Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
January 24, 2023

While a distributed workforce has myriad benefits, the one constant with any innovation in the business world is that attackers can and will exploit it.

With that said, it’s 2023. Do you know where your users are? As it pertains to your cloud email environment, your users may just be under attack or already compromised. That new application a user installed or a new user suddenly becoming a global admin on your mail tenant may not be as innocuous as you think.

That isn’t used as a scare tactic but as a point of fact. As Ed Skoudis, President of the SANS Institute, noted in a 2022 TechTarget article “[attackers] are really focused on attacking home workers because they are no longer protected in these enclaves that organizations spent the last 30 years building."

This, of course, does not mean those folks going into the office are out of the woods. In the last year, the FBI noted a 65% increase in identified exposed losses due to business email compromise (BEC), which is a category that largely encompasses email account compromise (EAC).

Considering it takes, on average, 197 days to even detect a data breach–which we will use here as a fairly synonymous stand-in for a compromised user account–what can be done to sniff out the insidious actors that may be lurking on your email platform?

Answering “Who Goes There?” with Abnormal Security

To help combat account compromise, Abnormal Security uses behavioral data and dynamic user profiling through its PeopleBase Knowledge Base, alongside the Account Takeover Protection and Security Posture Management Add-Ons. While the latter two are critical pieces of the cloud email security puzzle, detecting anomalous behavioral signals and potentially risky configuration and privilege changes, for the sake of this article, we will take a closer look at PeopleBase–the hub for user activity data, and a key starting point to investigate suspicious user events.

PeopleBase builds detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when a user consistently logs in from unusual locations, uses unknown devices, suddenly gains global admin rights or adds multiple users and applications to a mail tenant (among other key behavioral categories).

Taken in a vacuum, a user logging in once from an entirely different country may raise red flags but may also be easily explained away as work travel or vacation. However, with the detection capabilities in Abnormal’s Account Takeover Protection—enhanced and correlated against the profiles built in PeopleBase—security teams can determine whether these individual events are part of a larger pattern to accurately diagnose whether a real risk is present.

Protecting Your Platforms with PeopleBase

Let’s take a closer look at the data housed within PeopleBase and the dynamic profiles PeopleBase builds for each user in your cloud email environment. As mentioned, PeopleBase consolidates data from a variety of sources, including Abnormal’s Inbound Email Security to detect suspicious mail activity and Account Takeover Protection to uncover anomalous activity across logins and devices.

People Base1

Specifically, PeopleBase provides:

  • An activity timeline including configuration changes, new applications installed, permissions granted, and more.

  • The team, contact info, and manager for a given user.

  • A dynamic genome comprised of a user’s typical:
    • Login locations

    • IP addresses

    • Browsers

    • Operating systems

    • Device IDs used

    • Applications used

    • Mail clients used

    • Sign-in status history

    • Geo coordinates

People Base2
People Base3

If an Abnormal user wants to drill down into any of the configuration changes or other activities undertaken by a given user, each item in the timeline provides links to associated applications, users, and tenants to facilitate a quick investigation.

For example, in the above screenshots, let’s say a Security administrator wanted to understand why Jonathan Green had added Josh Waters to the Azure Administrator role. While Jonathan is the Chief Financial Officer of his organization, it seems outside of his responsibilities to be determining user privileges. While all signs point to Jonathan’s account being legitimate, knowing the exact time and date this change occurred–and cross-referencing with login activity and circumstances around this time–can help Security practitioners confidently determine if this change warranted further investigation.

Beyond investigatory use cases, however, PeopleBase can be used to benchmark cloud email platform activity. Understanding how users interact at a holistic level means Security teams can be aware of what constitutes good behavior and respond immediately when conditions change.

PeopleBase Gives Power to the People. The Security People.

Again, as remote work continues to proliferate and present security challenges–and even as many workers return to the office and the relative safety of being “inside the perimeter”–monitoring and understanding user behavior needs to be dynamic. Security tools need to be adaptive to user changes to help answer the questions: Do you know where your users are? Are they installing risky applications or changing security configurations? Are your users who they say they are? Abnormal Security strives to give you the answers.

Want to learn more about PeopleBase? Request a personalized demo today.

Schedule a Demo
Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 Knowledge Base People Base L1 R1
Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
Read More
ABN B 12 2 22 Expanding our partnership L1 R2
Our partnership with Microsoft has created plenty of opportunities to celebrate. Here are some of the especially exciting moments from 2022.
Read More
B 1500x1500 5 key takeaways L1 R1
Ed Amoroso discusses the biggest security risks with cloud email and how to prevent them.
Read More
B Threat Intel Phishing Attacks HR Policies
Threat actors are capitalizing on the new year, posing as human resources officials to send credential phishing attacks.
Read More
ESG Blog
ESG’s technical validation proves the risk reduction capabilities of Abnormal Cloud Email Security.
Read More
CFO Cover
Industry-leading CFO Sam Wolff discusses spending on security technology in the current macroeconomic conditions.
Read More