Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
January 24, 2023

While a distributed workforce has myriad benefits, the one constant with any innovation in the business world is that attackers can and will exploit it.

It’s 2023. Do you know where your users are? As it pertains to your cloud email environment, your users may just be under attack or already compromised. That new application a user installed or a new user suddenly becoming a global admin on your mail tenant may not be as innocuous as you think.

That isn’t a scare tactic so much as a point of fact. As Ed Skoudis, President of the SANS Institute, noted in a 2022 TechTarget article “[attackers] are really focused on attacking home workers because they are no longer protected in these enclaves that organizations spent the last 30 years building."

This, of course, does not mean those folks going into the office are out of the woods. In the last year, the FBI noted a 65% increase in identified exposed losses due to business email compromise (BEC), which is a category that largely encompasses email account compromise (EAC).

Considering it takes, on average, 197 days to even detect a data breach–which we will use here as a fairly synonymous stand-in for a compromised user account–what can be done to sniff out the insidious actors that may be lurking on your email platform?

Answering “Who Goes There?” with Abnormal Security

To help combat account compromise, Abnormal Security uses behavioral data and dynamic user profiling through its PeopleBase Knowledge Base, alongside the Account Takeover Protection and Security Posture Management Add-Ons. While the latter two are critical pieces of the cloud email security puzzle, detecting anomalous behavioral signals and potentially risky configuration and privilege changes, for the sake of this article, we will take a closer look at PeopleBase–the hub for user activity data, and a key starting point to investigate suspicious user events.

PeopleBase builds detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when a user consistently logs in from unusual locations, uses unknown devices, suddenly gains global admin rights or adds multiple users and applications to a mail tenant (among other key behavioral categories).

Taken in a vacuum, a user logging in once from an entirely different country may raise red flags but may also be easily explained away as work travel or vacation. However, with the detection capabilities in Abnormal’s Account Takeover Protection—enhanced and correlated against the profiles built in PeopleBase—security teams can determine whether these individual events are part of a larger pattern to accurately diagnose whether a real risk is present.

Protecting Your Platforms with PeopleBase

Let’s take a closer look at the data housed within PeopleBase and the dynamic profiles PeopleBase builds for each user in your cloud email environment. As mentioned, PeopleBase consolidates data from a variety of sources, including Abnormal’s Inbound Email Security to detect suspicious mail activity and Account Takeover Protection to uncover anomalous activity across logins and devices.

People Base1

Specifically, PeopleBase provides:

  • An activity timeline including configuration changes, new applications installed, permissions granted, and more.

  • The team, contact info, and manager for a given user.

  • A dynamic genome comprised of a user’s typical:
    • Login locations

    • IP addresses

    • Browsers

    • Operating systems

    • Device IDs used

    • Applications used

    • Mail clients used

    • Sign-in status history

    • Geo coordinates

People Base2
People Base3

If an Abnormal user wants to drill down into any of the configuration changes or other activities undertaken by a given user, each item in the timeline provides links to associated applications, users, and tenants to facilitate a quick investigation.

For example, in the above screenshots, let’s say a Security administrator wanted to understand why Jonathan Green had added Josh Waters to the Azure Administrator role. While Jonathan is the Chief Financial Officer of his organization, it seems outside of his responsibilities to be determining user privileges. While all signs point to Jonathan’s account being legitimate, knowing the exact time and date this change occurred–and cross-referencing with login activity and circumstances around this time–can help Security practitioners confidently determine if this change warranted further investigation.

Beyond investigatory use cases, however, PeopleBase can be used to benchmark cloud email platform activity. Understanding how users interact at a holistic level means Security teams can be aware of what constitutes good behavior and respond immediately when conditions change.

PeopleBase Gives Power to the People. The Security People.

Again, as remote work continues to proliferate and present security challenges–and even as many workers return to the office and the relative safety of being “inside the perimeter”–monitoring and understanding user behavior needs to be dynamic. Security tools need to be adaptive to user changes to help answer the questions: Do you know where your users are? Are they installing risky applications or changing security configurations? Are your users who they say they are? Abnormal Security strives to give you the answers.

Want to learn more about PeopleBase? Request a personalized demo today.

Schedule a Demo
Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More