
Abnormal Knowledge Bases: Using VendorBase to Prevent Vendor Email Compromise Attacks

Discover how Abnormal provides detailed risk assessments based on vendor email analysis with VendorBase.
December 21, 2022

Organizations spend hundreds of thousands of dollars increasing their security posture to protect against the constant threat of cyberattacks, all of which could cause financial loss, damage to brand reputation, or data loss. But what happens when attackers focus less on you and more on your supply chain? What can you do about the attackers who are targeting you, using real accounts of the vendors with which you do business?

Since its initial identification in 2013, executive impersonation has been the most popular type of business email compromise, as attackers often impersonate the CEO. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

Supply chain email compromise, often referred to as vendor email compromise or VEC, is an attack strategy that involves the impersonation of a trusted vendor to gain access to company funds, intellectual property, employee information, or customer data. Attackers may use domain spoofing, user impersonation, or stolen credentials of compromised accounts to engage with organizations.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022. Part of this increase can be attributed to the fact that there are multiple ways for attackers to target organizations through their vendors, including aging report attacks and blind third-party impersonation using information gathered from the public domain.

How Abnormal Stops VEC Attacks

Abnormal’s approach to cloud email security goes beyond simply identifying your employees and assessing the risk for each one. Instead, Abnormal analyzes communications between all senders and recipients, including the vendors in your supply chain.

Using our behavioral AI, machine learning models, natural language processing, and computer vision, we can establish a baseline of communication patterns, track invoice information such as banking details, and analyze the relationship between vendor and organization. Our in-depth content analysis allows us to inspect every email's tone, intent, attachments, and URLs to determine the risk score of the message and provide a risk assessment of the vendor. By understanding normal behavior, Abnormal can detect when changes have occurred across the supply chain and use that risk information to make decisions on incoming messages.

Increase Your Visibility With VendorBase

Abnormal centralizes the email analysis information of your vendors in a Knowledge Base called VendorBase™. VendorBase is a global, federated database that tracks the reputation of every vendor across all Abnormal customers, providing deeper insight and visibility into each vendor’s email activities. By correlating data across all customers, Abnormal can detect when a vendor may be at higher risk for one customer and use that information to block emails from that same vendor for another customer.


VendorBase gives Abnormal customers access to the signals used as part of our behavioral AI for every vendor.

This includes:

  • Profile information

  • Relationship analysis, including vendor contacts and internal recipients

  • Common vendor locations and IP addresses

  • Risk assessment scores with in-depth insights

  • Timeline of malicious email activity, including attacks targeting the Abnormal community

In this example, you can see the information Abnormal has gathered about Prolia Systems.


The risk assessment of each vendor is computed using signals related to the vendor's identity and behavior, as well as the content of each message. It also includes reports from all Abnormal customers and uses the results as part of the risk assessment computation. This information is included in VendorBase and is available to all Abnormal customers.


How VendorBase Can Help Your Organization

Before VendorBase, organizations lacked a tool that would offer them clear visibility into the risk of their supply chain, making it difficult to detect email attacks. And because these attacks are often sent from legitimate vendor accounts, they can cause severe loss to organizations.

With Abnormal, preventing supply chain compromise is easy and does not require manual configuration. With our cloud-native, API-based approach, there is no delay in email delivery time, and all inspection and scanning are performed in memory.

Abnormal natively integrates into your cloud office environment, assesses signals about your employees and vendors, and continuously establishes baselines of “known good” behavior throughout the environment. When an email deviates from this baseline, Abnormal automatically remediates the message and thwarts the attack, protecting your organization from both vendor fraud and the full spectrum of attacks.

Want to learn more about VendorBase? Request a personalized demo today to see the product in action.
