Abnormal Knowledge Bases: Using AppBase to Prevent Third-Party Application Attacks

Discover how Abnormal provides greater visibility into application permissions and data access across the cloud email platform with AppBase.
January 9, 2023

Remember when Apple’s trademark “there’s an app for that” was simply a quippy phrase to push the utility of having a smartphone?

Well, 12 years removed from Apple registering that trademark, the ubiquity of applications has taken on a new meaning in the corporate world…and in the world of cybercriminals.

Businesses use, on average, 323 SaaS applications, and to the delight of threat actors, IT teams typically only manage and have visibility into 27% of those apps.

One area of the business that is especially susceptible to application overload is an organization’s cloud email platform. With dozens of plug-ins and third-party app integrations for everything from calendars to creative suites, even organizations with the most granular app policies may be met with a visit from the shadow IT fairy. And that could spell trouble.

In fact, vulnerabilities in third-party software accounted for 13% of all breaches in 2022–costing victimized organizations $4.55M on average.

If you’re wondering how these app attacks typically present themselves, there are a couple of ways: either a threat actor flat-out steals API keys and then installs malicious applications with read/write access, or an internal user is tricked by a threat actor into installing what appears to be a legitimate application.

Both of these attacks can and do bypass traditional inbound email security tools as they often include no payload, come from a legitimate sender, or simply do not have an email component at all. The key to stopping these breaches is visibility and the ability to quickly address suspicious app installs and permission changes across the email platform.

How Abnormal Demystifies Your Application Landscape

Abnormal Security addresses this problem head-on in two interconnected ways: AppBase and the Security Posture Management Add-On. The latter is fed by the data within the former, as AppBase provides a running catalog of every app installed in your cloud email platform and the permissions for those apps.

This data is then correlated against the other Knowledge Bases–in particular, PeopleBase and TenantBase–to build detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when an unknown app with outsized permissions has been discovered.

Security Posture Management complements and extends AppBase by surfacing changes to apps and their associated permissions as they occur. Organizations can discover which apps their users have installed and, critically, when suspicious events occur–such as an app going from calendar-only access to suddenly being able to read and write email.
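The permission-change check described above can be sketched as a diff of two inventory snapshots. This is an added example, not Abnormal's code or API: the record fields, app names and snapshots are constructed, and the scope strings follow Microsoft Graph permission naming.

```python
# Added example: constructed inventory snapshots keyed by a placeholder app ID.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}

BEFORE = {
    "app-001": {"name": "Example Calendar Sync", "permissions": ["Calendars.Read"]},
    "app-002": {"name": "Example Mail Archiver", "permissions": ["Mail.Read"]},
}
AFTER = {
    "app-001": {"name": "Example Calendar Sync",
                "permissions": ["Calendars.Read", "Mail.ReadWrite"]},
    "app-002": {"name": "Example Mail Archiver",
                "permissions": ["Mail.Read", "Mail.ReadWrite"]},
    "app-003": {"name": "Example Unknown App", "permissions": ["Mail.Send"]},
}


def scope_family(scope):
    """'Mail.ReadWrite' -> 'Mail' (the resource the scope applies to)."""
    return scope.split(".", 1)[0]


def diff_inventory(before, after):
    """Compare two {app_id: record} snapshots; return (app_id, finding, scopes)."""
    findings = []
    for app_id, cur in sorted(after.items()):
        cur_scopes = set(cur["permissions"])
        prev = before.get(app_id)
        if prev is None:
            # App was not in the earlier snapshot: flag it if it can touch mail.
            if cur_scopes & MAIL_SCOPES:
                findings.append((app_id, "new_app_with_mail_access",
                                 sorted(cur_scopes & MAIL_SCOPES)))
            continue
        prev_scopes = set(prev["permissions"])
        added = cur_scopes - prev_scopes
        prev_families = {scope_family(s) for s in prev_scopes}
        if added & MAIL_SCOPES and "Mail" not in prev_families:
            # The calendar-only -> mailbox case: a new resource family appears.
            findings.append((app_id, "escalated_to_mail", sorted(added & MAIL_SCOPES)))
        elif added:
            findings.append((app_id, "scopes_added", sorted(added)))
    return findings


if __name__ == "__main__":
    for finding in diff_inventory(BEFORE, AFTER):
        print(finding)
```

The jump into a new resource family is reported separately from a widening within an existing one, so the calendar-to-mailbox case can be triaged first.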

Cover Your Apps With AppBase

Let’s take a closer look at the breadth of capabilities within AppBase. As noted, AppBase centralizes app install and usage data, permissions, and other key metadata to help security teams understand how many apps are integrated into their cloud email platform, what those apps can do, and how heavily those apps are used.

Specifically, AppBase provides a running list that includes:

  • App Name
  • Access Level (Low or High levels of privilege)
  • Permissions (calendar and mailbox read/write access)
  • App Type
  • Tenant housing this integration
  • Registered user count
  • Platform
  • Analysis (insights such as privileged users having access)

If an Abnormal user drills down into the applications in the inventory list, they are met with a running timeline for a given application alongside additional details–including the publisher, an app description, and integration dates. In the example below, we can see the permissions granted for the fictional application, Spoof Force:

[Image: AppBase app profile for the fictional application Spoof Force]

From this app profile, a security analyst investigating a threat can then click the App ID to be taken directly to the application in Azure. The analyst can also click the names of users or tenants in the activity timeline to be taken to PeopleBase or TenantBase–continuing their investigation by using the activity contained in those Knowledge Bases.

If security teams were previously unaware of Spoof Force or felt Renee West was a risky user, it is crucial to know that this application not only exists in the organization’s email environment, but is integrated into the primary mail tenant, is accessed by privileged users, and has full permissions to access calendars and mailboxes. AppBase puts this information at the fingertips of security teams so they can remediate risks faster.

How AppBase Helps Solve the SaaS Problem

Again, if your organization is like most, you have hundreds of SaaS apps. Many of those apps are directly integrated with your cloud email security platform. Do you know what they are? Do you know what they can access? Do you know who accesses them? AppBase, along with the other Abnormal Knowledge Bases and Security Posture Management, helps to answer these questions so you can shine a light on the shadowy world of malicious app attacks.
