Fall 2022 Detection Enhancements: BERT, Spam, and D360° Visibility

This quarter, Abnormal launched new features to help security teams enhance detection. Take a deep dive into all of the latest product updates.
November 1, 2022

With the increasing sophistication and uniqueness of inbound email threats, Abnormal's efforts to improve detection efficacy have taken many different paths. During this past quarter, Abnormal integrated two additions into Inbound Email Security: BERT, the large language model (LLM) that improves our ability to assess context, and behavioral learning models that leverage more known-good behaviors to combat burgeoning forms of unwanted mail. In addition, Detection 360°'s ability to communicate remediation and insights into reported emails has improved with faster response times and more transparency.

At our core, Abnormal baselines what normal email interaction looks like in our customer environments by learning the normal behavior of every identity, understanding context, and assessing the risk of every email. Our models work to understand the context within which these identities normally interact, including the frequency and location of typical communication or events. When emails arrive, Abnormal assesses their risk by applying behavioral insight and content and intent analysis that can detect specific threats in our customer email ecosystems.

Here, we take a deeper dive into the most recent enhancements in the Abnormal detection engine, which continue to improve our ability to identify threats and block them from landing in customer inboxes.

Enhancing Our Detection Platform with BERT Large Language Models (LLMs)

BERT, the high-performance large language model (LLM) from Google, applies deep learning to interpret and evaluate text based on context. Abnormal has applied the model's ability to assess and learn words to our detection toolset, training and fine-tuning it on our own unique data sets, with additional models built on top of it.

With payloadless (text-only) schemes being used in BEC attacks more frequently, extracting the context of the email itself helps us reduce false positives (FPs) and understand how permutations of the content may be used to get past email filters.

In the socially engineered email attack example below, a bad actor uses brand impersonation to trick people into giving up personal information via email or phone. Computers and humans often see things quite differently. By making small changes to the spelling of Geek Squad, like Geeks Protect 360, and by including false information, like a randomly generated subscription number and renewal date, this type of email may pass through less robust detection models that don’t recognize these types of permutations as a threat.

[Image: Detection Recap2]

Incorporating the BERT model has made Abnormal’s industry-leading detection faster, more accurate, and more efficient. Because our detection models are now better at identifying permutations and combinations and at understanding the context and intent of these types of inbound text-based emails, customers will not have to engage with as many of these malicious emails.

Improved Spam Detection

To battle the 91% year-over-year increase in the volume of unwanted email we've seen across our customer base, Abnormal's Inbound Email Security now detects twice as many spam messages.

Below is a screenshot showing the type of modern spam our enhanced model will detect and remediate. In this case, an email promoting a fake job opportunity targeting college students is not the type of email that a “University Student” is likely to respond to, but it’s still a nuisance.

[Image: Detection Recap3]

Our enhanced detection model leverages behavioral intelligence that identifies more known-good behaviors to suss out abnormalities that indicate spam. Existing customers are already benefiting from enhanced spam detection and will find additional spam emails in the Threat Log. While preventing modern forms of spam from landing in your primary inbox continues to be a challenge, leveraging advanced behavioral AI to effectively filter out this proliferation of newer spam can help you and your team gain back productivity.

More Transparency and Improved UX in D360°

Abnormal’s Detection 360° also received many improvements this past quarter. A new REST API endpoint allows developers to extract case report information from Detection 360° and the corresponding details for each submitted case (including report summaries, statuses, message analyses, and more). In addition, customers will now enjoy improved visibility that helps reduce response time and increase the transparency of the response to case reports.

In the new interface, customers can now see more in-depth insights and information on a submitted case.

[Image: Detection Recap1]

The new UI provides more detailed Analysis and Insights and an updated timeline view, and it adds campaign and remediation status updates.

As cases are tagged with the attack type identified, our attack catalogue can provide more information about the type of attack, why it was missed, what steps were taken to remediate it, and what additional steps will be taken to remediate such attacks in the future.

This improved visibility and transparency helps customers get cases addressed and resolved more quickly while also accelerating our ability to patch our detection models.

To learn more about Inbound Email Security and our unique approach to threat detection, visit our solutions page.

Want to see Abnormal in action? Request a personalized demo today.
