Uncompromising: How Abnormal Detected and Stopped a Complex Case of Account Compromise

Discover how Abnormal helped one organization detect the sophisticated tactics an attacker used to compromise an employee's email account.
May 28, 2024

Recent research revealed that 83% of organizations have been impacted by an account takeover in the past year, so it comes as no surprise that security leaders note account compromise as their primary concern. As attack tactics used to compromise accounts increase in sophistication, this is a concern that will likely remain at the top of the priority list.

Abnormal aims to alleviate the anxiety that account takeovers invite by using human behavior AI to detect and stop instances of compromise by analyzing notable and suspicious user activity that deviates from “normal” behavior. These attacks may be novel, including no known indicators of compromise (IOCs), making them exceedingly difficult to detect.

To demonstrate the value of Abnormal’s account takeover protection, let’s unpack a recent attack that we detected in the environment of an organization currently running an Abnormal proof of concept. Had this organization already been an active customer, the initial attack tactic—a credential compromise phishing email—would have been instantly remediated. In proof of concepts, however, remediation is typically not configured, allowing us, in this case, to follow the attacker’s path through the entire breach attempt.

Scraping Credentials and Token Theft

Roughly 1 in 5 data breaches are caused by stolen or otherwise compromised credentials, and this attack falls squarely in that bucket. Like many account takeovers, the first step of this attacker was to send an ostensibly legitimate email from a partner organization. This email purported to include an attached funding proposal for the upcoming quarter.

ATO Attack Blog 1 Email E

In actuality, if the recipient were to click on the link to the attachment, they would be taken to a spoofed Microsoft login page. In this case, the email recipient was duped into visiting this page and entering their credentials, falling victim to the attack.

But this was not the only step the attacker took to compromise the account. While many threat actors in recent attacks have opted to purchase and deploy as-a-service phishing kits designed to proxy users to legitimate Microsoft login pages, capture credentials, and steal session tokens to help bypass MFA, this attack seemed more traditional—the Microsoft landing page was a fake page built on Webflow to appear real. This means the attacker likely did not have the ability to bypass MFA…at least not through this email.

ATO Attack Blog 2 Suspicious Sign in E

But if we take a look at one of the events analyzed in the Case automatically built by Abnormal’s Account Takeover Protection solution, we can see that the attacker used saved MFA credentials to gain access. This is indicative of session hijacking, meaning the attacker had been able to steal authentication tokens—likely through adversary-in-the-middle tactics or even purchasing tokens on the dark web for pennies on the dollar.

Internal Phishing and Malicious App Integration

The attacker then registered a new MFA device, cementing persistent access to the account.

ATO Attack Blog 3 Audit Log Activity E

The second phase of the attack then commenced: attempting to compromise additional employee accounts and exfiltrating sensitive data.

ATO Attack Blog 4 App Details E

This two-pronged goal played out through the Abnormal Case timeline and Abnormal’s AppBase Knowledge Base, which provides an inventory of all applications integrated into a customer’s cloud email environment—shedding light on shady applications. In this case, the shady application was PerfectData Software, an app that has been linked to a string of attacks beginning in 2023, all centered around email data exfiltration. This is not a great sign.

ATO Attack Blog 5 Case Timeline E

Worse still is what the attacker did next. As evidenced in the Case timeline, the attacker sent a massive internal email burst to 3,112 employees. This campaign implored recipients to click a link that would lead to another fake Microsoft login page hosted on Webflow, no doubt with the goal of compromising additional accounts.

At this point, Abnormal informed the organization of the attack as part of the proof of concept. While the email (or subsequent account takeover had it gotten this far in a live customer environment) would have been automatically remediated, we can see that this organization took manual action to stop the attack and delete a mail filter rule created by the attacker to obfuscate it.

ATO Attack Blog 6 Timeline E

How Abnormal Stops These Advanced Attacks

Aside from an unusual relationship between the sender and the recipient of the initial phishing email, there were very few clear, previously-known IOCs in this attack. In fact, if we consider that this was a large organization with a complex security stack, and they still could not detect and stop this account takeover without Abnormal, we’re left wondering one thing: why?

Simply put, there is a lack of behavioral analysis. Abnormal is uniquely able to stop these sophisticated email attacks and advanced account compromise tactics due to its Human Behavior AI. While Abnormal’s detection models are trained on known IOCs, they also build a bespoke behavioral baseline for every customer, understanding what “normal” behavior looks like. From here, by analyzing each deviation from this baseline and determining whether this is legitimate activity or a malicious anomaly, Abnormal knows when a threat is present—regardless of whether the attacker is known or never-before-seen.

This account takeover protection is not limited to email since neither are attackers. Abnormal can integrate with your day-to-day applications and cloud infrastructure platforms such as Okta, Salesforce, ServiceNow, AWS, Workday, and more, giving you greater visibility and control across the cloud environment.

Interested in learning how you can protect your organization from account takeovers? Schedule your demo today.

Schedule a Demo
Uncompromising: How Abnormal Detected and Stopped a Complex Case of Account Compromise

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More
B State and Local Government Attack Trends
Advanced attacks targeting state and local governments are increasing. Discover what our research revealed about this alarming trend.
Read More
B Examining Employee Engagement with Email Attacks
Cybercriminals know that humans are your enterprise's biggest vulnerability and are successfully engaging with your employees at an alarming rate.
Read More
Explore how Abnormal’s AI Security Mailbox enhances cybersecurity by engaging and educating employees with personalized GenAI responses. Improve security awareness and streamline operations.
Read More
B Q2 2024 Attacks
In the second installment of our quarterly look-back at malicious emails, we examine 5 more recent noteworthy attacks detected and stopped by Abnormal.
Read More