Enhancing Remediation Controls for Unwanted Mail With an API-based Approach

Promotional mail takes many shapes and forms, and every employee within an organization has a different appetite for content.

No one wants to spend several minutes each day sorting through spam messages, but some marketing-oriented content—like webinars or white papers—can be helpful and appropriate during a workday. Plus, a lot of spam messages are somewhat “unknowable”, in that they’re suspicious, deceitful, or predatory, but not inherently harmful.

So how can an organization deploy technology like an integrated cloud email security platform to provide the right level of protection, to the right users, at the right time?

The legacy approach certainly isn’t working. First, secure email gateways (SEGs) don’t integrate tightly with today’s cloud office. Second, they employ a legacy approach to stopping email attacks (including unwanted mail) that is blunt and binary. Emails are simply “good” or “bad”, and employees are responsible for sorting out spam and graymail messages via email digests and summaries.

Further, user preferences are not utilized to adapt protection over time. As a result, employees have to sift through hundreds of messages on a daily basis and mark them as spam or delete the messages to reduce the clutter and focus on relevant messages.

In contrast, the modern approach to limiting spam and graymail leverages business context to apply fine-grained protection.

Abnormal Integrated Cloud Email Security (ICES) derives business context on the organizations we serve from our cloud-native, API-based architecture. This API-based architecture allows us to instantly understand identity, behavior, and content patterns that indicate what departments communicate the most, where employees log in from, the devices they use, which vendors they work with, and more.

When employees move messages into Junk and Promotions folders, our platform gains insight into their specific preferences, including which messages they find valuable and important. Over time, the models learn the user behavior and automate the action of moving the email to the preferred folder, saving valuable time in the day.

Our modern, cloud-native API-based architecture underpins everything we do. It allows us to solve the spam and graymail problem—and any email-related challenge—with a context-rich, fine-grained approach.

To help organizations get ahead of the spam, graymail, and suspicious mail challenge, we offer these capabilities:

Native banners that warn end users of potentially suspicious content

More flexible configuration options for URL watch, which re-writes messages to detonate malicious content

The ability to organize graymail in promotional folders

Due to the wide spectrum of graymail and unwanted mail, effectively managing incoming email requires a context-rich and multi-faceted approach based on the nature of the message. Our approach to protecting organizations from unwanted mail relies on these 4 key principles:

1. Clear-cut attacks should be automatically blocked and quarantined.
2. Promotional marketing emails should be filtered from the inbox and organized into a user-accessible folder.
3. Reconnaissance emails should be marked as suspicious, and end users should be warned.
4. Email trackers should be optionally removed from messages to enhance privacy and security.
   

We use a variety of solutions to provide the right finessed solution required for the respective email issue:

• Automatically blocking clear-cut attacks.
• Continuous protection based on how employees move emails into folders.
• Warning users of suspicious email that doesn’t neatly fit a given category. (Examples include reconnaissance emails that do not have an obvious payload but are used to escalate toward a future attack.)
  

The context-rich, API-driven approach enables us to continuously improve on this protection.

Coming soon, Abnormal users will be able to do the following:

• Remove web trackers embedded in email messages as images
• Send promotional marketing emails to a separate configurable folder

We're excited to announce we're rolling out the ability to warn users of suspicious emails like reconnaissance messages. These messages do not have an obvious payload, but responses can be used to inform a future attack.

To empower users and portal administrators to take the right action when faced with potentially suspicious mail, we provide:

Customizable banners for suspicious messages

The ability to prepend a subject for remediated suspicious messages

Suspicious messages will no longer be present in the Threat Log

However, these messages are still searchable via Search and Respond. This change is focused on helping our core users focus on the more advanced attacks that need their attention in the Threat Log.

To locate suspicious emails, Abnormal users can search for messages in Search and Respond with the prepended suspicious mail subject line they enable for suspicious mail (the example above is External - Suspicious).

We actively and regularly seek feedback from our customers. Based on customer inputs, we are laser-focused on:

1. Continually increasing the efficacy of Abnormal ICES for managing promotional and unwanted mail.
2. Making sure our dashboard empowers analysts to focus on high-priority threats and filter out noise. For example, removing suspicious messages from the Threat Log allows security teams to enjoy the SOC automation capabilities of the platform while not having to actively review the logs.
3. Empower users with a differentiated user experience. Users will now be able to self-serve decisions on the very low volume of suspicious messages.
   

If you have any questions or feedback on this update, please open a case in our Support Portal or email support@abnormalsecurity.com.