Spring 2022 Product Release: Enhanced AI, RBAC, and Lateral Attack Detection

Attackers never stop innovating their techniques, but Abnormal is just as relentless about preventing the attacks that matter most. That’s why every quarter, we introduce numerous enhancements to Abnormal Inbound Email Security.

The new features are broad and far-reaching, but they are all focused on helping the organizations that use Abnormal achieve three big outcomes:

1. Preventing all email attacks with the highest efficacy.

2. Simplifying email security.

3. Streamlining operations to increase productivity.

• We improved our detection models for a set of lateral attacks impacting the education sector by 27% and reduced false positives in our graymail detection models by 22.5%.

• This quarter, Abnormal enhanced Role-Based Access Control (RBAC) within the portal. Now, organizations can limit which Abnormal users have access to view email content, and all user activities are detailed in an audit log, which provides a detailed record of any action taken by any Abnormal user.

• And in the spirit of Explainable AI, we added more attributes and details to the attack descriptions of the emails that Abnormal categorizes as malware, giving analysts quick and simple visibility into why our detection engine flagged them as malicious.

Keep reading to learn more about what’s new in this product release!

The Abnormal platform uses behavioral AI to block business email compromise attacks, supply chain fraud, ransomware, spam, and more. Our API-based solution directly integrates with your cloud email platform, where it instantly begins baselining known good behavior and detecting anomalies. By understanding what is normal, Abnormal can block the malicious and unwanted emails that are text-based, lack attack signatures, and originate from the inside of your organization which often bypass legacy secure email gateways (SEGs) and cloud email providers.

This includes hard-to-detect attacks like lateral attacks, which have been cropping up more often in the education sector.

In this environment, students don't usually receive corporate security training, and there are often tens of thousands of dormant accounts. Once an attacker secures a set of credentials they can use the compromised account to scam hundreds or thousands of other students or employees. SEGs usually can't detect these attacks at all.

Common lateral attacks we’ve observed lately in the education sector include fake job postings and spoofed administrator requests. Here’s an example:

This quarter, we enhanced our natural language processing (NLP)/natural language understanding (NLU) models to better detect lateral, internal-to-internal attacks and improved detection efficacy by 27%.

Graymail is a distraction and time-drain on employees, and it takes an estimated five seconds per email to review and categorize. But everyone’s preferences for which emails they want to receive are different—"One man's spam is another's ham." When an organization deploys Abnormal, the solution observes and learns how employees interact with email messages, including which folders they sort email into. It then creates personal safelists and blocklists for each user that customize spam and graymail protection per user.

This quarter, we used signals from user interactions (e.g., folder moves) to tune our graymail detection model, with a focus on common automated emails that users were dragging back into their inboxes, like event confirmations and receipts. In doing so, we reduced false positives in our graymail detection models by 22.5%.

The average organization now has 76 different security-focused tools to manage. SEGs are hard to use, operationally burdensome, and built for the on-premise era, not the cloud. To put it plainly, security teams are dealing with way too much complexity, and SEGs should be the first legacy tool to go.

Abnormal aims to help our customers simplify email security architecture and eliminate the need for a SEG by making Abnormal simple to deploy and integrate with your existing infrastructure. To that end, in addition to introducing SSO support for OneLogin users, we expanded RBAC capabilities so administrators can better control who has access to view email message content in the dashboard. Email content is now hidden by default, and users must explicitly acknowledge that they are viewing email content every time they click on a message.

Also, we enhanced the portal audit log to provide visibility into Abnormal user activity, so you’ll have a record of the actions that any users took inside the dashboard—including viewing emails.

Abnormal helps security teams, messaging teams, and employees save time on inbox management and focus on work that matters.

It should be fast and easy to understand why Abnormal flags any given email as an attack. So this quarter, we added more attributes to the information we offer on attachments in the Threat Log. Now analysts can quickly see why an email was flagged as malicious with details like MD5 hash, SHA1, file name, and file format surfaced directly on the attack card.

Abuse Mailbox allows analysts to review and remediate user-reported emails 80% faster than traditional solutions. Those efficiencies have only increased with one exciting new, highly requested capability: automated responses to Abuse Mailbox reports.

Customers can now go into Abuse Mailbox settings, customize sender information and email templates as well as test and enable responses—directly within the portal. Customers can benefit from improved control and customization for their Abuse Mailbox templates at any time and without submitting a support ticket

Finally, Detection 360 is the primary way customers interact with Abnormal on false positives and false negatives, helping Abnormal’s detection get better every day. When you submit missed attacks or false positives, a dedicated team of experts investigates them to fix the incident, improve detection efficacy, and provide you with a summary of the steps taken. The faster our team responds to you and corrects the issue, the faster your security team can move on to proactively stop the next attack.

This quarter, we made internal process improvements, allowing us to automate 50% of responses to customer-reported false positives.

We hope you and your teams find value in the latest enhancements to Abnormal Inbound Email Security! Our team is committed to continuously improving and constantly innovating to strengthen our detection capabilities and expand our product features. Working together with our customers, we can provide the highest level of protection against all email threats and prevent the attacks that matter most.

If you’re a current customer who would like to request a new feature or provide feedback, please reach out to your Abnormal customer success representative.

Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.