Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
January 24, 2023

While a distributed workforce has myriad benefits, the one constant with any innovation in the business world is that attackers can and will exploit it.

It’s 2023. Do you know where your users are? As it pertains to your cloud email environment, your users may just be under attack or already compromised. That new application a user installed or a new user suddenly becoming a global admin on your mail tenant may not be as innocuous as you think.

That isn’t a scare tactic so much as a point of fact. As Ed Skoudis, President of the SANS Institute, noted in a 2022 TechTarget article “[attackers] are really focused on attacking home workers because they are no longer protected in these enclaves that organizations spent the last 30 years building."

This, of course, does not mean those folks going into the office are out of the woods. In the last year, the FBI noted a 65% increase in identified exposed losses due to business email compromise (BEC), which is a category that largely encompasses email account compromise (EAC).

Considering it takes, on average, 197 days to even detect a data breach–which we will use here as a fairly synonymous stand-in for a compromised user account–what can be done to sniff out the insidious actors that may be lurking on your email platform?

Answering “Who Goes There?” with Abnormal Security

To help combat account compromise, Abnormal Security uses behavioral data and dynamic user profiling through its PeopleBase Knowledge Base, alongside the Account Takeover Protection and Security Posture Management Add-Ons. While the latter two are critical pieces of the cloud email security puzzle, detecting anomalous behavioral signals and potentially risky configuration and privilege changes, for the sake of this article, we will take a closer look at PeopleBase–the hub for user activity data, and a key starting point to investigate suspicious user events.

PeopleBase builds detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when a user consistently logs in from unusual locations, uses unknown devices, suddenly gains global admin rights or adds multiple users and applications to a mail tenant (among other key behavioral categories).

Taken in a vacuum, a user logging in once from an entirely different country may raise red flags but may also be easily explained away as work travel or vacation. However, with the detection capabilities in Abnormal’s Account Takeover Protection—enhanced and correlated against the profiles built in PeopleBase—security teams can determine whether these individual events are part of a larger pattern to accurately diagnose whether a real risk is present.

Protecting Your Platforms with PeopleBase

Let’s take a closer look at the data housed within PeopleBase and the dynamic profiles PeopleBase builds for each user in your cloud email environment. As mentioned, PeopleBase consolidates data from a variety of sources, including Abnormal’s Inbound Email Security to detect suspicious mail activity and Account Takeover Protection to uncover anomalous activity across logins and devices.

People Base1

Specifically, PeopleBase provides:

  • An activity timeline including configuration changes, new applications installed, permissions granted, and more.

  • The team, contact info, and manager for a given user.

  • A dynamic genome comprised of a user’s typical:
    • Login locations

    • IP addresses

    • Browsers

    • Operating systems

    • Device IDs used

    • Applications used

    • Mail clients used

    • Sign-in status history

    • Geo coordinates

People Base2
People Base3

If an Abnormal user wants to drill down into any of the configuration changes or other activities undertaken by a given user, each item in the timeline provides links to associated applications, users, and tenants to facilitate a quick investigation.

For example, in the above screenshots, let’s say a Security administrator wanted to understand why Jonathan Green had added Josh Waters to the Azure Administrator role. While Jonathan is the Chief Financial Officer of his organization, it seems outside of his responsibilities to be determining user privileges. While all signs point to Jonathan’s account being legitimate, knowing the exact time and date this change occurred–and cross-referencing with login activity and circumstances around this time–can help Security practitioners confidently determine if this change warranted further investigation.

Beyond investigatory use cases, however, PeopleBase can be used to benchmark cloud email platform activity. Understanding how users interact at a holistic level means Security teams can be aware of what constitutes good behavior and respond immediately when conditions change.

PeopleBase Gives Power to the People. The Security People.

Again, as remote work continues to proliferate and present security challenges–and even as many workers return to the office and the relative safety of being “inside the perimeter”–monitoring and understanding user behavior needs to be dynamic. Security tools need to be adaptive to user changes to help answer the questions: Do you know where your users are? Are they installing risky applications or changing security configurations? Are your users who they say they are? Abnormal Security strives to give you the answers.

Want to learn more about PeopleBase? Request a personalized demo today.

Schedule a Demo
Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

BC 5 31 23 Vendor Risks
Learn the biggest risks associated with your vendor relationships and how to protect your organization from Vendor Email Compromise (VEC) attacks.
Read More
B 5 30 23 Teams
See how Abnormal's advanced security solutions protect Microsoft Teams workspace from malicious attacks and account takeovers.
Read More
Zoom BC
Discover how Abnormal protects your Zoom messages and prevents attackers from using the application to breach your business.
Read More
B 5 22 23 SOC
Discover how Abnormal simplifies detection, enhances investigation, and automates remediation, increasing threat investigation efficacy at the SOC level.
Read More
B Phishing
Knowing what to do after receiving a phishing attack is essential for preventing costly consequences. Learn how to respond to Phishing attacks.
Read More
B 5 15 23 Israel BEC
Abnormal research into an advanced Israel-based threat group puts a spotlight on the continuing rise of BEC attacks.
Read More