Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
January 24, 2023

While a distributed workforce has myriad benefits, the one constant with any innovation in the business world is that attackers can and will exploit it.

It’s 2023. Do you know where your users are? As it pertains to your cloud email environment, your users may just be under attack or already compromised. That new application a user installed or a new user suddenly becoming a global admin on your mail tenant may not be as innocuous as you think.

That isn’t a scare tactic so much as a point of fact. As Ed Skoudis, President of the SANS Institute, noted in a 2022 TechTarget article, “[attackers] are really focused on attacking home workers because they are no longer protected in these enclaves that organizations spent the last 30 years building.”

This, of course, does not mean those folks going into the office are out of the woods. In the last year, the FBI noted a 65% increase in identified exposed losses due to business email compromise (BEC), which is a category that largely encompasses email account compromise (EAC).

Considering it takes, on average, 197 days to even detect a data breach–which we will use here as a fairly synonymous stand-in for a compromised user account–what can be done to sniff out the insidious actors that may be lurking on your email platform?

Answering “Who Goes There?” with Abnormal Security

To help combat account compromise, Abnormal Security uses behavioral data and dynamic user profiling through its PeopleBase Knowledge Base, alongside the Account Takeover Protection and Security Posture Management Add-Ons. The latter two are critical pieces of the cloud email security puzzle (detecting anomalous behavioral signals and potentially risky configuration and privilege changes), but this article takes a closer look at PeopleBase: the hub for user activity data and a key starting point for investigating suspicious user events.

PeopleBase builds detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when a user consistently logs in from unusual locations, uses unknown devices, suddenly gains global admin rights or adds multiple users and applications to a mail tenant (among other key behavioral categories).

Taken in a vacuum, a user logging in once from an entirely different country may raise red flags but may also be easily explained away as work travel or vacation. However, with the detection capabilities in Abnormal’s Account Takeover Protection—enhanced and correlated against the profiles built in PeopleBase—security teams can determine whether these individual events are part of a larger pattern to accurately diagnose whether a real risk is present.

Protecting Your Platforms with PeopleBase

Let’s take a closer look at the data housed within PeopleBase and the dynamic profiles PeopleBase builds for each user in your cloud email environment. As mentioned, PeopleBase consolidates data from a variety of sources, including Abnormal’s Inbound Email Security to detect suspicious mail activity and Account Takeover Protection to uncover anomalous activity across logins and devices.

[Screenshot: PeopleBase 1]

Specifically, PeopleBase provides:

  • An activity timeline including configuration changes, new applications installed, permissions granted, and more.

  • The team, contact info, and manager for a given user.

  • A dynamic genome composed of a user’s typical:
    • Login locations
    • IP addresses
    • Browsers
    • Operating systems
    • Device IDs used
    • Applications used
    • Mail clients used
    • Sign-in status history
    • Geo coordinates

[Screenshot: PeopleBase 2]
[Screenshot: PeopleBase 3]
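The genome above is a per-user baseline, and the earlier point about correlating a single unusual login against that baseline is what turns one red flag into a pattern. As an added illustration (not Abnormal’s code, and not how PeopleBase is implemented), the following builds a baseline from constructed sign-in records and flags a login only when many attributes are novel at once or when deviations recur within a rolling window:

```python
from collections import Counter

# Attribute order of each constructed sign-in record (after the day number).
ATTRS = ("country", "ip", "browser", "os", "device_id")

# Constructed sign-in history for one user; not real telemetry.
HISTORY = [
    (1, "US", "203.0.113.10", "Chrome", "Windows", "dev-A"),
    (2, "US", "203.0.113.10", "Chrome", "Windows", "dev-A"),
    (3, "US", "203.0.113.11", "Chrome", "Windows", "dev-A"),
    (5, "US", "198.51.100.7", "Edge", "Windows", "dev-B"),
]

def build_genome(history):
    """Per-attribute value counts: the user's 'typical' logins."""
    genome = {attr: Counter() for attr in ATTRS}
    for rec in history:
        for attr, value in zip(ATTRS, rec[1:]):
            genome[attr][value] += 1
    return genome

def novel_attributes(genome, login):
    """Attributes of `login` whose value never appears in the genome."""
    return [a for a, v in zip(ATTRS, login[1:]) if genome[a][v] == 0]

def assess(history, logins, window_days=7, min_novel=3, min_repeats=2):
    """Score new logins against the genome. A single small deviation is
    tolerated (travel, new laptop); flag when many attributes are novel at
    once, or when deviations recur inside a rolling window of days."""
    genome = build_genome(history)
    recent, flagged = [], []
    for login in logins:
        day, novel = login[0], novel_attributes(genome, login)
        recent = [(d, n) for d, n in recent if day - d < window_days]
        if not novel:
            continue
        recent.append((day, novel))
        if len(novel) >= min_novel:
            flagged.append((day, "multi-attribute deviation", novel))
        elif len(recent) >= min_repeats:
            flagged.append((day, "recurring deviation", novel))
    return flagged

# Constructed follow-on logins: a trip abroad, then something worse.
NEW_LOGINS = [
    (6, "FR", "192.0.2.50", "Chrome", "Windows", "dev-A"),   # one-off: tolerated
    (9, "FR", "192.0.2.50", "Chrome", "Windows", "dev-A"),   # repeats within window
    (20, "BR", "192.0.2.99", "Firefox", "Linux", "dev-Z"),   # every attribute is new
]

if __name__ == "__main__":
    for day, reason, novel in assess(HISTORY, NEW_LOGINS):
        print(f"day {day}: {reason}: {novel}")
```

The thresholds and window are assumptions chosen for the sample; a real deployment would tune them per user population and feed the timeline entries (role changes, new applications) into the same correlation.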

If an Abnormal user wants to drill down into any of the configuration changes or other activities undertaken by a given user, each item in the timeline provides links to associated applications, users, and tenants to facilitate a quick investigation.

For example, in the above screenshots, let’s say a Security administrator wanted to understand why Jonathan Green had added Josh Waters to the Azure Administrator role. While Jonathan is the Chief Financial Officer of his organization, determining user privileges seems outside of his responsibilities. Even where all signs point to Jonathan’s account being legitimate, knowing the exact time and date this change occurred, and cross-referencing it with login activity and circumstances around that time, helps Security practitioners confidently determine whether the change warrants further investigation.

Beyond investigatory use cases, however, PeopleBase can be used to benchmark cloud email platform activity. Understanding how users interact at a holistic level means Security teams can be aware of what constitutes good behavior and respond immediately when conditions change.

PeopleBase Gives Power to the People. The Security People.

Again, as remote work continues to proliferate and present security challenges–and even as many workers return to the office and the relative safety of being “inside the perimeter”–monitoring and understanding user behavior needs to be dynamic. Security tools need to be adaptive to user changes to help answer the questions: Do you know where your users are? Are they installing risky applications or changing security configurations? Are your users who they say they are? Abnormal Security strives to give you the answers.

Want to learn more about PeopleBase? Request a personalized demo today.
