Abnormal Security’s COVID-19 Protection - Abnormal Security

This is part 2 of the 3-part series on COVID-19 and email attacks. Attackers are exploiting the fear and urgency surrounding COVID-19 as employees start shelter-in-place routines. These attacks have never been seen before and are being delivered to employee inboxes. Our 3-part series includes:

  1. Attack landscape: in part one, we discuss the landscape of attacks that are entering mailboxes, the traits of the attacks, and the goal of the attacker.
  2. Abnormal protection measures (this blog): in part two, we discuss the measures taken by the Abnormal Security detection platform to detect and protect against these new types of attack.
  3. Reporting on COVID-19 attacks in the Abnormal portal: in part three, we discuss how customers can see and report on the attacks that Abnormal is detecting and preventing from hitting their employees’ inboxes with newly created filters.

In addition, in our COVID-19 Resources Center, see examples of actual attacks Abnormal Security has detected, along with a deep dive that dissects the attack facets being employed to engender fear, urgency, and engagement with the recipient.

The Attacks

COVID-19 & coronavirus email-based attacks are increasing. Since these attacks are novel and never-before-seen, they’re being delivered to employee inboxes at organizations without advanced email protection, and are receiving high rates of engagement from unsuspecting employees.

Abnormal Security’s email security platform natively detects and remediates these threats because of how our system is built. Abnormal Security has been detecting and remediating these COVID-19 attacks since they began appearing earlier this year. The engine caught these attacks without any changes to the platform, thanks to the following:

  1. Abnormal Security’s Anomaly Detection Engine
  2. Abnormal Security’s ABX Engine — Identity, Behavior, and Content
  3. Threat Intelligence and Indicators of Compromise (IOCs)

In addition, Abnormal Security has instituted additional measures to ensure that these attacks are caught:

  • Our models use these attacks as further training to continue bolstering the detection engine. For example, through this mechanism, our detection systems organically learned the co-occurrence of terms such as “COVID-19” or “corona virus” with attacks.
  • IOC-driven identification: we have built detectors targeted at catching well-known types of COVID-19-inspired attacks. These include:
    • A text-based model that uses a combination of suspicious sender and presence of COVID-19 language in the body such as “Corona Virus” and “COVID”
    • Boosting the attack score of messages from senders that attempt to impersonate organizations known to send COVID-related communications such as the CDC, WHO and the White House.

We are also cognizant of the fact that it is important for employees of organizations to receive legitimate COVID-19-related communications in a timely manner. As a result, in addition to boosting our ability to catch attacks that make use of the COVID-19 crisis, we are also closely monitoring and tweaking our model to minimize the likelihood of blocking legitimate COVID-19 communications.

But let’s go further into how Abnormal Security’s anomaly detection engine works, and why it’s been so effective at stopping COVID-19-related attacks.

Abnormal Security’s Anomaly Detection Engine

At its core, our detection engine learns the normal behavioral patterns of our customers’ email ecosystems. The user and entity behavior analytics (UEBA) engine is trained on good emails within customer organizations, and uses that as a baseline. This enables the engine to detect anomalous activity, especially email attacks that incite fear and urgency while stoking engagement from the recipient. 
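The baseline idea above, combined with the two IOC-driven detectors listed earlier, as an added illustration that is not Abnormal Security’s code. The word list, the organization-to-domain map, the weights, and the sample messages are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Assumed word list, org-to-domain map and weights; the page gives none of these.
COVID_TERMS = re.compile(r"\b(covid(-19)?|corona\s?virus)\b", re.I)
TRUSTED_ORGS = {"cdc": "cdc.gov", "who": "who.int", "white house": "whitehouse.gov"}

def build_baseline(good_messages):
    """Learn the set of sender addresses seen in known-good mail."""
    return {parseaddr(m["from"])[1].lower() for m in good_messages}

def impersonated_org(from_header):
    """Return the org named in the display name when the domain is not that org's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for org, real in TRUSTED_ORGS.items():
        named = re.search(rf"\b{re.escape(org)}\b", name, re.I)
        if named and domain != real and not domain.endswith("." + real):
            return org
    return None

def score(msg, baseline):
    """Return (attack score 0-100, names of the signals that fired) for one message."""
    addr = parseaddr(msg["from"])[1].lower()
    unusual = addr not in baseline
    covid = bool(COVID_TERMS.search(msg["subject"] + " " + msg["body"]))
    org = impersonated_org(msg["from"])
    fired = []
    if unusual:
        fired.append(("unusual_sender", 30))
    if unusual and covid:  # COVID wording only counts when the sender is off-baseline
        fired.append(("covid_language", 30))
    if org:  # boost for display names that borrow a trusted organization's name
        fired.append(("impersonates_" + org, 40))
    return sum(w for _, w in fired), [r for r, _ in fired]

# Constructed sample data; the example.* domains are placeholders.
GOOD = [{"from": "HR Team <hr@corp.example>"}]
INBOX = [
    {"from": "HR Team <hr@corp.example>", "subject": "COVID-19 office policy", "body": "Remote work starts Monday."},
    {"from": "Acme Sales <sales@vendor.example>", "subject": "Q2 invoice", "body": "See attached."},
    {"from": "CDC Health Alert <alert@cdc-gov.example>", "subject": "Coronavirus cases near you", "body": "Sign in to view."},
]

def run():
    """Score the constructed inbox against the baseline learned from GOOD."""
    baseline = build_baseline(GOOD)
    return [score(m, baseline) for m in INBOX]
```

The known HR sender scores 0 even though the message mentions COVID-19, which is the behavior needed to keep legitimate communications flowing. The From header is taken at face value here; a deployment would also weigh SPF, DKIM and DMARC results before trusting a domain match.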

Below is a sample attack showing the Abnormal Detection Engine at work.

Here’s the analysis from the detection engine that explains the remediation. The detection engine analyzed 21K+ signals. The main traits used for the detection were anomalous behaviors in the email: 1) an unusual sender, 2) an attempt to engage, and 3) a suspicious link that is phishing for credentials.

Abnormal Security’s ABX Engine — Identity, Behavior, and Content

The ABX Detection Platform consists of 1) Identity Modeling, 2) a Relationship Graph that models behavior, and 3) Content Analysis. The confluence of these three different engines is required to detect the most sophisticated attacks entering the enterprise ecosystem.

The three components of the ABX platform are displayed in detecting the below email attack.

In the email attack above, the attacker is 1) impersonating the HR department from a different domain and 2) attempting to incite engagement with the link through urgency.

The Identity Engine of the ABX platform detects the anomalous identity of the new sender impersonating the HR department (displayed below).

The Behavioral Engine of the ABX platform detects the anomalous behavior of the sender.

The Content Engine of the ABX platform analyzes the content using Natural Language Processing to detect formality, urgency, and engagement incited by the verbiage.


In summary, Abnormal Security’s email security platform natively detects and remediates COVID-19 threats for a variety of architectural reasons. Abnormal Security has been detecting and remediating these COVID-19 attacks since we first detected them earlier this year. The attacks were detected as a result of 1) Anomaly Detection Engine, 2) The ABX Technology, and 3) Threat Intelligence and IOCs.

You can read more about how Abnormal enables reporting on COVID-19-related attacks in part three of our three-part blog series.