Abnormal Knowledge Bases: Using VendorBase to Prevent Vendor Email Compromise Attacks

Discover how Abnormal provides detailed risk assessments based on vendor email analysis with VendorBase.
December 21, 2022

Organizations spend hundreds of thousands of dollars increasing their security posture to protect against the constant threat of cyberattacks, all of which could cause financial loss, damage to brand reputation, or data loss. But what happens when attackers focus less on you and more on your supply chain? What can you do about the attackers who are targeting you, using real accounts of the vendors with which you do business?

Since its initial identification in 2013, executive impersonation has been the most popular type of business email compromise, as attackers often impersonate the CEO. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

Supply chain email compromise, often referred to as vendor email compromise or VEC, is an attack strategy that involves the impersonation of a trusted vendor to gain access to company funds, intellectual property, employee information, or customer data. Attackers may use domain spoofing, user impersonation, or stolen credentials of compromised accounts to engage with organizations.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022. Part of this increase can be attributed to the fact that there are multiple ways for organizations to be targeted by vendors, including with aging report attacks and blind third-party impersonation using information gathered from the public domain.

How Abnormal Stops VEC Attacks

Abnormal’s approach to cloud email security goes beyond simply identifying your employees and assessing the risk for each one. Instead, Abnormal analyzes communications between all senders and recipients, including the vendors in your supply chain.

Using our behavioral AI, machine learning models, natural language processing, and computer vision, we can establish a baseline of communication patterns, track invoice information such as banking details, and analyze the relationship between vendor and organization. Our in-depth content analysis allows us to inspect every email's tone, intent, attachments, and URLs to determine the risk score of the message and provide a risk assessment of the vendor. By understanding normal behavior, Abnormal can detect when changes have occurred across the supply chain and use that risk information to make decisions on incoming messages.

Increase Your Visibility With VendorBase

Abnormal centralizes the email analysis information of your vendors in a Knowledge Base called VendorBase™. VendorBase is a global, federated database that tracks the reputation of every vendor across all Abnormal customers, providing deeper insight and visibility into each vendor’s email activities. By correlating data across all customers, Abnormal can detect when a vendor may be at higher risk for one customer and use that information to block emails from that same vendor for another customer.


VendorBase gives Abnormal customers access to the signals used as part of our behavioral AI for every vendor.

This includes:

  • Profile information

  • Relationship analysis, including vendor contacts and internal recipients

  • Common vendor locations and IP addresses

  • Risk assessment scores with in-depth insights

  • Timeline of malicious email activity, including attacks targeting the Abnormal community

In this example, you can see the information Abnormal has gathered about Prolia Systems.


The risk assessment of each vendor is computed using signals related to the vendor's identity and behavior, as well as the content of each message. It also includes reports from all Abnormal customers and uses the results as part of the risk assessment computation. This information is included in VendorBase and is available to all Abnormal customers.


How VendorBase Can Help Your Organization

Before VendorBase, organizations lacked a tool that would offer them clear visibility into the risk of their supply chain, making it difficult to detect email attacks. And because these attacks are often sent from legitimate vendor accounts, they can cause severe loss to organizations.

With Abnormal, preventing supply chain compromise is easy and does not require manual configuration. With our cloud-native, API-based approach, there is no delay in email delivery time, and all inspection and scanning are performed in memory.

Abnormal natively integrates into your cloud office environment, assesses signals about your employees and vendors, and continuously establishes baselines of “known good” behavior throughout the environment. When an email deviates from this baseline, Abnormal automatically remediates the message and thwarts the attack, protecting your organization from both vendor fraud and the full spectrum of attacks.

Want to learn more about VendorBase? Request a personalized demo today to see the product in action.

Abnormal Knowledge Bases: Using VendorBase to Prevent Vendor Email Compromise Attacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More