Enhancing Remediation Controls for Unwanted Mail With an API-based Approach

The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
June 8, 2022

Promotional mail takes many shapes and forms, and every employee within an organization has a different appetite for content.

No one wants to spend several minutes each day sorting through spam messages, but some marketing-oriented content—like webinars or white papers—can be helpful and appropriate during a workday. Plus, a lot of spam messages are somewhat “unknowable”, in that they’re suspicious, deceitful, or predatory, but not inherently harmful.

So how can an organization deploy technology like an integrated cloud email security platform to provide the right level of protection, to the right users, at the right time?

Why API-Based Architecture Enables Stronger Protection from Attacks

The legacy approach certainly isn’t working. First, secure email gateways (SEGs) don’t integrate tightly with today’s cloud office. Second, they employ a legacy approach to stopping email attacks (including unwanted mail) that is blunt and binary. Emails are simply “good” or “bad”, and employees are responsible for sorting out spam and graymail messages via email digests and summaries.

Further, user preferences are not utilized to adapt protection over time. As a result, employees have to sift through hundreds of messages on a daily basis and mark them as spam or delete the messages to reduce the clutter and focus on relevant messages.

In contrast, the modern approach to limiting spam and graymail leverages business context to apply fine-grained protection.

Abnormal Integrated Cloud Email Security (ICES) derives business context on the organizations we serve from our cloud-native, API-based architecture. This API-based architecture allows us to instantly understand identity, behavior, and content patterns that indicate what departments communicate the most, where employees log in from, the devices they use, which vendors they work with, and more.

When employees move messages into Junk and Promotions folders, our platform gains insight into their specific preferences, including which messages they find valuable and important. Over time, the models learn the user behavior and automate the action of moving the email to the preferred folder, saving valuable time in the day.

Our modern, cloud-native API-based architecture underpins everything we do. It allows us to solve the spam and graymail problem—and any email-related challenge—with a context-rich, fine-grained approach.

To help organizations get ahead of the spam, graymail, and suspicious mail challenge, we offer these capabilities:

Native banners that warn end users of potentially suspicious content

Availability: New this week

More flexible configuration options for URL watch, which re-writes messages to detonate malicious content

Availability: Later this year

The ability to organize graymail in promotional folders

Availability: Today

The Modern Solution to Reduce Clutter and Increase Productivity

Due to the wide spectrum of graymail and unwanted mail, effectively managing incoming email requires a context-rich and multi-faceted approach based on the nature of the message. Our approach to protecting organizations from unwanted mail relies on these 4 key principles:

  1. Clear-cut attacks should be automatically blocked and quarantined.
  2. Promotional marketing emails should be filtered from the inbox and organized into a user-accessible folder.
  3. Reconnaissance emails should be marked as suspicious, and end users should be warned.
  4. Email trackers should be optionally removed from messages to enhance privacy and security.

We apply a different remediation to each type of email issue:

  • Automatically blocking clear-cut attacks.
  • Continuous protection based on how employees move emails into folders.
  • Warning users of suspicious email that doesn’t neatly fit a given category. (Examples include reconnaissance emails that do not have an obvious payload but are used to escalate toward a future attack.)

The context-rich, API-driven approach enables us to continuously improve on this protection.

Coming soon, Abnormal users will be able to do the following:

  • Remove web trackers embedded in email messages as images
  • Send promotional marketing emails to a separate configurable folder

Our Unique Approach to Handling Suspicious Mail

We're excited to announce we're rolling out the ability to warn users of suspicious emails like reconnaissance messages. These messages do not have an obvious payload, but responses can be used to inform a future attack.

To empower users and portal administrators to take the right action when faced with potentially suspicious mail, we provide:

Customizable banners for suspicious messages

Availability: New this week

The ability to prepend a subject for remediated suspicious messages

Availability: New this week

Suspicious messages will no longer be present in the Threat Log

However, these messages are still searchable via Search and Respond. This change is focused on helping our core users focus on the more advanced attacks that need their attention in the Threat Log.

To locate suspicious emails, Abnormal users can search in Search and Respond for the prepended subject line they have enabled for suspicious mail (the example above is External - Suspicious).

Availability: Effective now

Improving Customer Satisfaction, One Feature at a Time

We actively and regularly seek feedback from our customers. Based on customer inputs, we are laser-focused on:

  1. Continually increasing the efficacy of Abnormal ICES for managing promotional and unwanted mail.
  2. Making sure our dashboard empowers analysts to focus on high-priority threats and filter out noise. For example, removing suspicious messages from the Threat Log allows security teams to enjoy the SOC automation capabilities of the platform while not having to actively review the logs.
  3. Empowering users with a differentiated user experience. Users will now be able to self-serve decisions on the very low volume of suspicious messages.

If you have any questions or feedback on this update, please open a case in our Support Portal or email
