
Fall 2023 Product Recap: Enhanced Detection Capabilities Target Quishing and MFA Bypass

Abnormal product enhancements improve detection against quishing and MFA bypass in conjunction with deeper insights, visibility, and data correlation.
November 15, 2023

As Fall swept in, Abnormal didn’t leaf any room for mediocrity. In fact, we released a suite of impactful product enhancements aimed at strengthening our core detection capabilities while providing increased visibility for our customers.

All puns aside for now, these enhancements truly showcase the Abnormal commitment to thwart email and email-like attacks and automate customers’ security operations.

We are excited to review these enhancements and preview our 2024 roadmap during a live webinar on December 5 at 1:00 pm ET. Click here to register!

Can’t wait for the webinar? Continue reading to learn about the specific enhancements we’ve released in the last few months to improve our products.

Improved Protection Against Advanced Attacks

Detecting Malicious QR Code Attacks

Over the past few months, there has been an increasing number of phishing attacks deployed through the use of malicious QR codes. This attack method, also known as “quishing,” makes up approximately 17% of all advanced attacks that bypass native spam/junk filters, according to Abnormal data. Threat actors encode these QR codes with malicious links that often direct to what appears to be a legitimate website, such as a Google or Microsoft login page. Unfortunately, when a victim enters their login credentials, the attacker can steal and use those credentials to launch additional attacks.

To address this threat, Abnormal has updated its defense strategies and released a QR code detector that can extract links from QR codes for further analysis. This detector works with Abnormal behavioral AI detection to provide a powerfully complete solution to the rise of these threats. This enhancement will improve the detection of such attacks, and optimistically, we anticipate a reduced frequency of having to say "quishing" as a result.

Detect the Signs of MFA Bypass in Account Takeover Protection

Recent attacks on government agencies and major corporations have highlighted the ability of threat actors to bypass MFA. The attackers rely on stolen or forged session tokens to gain access to an account while avoiding typical authentication processes. From there, attackers establish persistence through social engineering, convincing IT teams to reset credentials and MFA devices. If the new device is approved, subsequent sessions may appear to be legitimate, making it very difficult to detect when these attacks have occurred.

To help detect and combat these tactics, we have added new signals to our Account Takeover Protection solution. Abnormal can now detect suspicious device registration that could indicate an attacker has manipulated the account and may be attempting to establish persistence. A new, unknown device could be registered to validate MFA requests. When done in conjunction with additional suspicious behaviors, this could indicate an attacker establishing complete control of an account they had initially compromised via session hijacking or another MFA bypass tactic.
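One way to express the correlation described above, as an added example that is not Abnormal's detection logic or code from the original post. The event schema, field names, and the 24-hour window are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed identity-provider events (hypothetical schema, documentation IPs).
EVENTS = [
    {"ts": "2023-11-01T09:00:00", "user": "alice", "type": "sign_in", "ip": "198.51.100.10", "mfa": True},
    {"ts": "2023-11-01T09:10:00", "user": "alice", "type": "mfa_device_registered", "device": "phone-A"},
    {"ts": "2023-11-06T02:14:00", "user": "alice", "type": "sign_in", "ip": "203.0.113.77", "mfa": False},
    {"ts": "2023-11-06T02:40:00", "user": "alice", "type": "mfa_reset"},
    {"ts": "2023-11-06T03:05:00", "user": "alice", "type": "mfa_device_registered", "device": "phone-B"},
    {"ts": "2023-11-03T08:00:00", "user": "bob", "type": "sign_in", "ip": "198.51.100.20", "mfa": True},
    {"ts": "2023-11-03T08:30:00", "user": "bob", "type": "mfa_device_registered", "device": "laptop-B"},
    {"ts": "2023-11-01T10:00:00", "user": "carol", "type": "sign_in", "ip": "198.51.100.30", "mfa": True},
    {"ts": "2023-11-02T23:00:00", "user": "carol", "type": "sign_in", "ip": "203.0.113.9", "mfa": False},
    {"ts": "2023-11-06T12:00:00", "user": "carol", "type": "mfa_device_registered", "device": "tablet-C"},
]

def correlate(events, window=WINDOW):
    """Alert on a new MFA device only when other suspicious signals precede it."""
    known_ips, known_devices, signals = {}, {}, {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        ips = known_ips.setdefault(user, set())
        devices = known_devices.setdefault(user, set())
        recent = signals.setdefault(user, [])
        if ev["type"] == "sign_in":
            # A session from an unfamiliar IP with no MFA challenge is consistent
            # with a reused session token; the first sign-in only sets the baseline.
            if ips and ev["ip"] not in ips and not ev["mfa"]:
                recent.append((ts, "sign-in from unfamiliar IP without MFA challenge"))
            ips.add(ev["ip"])
        elif ev["type"] == "mfa_reset":
            recent.append((ts, "MFA reset by help desk"))
        elif ev["type"] == "mfa_device_registered":
            reasons = [why for when, why in recent if ts - when <= window]
            if ev["device"] not in devices and reasons:
                alerts.append({"user": user, "device": ev["device"],
                               "ts": ev["ts"], "reasons": reasons})
            devices.add(ev["device"])
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A registration with no preceding signal (bob) or with a signal outside the window (carol) stays quiet, which keeps routine device enrollment from generating alerts.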

New Security Posture Events to Help Stop Consent Phishing

Consent phishing attacks occur when a user or an application grants OAuth access. These attacks can bypass email security tools by using legitimate domains or compromised vendors to appear as legitimate requests. If consent is granted, an attacker can breach the organization.

Abnormal Security Posture Management can now surface when a new application has been granted new permissions, when a new user has been added to a mail tenant, and when users are assigned to an application. This enhancement mitigates the risk of an attacker tunneling deeper within an organization by helping uncover when a malicious application may have been granted access.

Deeper Insights, Visibility, and Correlation

Enhanced Explainability in Abnormal Cases

Abnormal deploys AI models to understand each organization and detect malicious activity with high precision. As an AI-native security company, we are dedicated to providing easy-to-understand explanations of why a threat is deemed a threat.

Abnormal Cases lays out a comprehensive timeline of events that led to determining an account has been compromised. Each event is enriched with insights into why a specific activity was considered suspicious. Customers can now gain even deeper visibility into anomalous activity, including detection confidence and why an event triggered a case. This streamlines investigations for customers, whether in the Abnormal Portal or in a SIEM, after exporting case events.

New Integration with CrowdStrike Falcon Insight XDR

Email and endpoint devices remain the most highly-attacked entry points into an organization. Without native connections between email and endpoint security tools, security teams bear the burden of manually correlating signals from multiple security domains.

Thanks to a new integration, CrowdStrike Falcon® Insight XDR customers can now ingest the Abnormal AI-powered signals and data to gain cross-domain visibility from their endpoint, identity, and network security solutions. This provides greater insight into the most sophisticated socially engineered email attacks facing their environment while reducing the time required to triage those attacks.

What’s Next For Abnormal?

Abnormal has some exciting product enhancements lined up to round out 2023, and even more exciting releases planned for 2024. To get a sneak peek at our roadmap, register for our product update webinar on December 5 at 1:00 pm ET. To learn more about what Abnormal can do for you today, request a demo below.
