Defense in Depth: Using Microsoft and Abnormal for Email Security

In mid-November, Abnormal hosted a webinar with Microsoft titled Securing Your Microsoft Environment from Socially-Engineered Attacks. During the webinar, Stefanie Jacobs from Microsoft spoke about identity and privacy, and how Microsoft works with Abnormal to provide a defense-in-depth approach to email security. You can view parts of the transcript below.

Stefanie: Before we jump into modern threats, I think it’s important to set the stage ​​since email has been around. Since email existed, threat actors targeted email users with malicious messages, general spam, and different ways to take advantage of the platform. Then of course, more dangerous attacks started to come up… things like malware and other viruses.

Business email compromise certainly is one of the ones that we see growing over time. At Microsoft, we started to look at them and block these unknown previously unseen threats. Unfortunately, those threat actors are innovating at a very similar pace to us and business email compromise remains sadly on the rise, even before we could have known the impact that the pandemic would have on remote working and security.

So when we then look at a BEC email, you can probably immediately spot what I'm talking about. Here in this particular email, a person that claims to be the CEO of this organization is asking the email recipient Patty to do something for him. There are no links or attachments to scan, but the goal of this email is very likely to get Patty to complete this wire transfer to a fake vendor, or perhaps provide access to an internal system or database. So threat actors are using the remote work environment and traditional elements like fear and urgency. Those tactics really encourage users to take those actions and send them money or provide access to those more sensitive resources or databases.

Dan: Stefanie, thank you so much for the input and that really aligns with what we have been seeing more broadly in the industry as a whole. If you take a look at the data from the FBI Internet Crime Complaint Center, what we've seen over time is that these attacks are becoming more and more prevalent and more and more organizations are falling for them. This alone cost $1.8 billion in 2020. People are responding directly to financial requests, they're updating bank account details, and things like that. But ultimately what we're seeing is that the threat landscape has definitely changed.

Attackers are more and more crafty and they're leveraging different techniques. And at the end of the day, these attacks are getting past other email security solutions. The reason why we work so well with Microsoft is that we have this really powerful ability to use complementary detection to deal with things like text-only social engineering attacks, threats that use never-before-seen URLs or attachments, or even those that abuse legitimate content platforms. From a broader trend perspective, a lot of these threats also originate from compromised vendors or partners that you do business with. And so we see a lot of fraud happening from an invoice perspective that would originate from third-parties that have been compromised, and aren't necessarily internal to your organization.

Stefanie: These numbers are shocking and I think it’s important to remember that not everything is reported and not everything is made known to the wider market. And this doesn’t take into account the loss of trust and reputation that occurs when a large attack like this is successful.

Stefanie: Let's be honest, we all have good and bad days—days where we are more switched on or alert or present with what we're doing and how we're doing it. And we all have bad days. And I think it's really important again, to highlight that there's absolutely a way for us all to get together and stop these attacks, but it does take a multi-layered approach. And I used to make this joke about Swiss cheese, right? One slice will have holes in it, but as you keep adding more slices to your sandwich, you stop seeing the bread underneath. And this is really where we want to get to in your security.

First of all, organizations should implement security awareness training. So your users are always looking for those attacks. Our Defender for Office 365, for example, has a very mature attack simulation functionality, to help with targeted training and control, so that’s one way to ensure that your users are aware of the threat. And secondly, internal processes need to be adjusted for remote work scenarios and the handling of specific high-impact business transactions. Like you have to make this mandatory phone call before you kick off a wire transfer, right? Absolutely make these things mandatory.

But neither one of things alone will stop all the attacks. And I think it's really important that organizations are always prepared to block these attacks by looking for the next best thing, but implementing further measures in addition to what you may already be doing today, no matter which on-premises or cloud service productivity toolset you may be using. And I really don't judge you, we are all in this together to make sure that we're all working towards a better word for us, for our family, for our children, our customers and partners, like I'm a firm believer, and this is my tagline, more is more when it comes to security.

When you think about what Microsoft is doing, innovation is at the heart of it. We recently renamed our Advanced Threat Protection capabilities to Defender for Office 365 (MDO), which is conceived to complement Exchange Online Protection. When we see suspicious email signatures that use known threats, we block them. And MDO brings more advanced machine learning capabilities to it within a sandbox environment so we know what is happening before we release it to the end user. But again, if there’s nothing to scan—no link or attachment—this becomes really difficult. Microsoft sees about 8.3 trillion signals every day… and just think about that for a moment: 8.3 trillion signals. Most organizations out there talk in the millions, maybe the billions.

But the trillion is just so much more than anyone else sees and we see that not just from Office 365 or Azure or someone modifying a file or uploading something into SharePoint. We also see our consumer activities like Hotmail and Outlook.com and of course our gamers with Xbox. What Defender for Office 365 does in addition to protecting these types of things from email is to also continuously validate content in SharePoint and OneDrive and also instant messages through Teams for retroactive and continuous protection.

But as we're looking at the Swiss cheese model, one more time—as you're thinking about adding additional layers to your sandwich, such as the ones that are provided by Abnormal Security—this can only be beneficial to you.

Dan: Thank you so much, Stephanie. As we dig into more of the Abnormal area here, it’s important to really understand that we really complement Microsoft security to better protect the Microsoft environment. We sit at the mailbox and we provide this level of anomaly detection, but applied strictly to the email channel.

What we're doing is coming in behind the scenes and we're deeply understanding organizational context, both individual and organization wide, to understand the message context. Would we expect this particular person to reach out to this person at your organization? Would we expect this type of request? Does this person typically work from that location? And so ultimately what we see is that while Microsoft does a great job at protecting against a number of types of unwanted and malicious email use cases, we bring this additional capability to protect against the hardest-to-detect attacks.

That's detailed on the right hand side here, where first we're starting with profiling and understanding what is good and normal about an organization. We deeply understand organizational and individual context so that we can deliver behavioral based spam and graymail protection, and especially focusing on those areas that would probably be called business email compromise, but that would include all of its various flavors.

Like Stefanie mentioned, the whole name of the game here is to deliver defense in depth. We want to complement what is already being delivered by Microsoft and the great solutions that they offer. And then layer on the capability that we have to deeply understand organizational context, and then identify anomalies and email communications that are indicative of attack. And so what we end up seeing here is that as Abnormal Security performs its analysis, the first thing that we do upon integration is first and foremost, we're going to start profiling and modeling known good behaviors. We start a lookback and the whole point of this is really to identify who are the internal employees and ask questions like: Are they a VIP? What department do they work in? Who do they report to? Who are they typically communicating with? What is the typical communication cadence among those relationships?

And then we go from there and also understand the content of the message. So not just that identity and that relationship, but then also the content of the message. And that's when we talk about that idea of understanding what types of messages are being sent, and the whole point is to understand, again, what does normal look like? We go through and look at the messages and identify deviations from normal behavior. What we do is as we profile and understand what is normal and what is good, we are able to identify anomalies.

So as we kind of continue on and talk about how we stop these social engineering attacks, it's really again about baselining and understanding what is normal, and then applying this behavioral technology to identify anomalies where, with an update of signals that we get access to from Microsoft, we have the ability to identify these anomalies that would indicate attack and explain those in a way that becomes very, very confident. That avoids false positives and we actually have a very low false-positive rate. But most importantly this also avoids a lot of false negatives.

We do a great job at identifying threats, but because we are not perfect, we want to make sure that we can also help with and understand what happens when a false negative sits in the user's inbox, they identify it as suspicious, and they report it. We want to make sure that we can automatically investigate and remediate those. Anytime we come across an event, we want to make that very explainable and digestible for any security analysts. And even for end users, depending on the way that you want us to set up and deal with threats that we detect.

And then finally, we want to make sure that we can integrate our solutions and our insights with other capabilities that exist from the security team. We do a lot of work not only to serve as a source of alerts, a source of threat intelligence in many cases to other security platforms, but we also make sure that our platform is entirely manageable and usable within other third-party programs and applications. As a result, we can provide this very holistic story that is very low touch and low maintenance from an administrative perspective, but at the end of the day to a great degree of precision identifies and remediates real threats and avoids risk for the organization.

As the webinar continued, Stefanie and Dan provided additional insight into how Abnormal works directly with Microsoft to provide advanced protection against business email compromise and other socially-engineered attacks. Dan also explained how with native Microsoft security and Abnormal, customers have the option to remove the secure email gateway layer, since SEGs remove native Microsoft capabilities in order to work.

Regardless of the way Abnormal customers configure their environments, with Microsoft or Google, with or without a secure email gateway, for one hundred users or one hundred thousand, Abnormal is here to provide an additional layer of protection against those most dangerous attacks. As Stefanie mentioned, security is truly like Swiss cheese—we must all have multiple layers to prevent any holes from being exploited.

To learn more about how Abnormal works with Microsoft environments, watch the full webinar, featuring a product overview by Dan.