with read/write access, or an internal user is tricked by a threat actor into installing what appears to be a legitimate application.

Both of these attacks can and do bypass traditional inbound email security tools as they often include no payload, come from a legitimate sender, or simply do not have an email component at all. The key to stopping these breaches is visibility and the ability to quickly address suspicious app installs and permission changes across the email platform.

How Abnormal Demystifies Your Application Landscape

Abnormal Security addresses this problem head-on in two interconnected ways: AppBase and the Security Posture Management Add-On. The latter is fed by the data within the former, as AppBase provides a running catalog of every app installed in your cloud email platform and the permissions for those apps.

This data is then correlated against the other Knowledge Bases–in particular, PeopleBase and TenantBase–to build detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when an unknown app with outsized permissions has been discovered.

Security Posture Management complements and extends AppBase by surfacing changes to apps and their associated permissions as they occur. Organizations can discover which apps their users have installed and, critically, when suspicious events occur–such as an app going from calendar access-only to suddenly being able to read and write to email.
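The permission-change check described above can be sketched as a diff between two app inventory snapshots. This is an added example, not Abnormal's code: the snapshot layout, the app IDs, the "Example" app names, and the rule that any mailbox scope means High access are assumptions, and the scope names are Microsoft Graph permission names.

```python
# Constructed example: scope names follow Microsoft Graph permissions;
# the snapshot layout and the High/Low rule are assumptions for illustration.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}


def access_level(scopes):
    """High if the app can touch mailboxes, otherwise Low (assumed rule)."""
    return "High" if MAILBOX_SCOPES & set(scopes) else "Low"


def diff_snapshots(previous, current):
    """Compare two {app_id: {"name", "scopes"}} inventories and return findings."""
    findings = []
    for app_id, app in sorted(current.items()):
        new_scopes = set(app["scopes"])
        if app_id not in previous:
            # App was not in the last inventory: report it with its access level.
            findings.append(("new_app", app["name"],
                             access_level(new_scopes), sorted(new_scopes)))
            continue
        gained = new_scopes - set(previous[app_id]["scopes"])
        old_level = access_level(previous[app_id]["scopes"])
        if gained & MAILBOX_SCOPES and old_level == "Low":
            # Calendar-only (or other low-privilege) app now has mailbox access.
            findings.append(("escalation", app["name"], "High", sorted(gained)))
        elif gained:
            findings.append(("scope_added", app["name"],
                             access_level(new_scopes), sorted(gained)))
    return findings


# Constructed sample inventories (app IDs are placeholders).
YESTERDAY = {
    "app-0001": {"name": "Spoof Force", "scopes": ["Calendars.Read"]},
    "app-0002": {"name": "Example Scheduler", "scopes": ["Calendars.ReadWrite"]},
}
TODAY = {
    "app-0001": {"name": "Spoof Force", "scopes": ["Calendars.Read", "Mail.ReadWrite"]},
    "app-0002": {"name": "Example Scheduler", "scopes": ["Calendars.ReadWrite"]},
    "app-0003": {"name": "Example Notes", "scopes": ["Mail.Read"]},
}

if __name__ == "__main__":
    for finding in diff_snapshots(YESTERDAY, TODAY):
        print(finding)
```
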

Cover Your Apps With AppBase

Let’s take a closer look at the breadth of capabilities within AppBase. As noted, AppBase centralizes app install and usage data, permissions, and other key metadata to help security teams understand how many apps are integrated into their cloud email platform, what those apps can do, and how heavily those apps are used.


Specifically, AppBase provides a running list that includes:

  • App Name

  • Access Level (Low or High levels of privilege)

  • Permissions (calendar and mailbox read/write access)

  • App Type

  • Tenant housing this integration

  • Registered user count

  • Platform

  • Analysis (insights such as privileged users having access)

If an Abnormal user drills down into the applications in the inventory list, they are met with a running timeline for a given application alongside additional details–including the publisher, an app description, and integration dates. In the example below, we can see the permissions granted for the fictional application, Spoof Force:

[Screenshot: AppBase app profile for Spoof Force]

From this app profile, a security analyst investigating a threat can then click the App ID to be taken directly to the application in Azure. The analyst can also click the names of users or tenants in the activity timeline to be taken to PeopleBase or TenantBase–continuing their investigation by using the activity contained in those Knowledge Bases.

If security teams were previously unaware of Spoof Force or felt Renee West was a risky user, it is crucial to know that this application not only exists in the organization’s email environment, but is integrated into the primary mail tenant, is accessed by privileged users, and has full permissions to access calendars and mailboxes. AppBase puts this information at the fingertips of security teams so they can remediate risks faster.

How AppBase Helps Solve the SaaS Problem

Again, if your organization is like most, you have hundreds of SaaS apps. Many of those apps are directly integrated with your cloud email security platform. Do you know what they are? Do you know what they can access? Do you know who accesses them? AppBase, along with the other Abnormal Knowledge Bases and Security Posture Management, helps to answer these questions so you can shine a light on the shadowy world of malicious app attacks.

Want to learn more about AppBase? Schedule a demo today.
