Uncompromising: How Abnormal Detected and Stopped a Complex Case of Account Compromise
Recent research revealed that 83% of organizations have been impacted by an account takeover in the past year, so it comes as no surprise that security leaders note account compromise as their primary concern. As attack tactics used to compromise accounts increase in sophistication, this is a concern that will likely remain at the top of the priority list.
Abnormal aims to alleviate the anxiety that account takeovers invite by using human behavior AI to detect and stop instances of compromise by analyzing notable and suspicious user activity that deviates from “normal” behavior. These attacks may be novel, including no known indicators of compromise (IOCs), making them exceedingly difficult to detect.
To demonstrate the value of Abnormal’s account takeover protection, let’s unpack a recent attack that we detected in the environment of an organization currently running an Abnormal proof of concept. Had this organization already been an active customer, the initial attack tactic—a credential compromise phishing email—would have been instantly remediated. In proof of concepts, however, remediation is typically not configured, allowing us, in this case, to follow the attacker’s path through the entire breach attempt.
Scraping Credentials and Token Theft
Roughly 1 in 5 data breaches are caused by stolen or otherwise compromised credentials, and this attack falls squarely in that bucket. Like many account takeovers, the first step of this attacker was to send an ostensibly legitimate email from a partner organization. This email purported to include an attached funding proposal for the upcoming quarter.
In actuality, if the recipient were to click on the link to the attachment, they would be taken to a spoofed Microsoft login page. In this case, the email recipient was duped into visiting this page and entering their credentials, falling victim to the attack.
But this was not the only step the attacker took to compromise the account. While many threat actors in recent attacks have opted to purchase and deploy as-a-service phishing kits designed to proxy users to legitimate Microsoft login pages, capture credentials, and steal session tokens to help bypass MFA, this attack seemed more traditional—the Microsoft landing page was a fake page built on Webflow to appear real. This means the attacker likely did not have the ability to bypass MFA…at least not through this email.
But if we take a look at one of the events analyzed in the Case automatically built by Abnormal’s Account Takeover Protection solution, we can see that the attacker used saved MFA credentials to gain access. This is indicative of session hijacking, meaning the attacker had been able to steal authentication tokens—likely through adversary-in-the-middle tactics or even purchasing tokens on the dark web for pennies on the dollar.
Internal Phishing and Malicious App Integration
The attacker then registered a new MFA device, cementing persistent access to the account.
The second phase of the attack then commenced: attempting to compromise additional employee accounts and exfiltrating sensitive data.
This two-pronged goal played out through the Abnormal Case timeline and Abnormal’s AppBase Knowledge Base, which provides an inventory of all applications integrated into a customer’s cloud email environment and thereby surfaces shady applications. In this case, the shady application was PerfectData Software, an app that has been linked to a string of attacks beginning in 2023, all centered around email data exfiltration. This is not a great sign.
Worse still is what the attacker did next. As evidenced in the Case timeline, the attacker sent a massive internal email burst to 3,112 employees. This campaign implored recipients to click a link that would lead to another fake Microsoft login page hosted on Webflow, no doubt with the goal of compromising additional accounts.
At this point, Abnormal informed the organization of the attack as part of the proof of concept. While the email (or the subsequent account takeover, had it gotten this far in a live customer environment) would have been automatically remediated, we can see that this organization took manual action to stop the attack and delete a mail filter rule the attacker had created to hide the campaign from the account owner.
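The attack chain above (remembered-MFA sign-in from an unseen device, new MFA device registration, consent to an uninventoried app, a mass internal send, and an inbox rule that deletes mail) is exactly the kind of per-user deviation a behavioral baseline can correlate into a case. The following is an added example, not Abnormal’s code or data: the audit events, the baseline cutoff, and the approved-app inventory are all constructed, and the field names are assumptions rather than any real log schema.

```python
from collections import defaultdict

# Constructed audit events modelled on the case above (not real telemetry).
# Day 1 and 2 are the user's normal activity; day 3 is the attack chain.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "jdoe", "type": "SignIn", "device": "laptop-01", "mfa": "prompted"},
    {"ts": "2024-05-01T09:10:00", "user": "jdoe", "type": "MailSent", "internal_recipients": 4},
    {"ts": "2024-05-02T09:05:00", "user": "jdoe", "type": "SignIn", "device": "laptop-01", "mfa": "prompted"},
    {"ts": "2024-05-02T14:00:00", "user": "jdoe", "type": "MailSent", "internal_recipients": 6},
    {"ts": "2024-05-03T03:11:00", "user": "jdoe", "type": "SignIn", "device": "unknown-7f3a", "mfa": "remembered"},
    {"ts": "2024-05-03T03:15:00", "user": "jdoe", "type": "MfaDeviceRegistered", "device": "unknown-7f3a"},
    {"ts": "2024-05-03T03:20:00", "user": "jdoe", "type": "AppConsent", "app": "PerfectData Software"},
    {"ts": "2024-05-03T03:40:00", "user": "jdoe", "type": "MailSent", "internal_recipients": 3112},
    {"ts": "2024-05-03T03:41:00", "user": "jdoe", "type": "InboxRuleCreated", "action": "delete"},
]
APPROVED_APPS = {"Outlook", "Teams"}  # constructed app inventory; PerfectData Software is absent

def build_baseline(events, cutoff):
    """Per-user known sign-in devices and largest internal send seen before the cutoff."""
    base = defaultdict(lambda: {"devices": set(), "max_recipients": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["user"]]
        if e["type"] == "SignIn":
            b["devices"].add(e["device"])
        elif e["type"] == "MailSent":
            b["max_recipients"] = max(b["max_recipients"], e["internal_recipients"])
    return base

def detect(events, cutoff):
    """Correlate post-cutoff deviations per user; a case needs at least two findings."""
    base = build_baseline(events, cutoff)
    cases = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            continue
        b, f = base[e["user"]], cases[e["user"]]
        if e["type"] == "SignIn" and e["device"] not in b["devices"] and e["mfa"] == "remembered":
            f.append("remembered-MFA sign-in from unseen device (possible stolen session token)")
        elif e["type"] == "MfaDeviceRegistered":
            f.append("new MFA device registered (persistence)")
        elif e["type"] == "AppConsent" and e["app"] not in APPROVED_APPS:
            f.append(f"consent to uninventoried app {e['app']} (exfiltration risk)")
        elif e["type"] == "MailSent" and e["internal_recipients"] > 10 * max(b["max_recipients"], 1):
            f.append(f"internal send burst to {e['internal_recipients']} recipients (lateral phishing)")
        elif e["type"] == "InboxRuleCreated" and e.get("action") == "delete":
            f.append("inbox rule deleting mail (hides replies and alerts from the account owner)")
    return {u: f for u, f in cases.items() if len(f) >= 2}
```

Requiring two or more correlated findings keeps a lone anomaly (a new laptop, a large all-hands email) from opening a case on its own, which is the difference between a behavioral baseline and a single-indicator rule.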
How Abnormal Stops These Advanced Attacks
Aside from an unusual relationship between the sender and the recipient of the initial phishing email, there were very few clear, previously known IOCs in this attack. In fact, if we consider that this was a large organization with a complex security stack, and it still could not detect and stop this account takeover without Abnormal, we’re left wondering one thing: why?
Simply put, there is a lack of behavioral analysis. Abnormal is uniquely able to stop these sophisticated email attacks and advanced account compromise tactics due to its Human Behavior AI. While Abnormal’s detection models are trained on known IOCs, they also build a bespoke behavioral baseline for every customer, understanding what “normal” behavior looks like. From here, by analyzing each deviation from this baseline and determining whether this is legitimate activity or a malicious anomaly, Abnormal knows when a threat is present—regardless of whether the attacker is known or never-before-seen.
This account takeover protection is not limited to email, because attackers are not limited to email either. Abnormal can integrate with your day-to-day applications and cloud infrastructure platforms such as Okta, Salesforce, ServiceNow, AWS, Workday, and more, giving you greater visibility and control across the cloud environment.
Interested in learning how you can protect your organization from account takeovers? Schedule your demo today.