This is part 2 of the 3-part series on COVID-19 and email attacks. Attackers are exploiting the fear and urgency of the COVID-19 backdrop as employees settle into shelter-in-place routines. Because these attacks are novel, with no prior samples or indicators to match against, they are reaching employee inboxes. Our 3-part series includes:
In addition, in our COVID-19 Resources Center, see examples of actual attacks Abnormal Security has detected, along with a deep dive that dissects the attack facets being employed to engender fear, urgency, and engagement with the recipient.
COVID-19 and coronavirus email-based attacks are increasing. Because these attacks are novel, there are no prior samples or indicators for signature- and reputation-based filters to match, so they are being delivered to employee inboxes at organizations without advanced email protection, and they are receiving high rates of engagement from unsuspecting employees.
Abnormal Security's email security platform natively detects and remediates these threats because of how the system is built. Abnormal Security has been detecting and remediating these COVID-19 attacks since they began appearing earlier this year. The engine caught them without any changes to the platform, because the attacks display the following traits:
In addition, Abnormal Security has instituted additional measures to ensure that these attacks are caught:
We are also aware that employees need to receive legitimate COVID-19-related communications in a timely manner. As a result, in addition to boosting our ability to catch attacks that exploit the COVID-19 crisis, we are closely monitoring and tuning our model to minimize the likelihood of blocking legitimate COVID-19 communications. The topic alone is not a reason to block a message; the anomalies around it are.
But let’s go further into how Abnormal Security’s anomaly detection engine works, and why it’s been so effective at stopping COVID-19-related attacks.
At its core, our detection engine learns the normal behavioral patterns of our customers' email ecosystems. The user and entity behavior analytics (UEBA) engine is trained on known-good email within each customer organization and uses that as a baseline. Anything that departs from the baseline stands out as anomalous: an unfamiliar sender, a sender-recipient pair that has never communicated before, or language that presses for urgency and engagement. Because the baseline describes normal behavior rather than known-bad content, a lure that has never been seen before is still caught when the sender and the behavior around it are out of place.
Below is a sample attack showing the Abnormal Detection Engine at work.
Here is the analysis from the detection engine that explains the remediation. The engine analyzed 21K+ signals; the decisive ones were three anomalies in the email's behavior: 1) an unusual sender, 2) an attempt to engage the recipient, and 3) a suspicious link that phishes for credentials.
The ABX Detection Platform consists of 1) Identity Modeling, 2) a Relationship Graph that models behavior, and 3) Content Analysis. The confluence of these three engines is required to detect the most sophisticated attacks entering the enterprise ecosystem: any one signal on its own (a new sender, an urgent tone) also occurs in legitimate mail, but the combination does not.
The three components of the ABX platform are displayed in detecting the below email attack.
In the email attack above, the attacker 1) impersonates the HR department from a domain outside the organization and 2) uses urgency to push the recipient to click the link.
The Identity Engine of the ABX platform detects the anomalous identity of the new sender impersonating the HR department (displayed below).
The Behavioral Engine of the ABX platform detects the anomalous behavior of the sender.
The Content Engine of the ABX platform analyzes the content using Natural Language Processing to detect the formality, urgency, and engagement incited by the wording, together with the link the wording is steering the recipient toward.
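To make the three-engine idea concrete, here is an added, self-contained illustration of identity, relationship, and content signals being combined over a learned baseline. It is not Abnormal Security's code and does not reflect its models; the keyword lists, the scoring rule, the `corp.example` organization, and all of the emails are constructed for the example. A real content engine would use a trained NLP model rather than a keyword list. The block also shows why a legitimate COVID-19 notice from the real HR address, and a first-contact vendor email without a lure, are delivered rather than blocked.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed vocabulary for the toy content engine (a stand-in for an NLP model).
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "action required", "mandatory")
ENGAGEMENT_TERMS = ("click", "confirm", "verify", "sign in", "log in", "review")
CREDENTIAL_PATH = re.compile(r"/(login|signin|verify|account|password)", re.I)


@dataclass
class Email:
    display_name: str
    address: str
    recipient: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)

    @property
    def domain(self) -> str:
        return self.address.lower().rsplit("@", 1)[1]


class Baseline:
    """Learned from known-good mail: which display names map to which
    addresses (identity) and who normally writes to whom (relationship graph)."""

    def __init__(self, org_domain: str) -> None:
        self.org_domain = org_domain.lower()
        self.name_to_addrs: Dict[str, Set[str]] = defaultdict(set)
        self.edges: Dict[Tuple[str, str], int] = defaultdict(int)
        self.known_domains: Set[str] = set()

    def learn(self, mail: Email) -> None:
        self.name_to_addrs[mail.display_name.lower()].add(mail.address.lower())
        self.edges[(mail.address.lower(), mail.recipient.lower())] += 1
        self.known_domains.add(mail.domain)


def identity_signals(base: Baseline, mail: Email) -> List[str]:
    signals = []
    known = base.name_to_addrs.get(mail.display_name.lower())
    if known and mail.address.lower() not in known:
        signals.append("display_name_mismatch")  # familiar name, unfamiliar address
    if mail.domain not in base.known_domains:
        signals.append("new_sender_domain")
    return signals


def relationship_signals(base: Baseline, mail: Email) -> List[str]:
    if base.edges.get((mail.address.lower(), mail.recipient.lower()), 0) == 0:
        return ["no_prior_relationship"]  # no edge in the learned graph
    return []


def content_signals(base: Baseline, mail: Email) -> List[str]:
    text = f"{mail.subject} {mail.body}".lower()
    signals = []
    if any(t in text for t in URGENCY_TERMS):
        signals.append("urgency")
    if any(t in text for t in ENGAGEMENT_TERMS):
        signals.append("engagement")
    for url in mail.links:
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        off_org = host != base.org_domain and not host.endswith("." + base.org_domain)
        if off_org and CREDENTIAL_PATH.search(url):
            signals.append("credential_link")  # login-style path on an outside host
            break
    return signals


def analyze(base: Baseline, mail: Email) -> Dict[str, object]:
    """Confluence rule: remediate only when the sender is anomalous AND the
    content carries a lure. Either alone is common in legitimate mail."""
    report = {
        "identity": identity_signals(base, mail),
        "relationship": relationship_signals(base, mail),
        "content": content_signals(base, mail),
    }
    sender_anomalous = bool(report["identity"]) or bool(report["relationship"])
    content = report["content"]
    content_risky = "credential_link" in content or ("urgency" in content and "engagement" in content)
    report["verdict"] = "remediate" if sender_anomalous and content_risky else "deliver"
    return report


def demo() -> Dict[str, Dict[str, object]]:
    base = Baseline("corp.example")
    # Constructed known-good history for the baseline.
    for good in (
        Email("HR Department", "hr@corp.example", "alice@corp.example", "Open enrollment", "Enrollment starts Monday."),
        Email("HR Department", "hr@corp.example", "bob@corp.example", "Open enrollment", "Enrollment starts Monday."),
        Email("Bob Chen", "bob@corp.example", "alice@corp.example", "Lunch?", "Noon works for me."),
    ):
        base.learn(good)
    samples = {
        # HR impersonation from a look-alike domain with an urgent credential lure.
        "attack": Email("HR Department", "hr@corp-hr-covid-update.example", "alice@corp.example",
                        "COVID-19 Work From Home Policy - Action Required",
                        "All employees must review and confirm the updated remote work policy "
                        "immediately. Click the link below to sign in and acknowledge.",
                        ["https://corp-hr-covid-update.example/login"]),
        # Legitimate COVID-19 notice from the real HR sender: known identity, known edge.
        "legit_hr": Email("HR Department", "hr@corp.example", "alice@corp.example",
                          "COVID-19 update: office closed this week",
                          "Please see the attached guidance from the county health department."),
        # First contact from an outside vendor with no lure: anomalous sender, benign content.
        "new_vendor": Email("Dana at Supplier", "dana@supplier.example", "alice@corp.example",
                            "Invoice 1042", "Attached is the invoice for March. Thank you."),
    }
    return {name: analyze(base, mail) for name, mail in samples.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The rule in `analyze` is deliberately conservative in the direction the post describes: a new vendor writing for the first time, or the real HR address sending a COVID-19 notice, each trips at most one engine and is delivered, while the impersonation trips all three and is remediated.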
In summary, Abnormal Security's email security platform natively detects and remediates COVID-19 threats for architectural reasons. Abnormal Security has been detecting and remediating these COVID-19 attacks since we first saw them earlier this year. The attacks were detected by 1) the Anomaly Detection Engine, 2) the ABX technology, and 3) threat intelligence and IOCs.
You can read more about how Abnormal enables reporting on COVID-19-related attacks in part three of our three-part blog series.
© 2021 Abnormal Security Corporation.
All rights reserved.