Abnormal Activity: Unveiling Abnormal Updates for Improved Detection, Investigation, and Productivity

Welcome to the latest installment of Abnormal Activity! This recurring quarterly blog and webinar series provides insights into the evolution of our product. In this edition, we're thrilled to unveil significant enhancements that can directly impact the detection, investigation, productivity, and reporting for your security team.

Join us as we showcase the exciting developments our team has been diligently working on, offering you a fresh perspective and a renewed appreciation for AI-native email security.

We also encourage you to join us for our Abnormal Activity webinar on March 6 at 1:00 pm ET. Register here.

Now, let’s dive into the updates!

Graymail messages inundate user inboxes with sales outreach, newsletters, and advertisements, overwhelming employees and eroding productivity. In 2022, Email Productivity was released as an add-on module to Inbound Email Security. Email Productivity applies the same behavioral AI, natural language processing (NLP), and natural language understanding (NLU) models used to stop inbound email attacks, to remove graymail messages from the inbox.

Email Productivity is now available for Google Workspace environments. When deployed in a Google environment, Email Productivity will automatically remove promotional messages from the inbox and place them into a graymail label, as seen below. This results in measurable productivity gains.

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. To combat this threat, Abnormal previously released a QR code detector which works in tandem with behavioral AI to detect and remediate emails containing a malicious QR code.

Customers can now filter Threat Log to view all attacks remediated by the QR code detector. This enhancement provides valuable insights into the frequency of QR code attacks and allows for a more targeted analysis of security threats.

In this latest enhancement of Abnormal Email Account Takeover Protection, Abnormal Cases have been enriched with contextual insights detailing why an event triggered a case and which signals helped determine that event was suspicious. Abnormal Cases will now highlight how frequently a user (and in certain cases, the company itself) was associated with analyzed signals such as IP addresses, ISPs, browsers, locations, etc—ultimately helping to determine when the use of one of these signals is suspicious.

Additionally, Cases will now be assigned a Confidence Score: A ‘High’ score requires immediate attention, a ‘Medium’ score indicates a “potential risk” that should be investigated, and a ‘Low’ score is attributed to notable or suspicious events that may be unusual but are not anomalous enough to label as an urgent threat.

To reduce noise, Cases in the Account Takeover Protection list view will be segmented based on confidence to give immediate visibility into the highest priority Cases, while still providing quick access to the other suspicious user cases that are not considered active account takeovers.

Abuse Mailbox Automation automatically triages and remediates user-reported emails and marks them as malicious, spam, or safe. When a malicious email is identified, Abuse Mailbox will intelligently locate and remove other unreported emails within the same phishing campaign.

Abnormal has introduced new large language models to accelerate the analysis of reported messages to Abuse Mailbox Automation.

In the relentless pursuit of detection excellence, Abnormal consistently invests in improvements to its AI-native detection engine. By implementing new detectors and leveraging additional data, we aim to amplify the detection engine’s overall effectiveness at identifying new and emerging attacks, such as the real-world example below.

In this image-based attack, the attacker employs urgent subject lines and attachments to induce a rushed response from the recipient. This attack also passed an SPF check which could make it appear more legitimate to the recipient. The content of the attack is embedded in the image to intentionally thwart detection. Abnormal was able to detect this attack with a natural language processing (NLP) based model. In this new enhancement, Abnormal trained a character-level NLP model to detect a slice of attacks where the subject, display name, and from email fields are sufficient to judge a message accurately.

We are excited to share a series of detection enhancements and new detectors:

• Improved detectors to identify new OnMicrosoft backscatter attacks. In these attacks, spammers use real email addresses to receive bounce messages for messages the recipient didn’t send.

• Implementation of detection mechanisms to enhance the identification of Netflix impersonation phishing attacks, particularly those masquerading as subscription renewal notices.

• New detection improvements for attack messages that consist of top impersonated brands using legitimate attack vectors to collect sensitive information.

• Enhanced detection rate to more effectively identify instances of display name impersonation involving the company name in attacks.

New detectors:

• New detector to increase the detection rate of VIP impersonations sending potential invoice fraud.

• New detector to better detect Meta impersonation emails leveraging Salesforce and Google notifications.

• New detector to improve the detection rate of brand impersonation attacks where attackers utilize spacing in the sender’s name for obfuscation.

• New detector to stop attacks that contain hidden text and appended conversations.

• New detector to increase the detection rate of DocuSign name impersonation attacks.

In addition to the enhancements above, Abnormal consistently retrains its detection models to dynamically respond to evolving attack patterns observed in the Abnormal environment. This proactive approach boosts our ability to detect unprecedented and novel malicious attacks.

Abnormal is committed to further refining its current product offerings and detection capabilities, while simultaneously developing new and exciting products and features to further secure our customers’ environments. To get a sneak peek at our roadmap, register for the Abnormal Activity product update webinar on March 6 at 1:00 pm ET. To learn more about what Abnormal can do for you today, request a demo below.