Abnormal Knowledge Bases: Using AppBase to Prevent Third-Party Application Attacks

Discover how Abnormal provides greater visibility into application permissions and data access across the cloud email platform with AppBase.
January 9, 2023

Remember when Apple’s trademark “there’s an app for that” was simply a quippy phrase to push the utility of having a smartphone?

Well, 12 years removed from Apple registering that trademark, the ubiquity of applications has taken on a new meaning in the corporate world…and in the world of cybercriminals.

Businesses use, on average, 323 SaaS applications, and to the delight of threat actors, IT teams typically only manage and have visibility into 27% of those apps.

One area of the business that is especially susceptible to application overload is an organization’s cloud email platform. With dozens of plug-ins and third-party app integrations for everything from calendars to creative suites, even organizations with the most granular app policies may be met with a visit from the shadow IT fairy. And that could spell trouble.

In fact, vulnerabilities in third-party software accounted for 13% of all breaches in 2022–costing victimized organizations $4.55M on average.

If you’re wondering how these app attacks typically present themselves, there are a couple of ways: either a threat actor flat-out steals API keys and then installs malicious applications with read/write access, or an internal user is tricked by a threat actor into installing what appears to be a legitimate application.

Both of these attacks can and do bypass traditional inbound email security tools as they often include no payload, come from a legitimate sender, or simply do not have an email component at all. The key to stopping these breaches is visibility and the ability to quickly address suspicious app installs and permission changes across the email platform.

How Abnormal Demystifies Your Application Landscape

Abnormal Security addresses this problem head-on in two interconnected ways: AppBase and the Security Posture Management Add-On. The latter is fed by the data within the former, as AppBase provides a running catalog of every app installed in your cloud email platform and the permissions for those apps.

This data is then correlated against the other Knowledge Bases–in particular, PeopleBase and TenantBase–to build detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when an unknown app with outsized permissions has been discovered.

Security Posture Management complements and extends AppBase by surfacing changes to apps and their associated permissions as they occur. Organizations can discover which apps their users have installed and, critically, when suspicious events occur–such as apps going from calendar access-only to suddenly being able to read and write to email.

Cover Your Apps With AppBase

Let’s take a closer look at the breadth of capabilities within AppBase. As noted, AppBase centralizes app install and usage data, permissions, and other key metadata to help security teams understand how many apps are integrated into their cloud email platform, what those apps can do, and how heavily those apps are used.

Specifically, AppBase provides a running list that includes:

  • App Name

  • Access Level (Low or High levels of privilege)

  • Permissions (calendar and mailbox read/write access)

  • App Type

  • Tenant housing this integration

  • Registered user count

  • Platform

  • Analysis (insights such as privileged users having access)

If an Abnormal user drills down into the applications in the inventory list, they are met with a running timeline for a given application alongside additional details–including the publisher, an app description, and integration dates. In the example below, we can see the permissions granted for the fictional application, Spoof Force:

[Image: AppBase application profile for Spoof Force]

From this app profile, a security analyst investigating a threat can then click the App ID to be taken directly to the application in Azure. The analyst can also click the names of users or tenants in the activity timeline to be taken to PeopleBase or TenantBase–continuing their investigation by using the activity contained in those Knowledge Bases.

If security teams were previously unaware of Spoof Force or felt Renee West was a risky user, it is crucial to know that this application not only exists in the organization’s email environment, but is integrated into the primary mail tenant, is accessed by privileged users, and has full permissions to access calendars and mailboxes. AppBase puts this information at the fingertips of security teams so they can remediate risks faster.
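The permission change described earlier (an app moving from calendar-only access to mailbox read/write) can be checked by diffing two snapshots of an app inventory. The sketch below is an added example, not Abnormal's code or data model: the `AppRecord` fields, the severity rules and the sample snapshots are assumptions, and the scope names follow Microsoft Graph permission naming.

```python
from dataclasses import dataclass

# Scopes treated as high-privilege mailbox access (assumed policy, tune locally).
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}

@dataclass(frozen=True)
class AppRecord:  # hypothetical inventory row, modelled on the list above
    app_id: str
    name: str
    tenant: str
    permissions: frozenset
    privileged_users: int = 0

def diff_inventory(previous, current):
    """Compare two inventory snapshots; return findings sorted by severity."""
    before = {a.app_id: a for a in previous}
    findings = []
    for app in current:
        old = before.get(app.app_id)
        granted = app.permissions - (old.permissions if old else frozenset())
        mail_gain = granted & MAIL_SCOPES
        if old is None:
            kind = "new_app"
        elif granted:
            kind = "permission_added"
        else:
            continue  # unchanged, or permissions were only removed
        severity = "high" if mail_gain else "low"
        if mail_gain and app.privileged_users:
            severity = "critical"  # new mailbox access and privileged users
        findings.append({"app": app.name, "tenant": app.tenant, "kind": kind,
                         "added": sorted(granted), "severity": severity})
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["app"]))

# Constructed sample snapshots (not real data).
YESTERDAY = [
    AppRecord("a1", "Spoof Force", "primary", frozenset({"Calendars.Read"}), 2),
    AppRecord("a2", "Notes Sync", "primary", frozenset({"Calendars.Read"})),
]
TODAY = [
    AppRecord("a1", "Spoof Force", "primary",
              frozenset({"Calendars.Read", "Mail.ReadWrite"}), 2),
    AppRecord("a2", "Notes Sync", "primary", frozenset({"Calendars.Read"})),
    AppRecord("a3", "Quick Poll", "sandbox", frozenset({"Calendars.ReadWrite"})),
]

if __name__ == "__main__":
    for finding in diff_inventory(YESTERDAY, TODAY):
        print(finding)
```

Findings sort with mailbox-access grants on apps used by privileged users first, so the calendar-to-mail escalation is reviewed before a low-privilege new install.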

How AppBase Helps Solve the SaaS Problem

Again, if your organization is like most, you have hundreds of SaaS apps. Many of those apps are directly integrated with your cloud email security platform. Do you know what they are? Do you know what they can access? Do you know who accesses them? AppBase, along with the other Abnormal Knowledge Bases and Security Posture Management, helps to answer these questions so you can shine a light on the shadowy world of malicious app attacks.

Want to learn more about AppBase? Schedule a demo today.
