Winter 2023 Detection Enhancement Recap: Clearing the Way for Safer Cloud Email

This winter, Abnormal improved its detection efficacy by leveraging aggregate signals, providing better visibility in D360, blocking calendar spam, and more.
February 3, 2023

This winter, Abnormal has turned up the heat on those chilling email threats lurking in and around your email platform. Our latest detection improvements are like a giant snowplow clearing the way for safer and more secure email platforms. To improve detection efficacy and flush those threats out, we’ve enhanced our email parsing to detect and block calendar spam bombing campaigns, leveraged more aggregate signals to detect anomalies, and provided customers better visibility on reported D360 tickets.

As we wrap up our quarter, here’s a quick review of all the ways we improved the platform for our customers over the past three months.

Aggregate Detection Signals

During the past quarter, we shipped multiple enhancements that help detect anomalies and improve our detection models in the aggregate.

To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals at the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals measure how often a user sends document-sharing links and how often recipients receive links to uncommon file-sharing domains, which helps identify suspicious file-sharing behavior.
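An added example (not Abnormal's code) of the two aggregate file-sharing signals described above: a per-sender rate of messages carrying file-sharing links, and a per-recipient flag for file-sharing domains that are rare org-wide. The message sample and the list of file-sharing host suffixes are constructed for the example.

```python
import re
from collections import Counter

# File-sharing hosts in scope (constructed list; matched on a dot boundary).
FILE_SHARE_SUFFIXES = ("sharepoint.com", "docusign.net", "1drv.ms", "share-files.example")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.I)

# Constructed message sample: (sender, recipient, body).
MESSAGES = [
    ("alice@corp.example", "bob@corp.example", "Q1 deck https://corp-my.sharepoint.com/p/a"),
    ("alice@corp.example", "cy@corp.example", "minutes attached, no link"),
    ("alice@corp.example", "dee@corp.example", "https://corp-my.sharepoint.com/p/b"),
    ("eve@corp.example", "bob@corp.example", "sign https://na3.docusign.net/s/1"),
    ("eve@corp.example", "cy@corp.example", "sign https://na3.docusign.net/s/2"),
    ("eve@corp.example", "dee@corp.example", "sign https://na3.docusign.net/s/3"),
    ("eve@corp.example", "fay@corp.example", "sign https://na3.docusign.net/s/4"),
    ("mal@corp.example", "bob@corp.example", "invoice https://cdn.share-files.example/v/9f"),
]

def share_domains(body):
    """Hosts in `body` that belong to a known file-sharing service."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    return {h for h in hosts
            if any(h == s or h.endswith("." + s) for s in FILE_SHARE_SUFFIXES)}

def sender_share_rate(messages):
    """Per-sender fraction of messages carrying at least one file-sharing link."""
    total, with_link = Counter(), Counter()
    for sender, _, body in messages:
        total[sender] += 1
        with_link[sender] += bool(share_domains(body))
    return {s: with_link[s] / total[s] for s in total}

def uncommon_domain_deliveries(messages, min_seen=2):
    """(recipient, domain, sender) triples where the file-sharing domain appears in
    fewer than `min_seen` messages org-wide: the recipient-level rarity signal."""
    seen = Counter(d for _, _, body in messages for d in share_domains(body))
    return [(r, d, s) for s, r, body in messages
            for d in share_domains(body) if seen[d] < min_seen]
```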

But this isn’t the only improvement, as threat actors are constantly shifting their tactics to increase their success rate. To that end, we’ve seen attackers use image anchors (images that link out) to carry malicious links. The updated detection model better identifies images correlated with these types of hidden malicious payloads.

Hijacked Thread Detection

To assist with detecting hijacked thread attacks, Abnormal enhanced the text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. These hijacked conversations are particularly dangerous because they generate high engagement from email recipients based on the established trust from previous interactions with the email thread.

To carry out this type of attack, the attacker typically gains access to one of the email accounts, which then enables them to view all emails in the inbox. From there, they can identify high-value conversations and insert themselves into the thread at the appropriate moment. The hijacker may attempt invoice or financial fraud, or add a malicious link, potentially containing malware such as QakBot, as shown here.

[Screenshot: example of a hijacked email thread carrying a malicious link]

With this new attribute, Abnormal is better able to detect and remediate hijacked conversations in the email platform. This greatly reduces the number of hijacked threads that reach customers, which, prior to this update, recipients would often encounter and interact with.

Lateral Burst Detection

A key distinction of Abnormal Security’s detection efficacy is the ability to detect lateral east-west traffic, or messages that are sent between internal employees inside of their email platform. With new lateral burst detection, Abnormal can now detect bursty patterns where an anomalous number of messages are sent from an account in a short period of time. This signal is used to help detect attacks sent from internally compromised accounts to others—both internally and externally.
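An added example (not Abnormal's code) of the lateral burst signal described above: a sliding-window count of sends per account, compared against a per-sender baseline learned from history. The send log, the baseline rates, and the threshold rule (the larger of a fixed floor and a multiple of the baseline) are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed send log: (epoch seconds, sender, recipient). "pat" is a
# compromised internal account bursting to internal and external recipients.
SEND_LOG = [(0, "ann@corp.example", "bob@corp.example"),
            (900, "ann@corp.example", "cy@corp.example"),
            (2400, "ann@corp.example", "dee@corp.example")]
SEND_LOG += [(5000 + 6 * i, "pat@corp.example",
              f"user{i}@{'corp.example' if i % 2 else 'ext.example'}")
             for i in range(15)]

# Typical sends per 5-minute window per sender (constructed baseline).
BASELINE_PER_WINDOW = {"ann@corp.example": 1.0, "pat@corp.example": 1.5}

def max_window_count(timestamps, window):
    """Largest number of sends inside any sliding window of `window` seconds.
    Two-pointer scan over sorted timestamps; returns (count, window_start)."""
    ts = sorted(timestamps)
    best, start, lo = 0, None, 0
    for hi, t in enumerate(ts):
        while ts[lo] < t - window + 1:   # drop sends that fell out of the window
            lo += 1
        if hi - lo + 1 > best:
            best, start = hi - lo + 1, ts[lo]
    return best, start

def detect_bursts(log, window=300, baseline=BASELINE_PER_WINDOW, factor=4, floor=8):
    """Flag senders whose peak window count exceeds max(floor, factor * baseline)."""
    by_sender = defaultdict(list)
    for t, sender, _ in log:
        by_sender[sender].append(t)
    alerts = {}
    for sender, ts in by_sender.items():
        count, start = max_window_count(ts, window)
        threshold = max(floor, factor * baseline.get(sender, 1.0))
        if count > threshold:
            alerts[sender] = {"count": count, "window_start": start, "threshold": threshold}
    return alerts
```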

Spam Calendar Bombing Campaigns

Another attack type increasing in frequency is the calendar spam bombing campaign, characterized by unwanted meeting invitations and appointments that appear on customer calendars through the use of ICS file attachments. By updating our email parsing capabilities to more accurately identify calendar invites with the signals commonly associated with these attacks, Abnormal can quickly remediate the email invites from existing campaigns and prevent similar future campaigns.

The updated detection model incorporates signals that indicate unusual behavior, such as adult vocabulary, irregular sender frequency, free email service origins, and atypical domain age (typically under one week). These improved signals have prevented hundreds of attacks from appearing on customer calendars.
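An added example (not Abnormal's code) that parses an ICS invite attachment and counts the calendar-spam signals listed above. The ICS sample, the free-mail and adult-vocabulary lists, the domain-registration table standing in for a WHOIS lookup, and the sender-frequency threshold are all constructed assumptions.

```python
import re
from datetime import date

# Constructed ICS attachment of the kind carried by a calendar-spam email.
# The long DESCRIPTION line is folded with CRLF + space as RFC 5545 requires.
ICS_SAMPLE = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Promo:mailto:promo1234@freemail.example\r\n"
    "ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:bob@corp.example\r\n"
    "SUMMARY:Hot adult chat tonight\r\n"
    "DESCRIPTION:Click http://new-dates.example/x for xxx vid\r\n"
    " eos\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
FREE_MAIL = {"freemail.example", "gmail.com", "outlook.com", "yahoo.com"}
ADULT_WORDS = {"adult", "xxx", "18+"}
# Stand-in for a registration-date lookup (constructed; real code would query WHOIS/RDAP).
DOMAIN_REGISTERED = {"new-dates.example": date(2023, 1, 30), "freemail.example": date(2005, 1, 1)}

def unfold(ics):
    """Join RFC 5545 folded continuation lines (line break followed by space/tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def parse_event(ics):
    """Return {NAME: value} for the properties; ';' parameters (CN=, ROLE=) are dropped."""
    props = {}
    for line in unfold(ics).splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def score_invite(ics, invites_last_hour, today=date(2023, 2, 3), max_per_hour=20):
    """Count which of the page's spam-invite signals fire; thresholds are assumed values."""
    ev, reasons = parse_event(ics), []
    organizer = re.sub(r"^mailto:", "", ev.get("ORGANIZER", ""), flags=re.I).lower()
    if organizer.rsplit("@", 1)[-1] in FREE_MAIL:
        reasons.append("organizer on free email service")
    tokens = (ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")).lower().split()
    if ADULT_WORDS & set(tokens):
        reasons.append("adult vocabulary")
    for host in re.findall(r"https?://([\w.-]+)", " ".join(tokens)):
        reg = DOMAIN_REGISTERED.get(host)
        if reg is not None and (today - reg).days < 7:
            reasons.append(f"link domain {host} registered under one week ago")
    if invites_last_hour > max_per_hour:
        reasons.append("irregular sender frequency")
    return len(reasons), reasons
```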

MFA Bypass Detection

Recent activity shows that attackers are using multiple new pathways to compromise or bypass multi-factor authentication (MFA) and commandeer user accounts. What is often considered the most effective security control is now being cracked by increasingly sophisticated threat groups at a rate never seen before.

While properly configured MFA stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. For example, existing authentication sessions can be hijacked, or users with compromised credentials can be bombarded with MFA requests until, out of fatigue, they approve one, as happened in the recent Uber attack.

To combat this, Abnormal enhanced detection within the Account Takeover Protection product, analyzing thousands of behavioral signals to determine whether a user has fallen victim to an attack that bypassed their MFA protocols.

Specifically, Abnormal can now detect not only that MFA has been bypassed, but also how it occurred. New data shown within the Portal now indicates if a compromised account was the result of:

  • Phishing-Initiated MFA Bypass

  • Weakening MFA Authentication

  • Exploitation of Authorized MFA Exception

  • Session Reuse

As with all compromised account detections, when MFA is bypassed, an Abnormal case is immediately opened so that threats can be identified, investigated, and quickly remediated.

Detection 360: How the Best Detection Keeps Getting Better

And finally, Abnormal added enhancements to improve visibility into D360 tickets that feed improvements to our detection models. Users can now quickly find submitted detection tickets in Detection 360 with additional filters. The new functionality enables users to filter all D360 cases by:

  • Sender - Name or Email Address

  • Recipient - Name or Email Address

  • Subject - Title of Message

  • Submitted By - Name

  • Case Number - D360 Case Number

  • Time - Necessary Time Span

  • Status - Resolved/Submitted

  • VIP - Reports with VIPs and/or Non-VIPs

Filters are accessible by clicking ‘Investigate’, ‘Detection 360’, and then using the ‘Filter By’ pop-up module.

[Screenshot: the Detection 360 ‘Filter By’ pop-up module]

We also launched functionality to configure and send email notifications for D360 Case resolutions. These notifications give Abnormal admins visibility into resolved D360 Cases, without having to log into the Portal.

What’s Coming This Spring

Our detection improvements from this past quarter have helped our customers stay one step ahead of email threats. In 2023, we are continuing our march to ensure you are protected by the best threat detection in the business. If you aren’t a customer yet, what are you waiting for?

Schedule a personalized demo and see for yourself how Abnormal stops the advanced socially-engineered attacks that other solutions miss.
