Winter 2023 Detection Enhancement Recap: Clearing the Way for Safer Cloud Email

This winter, Abnormal improved its detection efficacy by leveraging aggregate signals, providing better visibility in D360, blocking calendar spam, and more.
February 3, 2023

This winter, Abnormal has turned up the heat on those chilling email threats lurking in and around your email platform. Our latest detection improvements are like a giant snowplow clearing the way for safer and more secure email platforms. To improve detection efficacy and flush those threats out, we’ve enhanced our email parsing to detect and block calendar spam bombing campaigns, leveraged more aggregate signals to detect anomalies, and provided customers better visibility on reported D360 tickets.

As we wrap up our quarter, here’s a quick review of all the ways we improved the platform for our customers over the past three months.

Aggregate Detection Signals

During the past quarter, we shipped multiple enhancements that help detect anomalies and improve our detection models in the aggregate.

To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals on the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals detect how often a user sends document-sharing links and how often recipients receive uncommon file-sharing domains to help identify suspicious file-sharing behavior.

But this isn’t the only improvement, as threat actors are constantly shifting their tactics to increase their success rate. To that end, we’ve seen the usage of image anchors to contain malicious links. The updated detection model better identifies images correlated with these types of hidden malicious payloads.

Hijacked Thread Detection

To assist with detecting hijacked thread attacks, Abnormal enhanced the text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. These hijacked conversations are particularly dangerous because they generate high engagement from email recipients based on the established trust from previous interactions with the email thread.

To carry out this type of attack, the attacker typically gains access to one of the email accounts, which then enables them to view all emails in the inbox. From there, they can identify high-value conversations and insert at the appropriate moment. The hijacker may attempt invoice or financial fraud, or add a malicious link, potentially containing malware such as QakBot, as shown here.


With this new attribute, Abnormal is better able to detect and remediate hijacked conversations in the email platform. This greatly reduces engagement with hijacked threads that customers would encounter and often interact with prior to this update.

Lateral Burst Detection

A key distinction of Abnormal Security’s detection efficacy is the ability to detect lateral east-west traffic, or messages that are sent between internal employees inside of their email platform. With new lateral burst detection, Abnormal can now detect bursty patterns where an anomalous number of messages are sent from an account in a short period of time. This signal is used to help detect attacks sent from internally compromised accounts to others—both internally and externally.

Spam Calendar Bombing Campaigns

Another attack type increasing in frequency is the calendar spam bombing campaign, characterized by unwanted meeting invitations and appointments that appear on customer calendars through the use of ICS file attachments. By updating our email parsing capabilities to more accurately identify calendar invites with the signals commonly associated with these attacks, Abnormal can quickly remediate the email invites from existing campaigns and prevent similar future campaigns.

The updated detection model incorporates signals that indicate unusual behavior like adult vocabulary, irregular sender frequency, free email service origins, and atypical domain age, typically within one week. These improved signals have prevented hundreds of attacks from appearing on customer calendars.

MFA Bypass Detection

Recent activity shows that attacks are using multiple new pathways to compromise or bypass multi-factor authentication (MFA) and commandeer user accounts. What is often considered the most effective security tactic is now, being cracked by increasingly sophisticated threat groups at a rate never seen before.

While properly configured MFA stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. For example, existing authentication sessions can be hijacked or users with compromised credentials can be bombarded with MFA requests until they exhaustedly approve one, like what happened in the recent Uber attack.

To combat this, Abnormal enhanced detection within the Account Takeover Protection product, analyzing thousands of behavioral signals to determine whether a user has fallen victim to an attack that bypassed their MFA protocols.

Specifically, Abnormal can now detect not only that MFA has been bypassed, but also how it occurred. New data shown within the Portal now indicates if a compromised account was the result of:

  • Phishing-Initiated MFA Bypass

  • Weakening MFA Authentication

  • Exploitation of Authorized MFA Exception

  • Session Reuse

As with all compromised account detections, when MFA is bypassed, an Abnormal case is immediately opened so that threats can be identified, investigated, and quickly remediated.

Detection 360: How the Best Detection Keeps Getting Better

And finally, Abnormal added enhancements to improve visibility into D360 tickets that feed improvements to our detection models. Users can now quickly find submitted detection tickets in Detection 360 with additional filters. The new functionality enables users to filter all D360 cases by:

  • Sender - Name or Email Address

  • Recipient - Name or Email Address

  • Subject - Title of Message

  • Submitted By - Name

  • Case Number - D360 Case Number

  • Time - Necessary Time Span

  • Status - Resolved/Submitted

  • VIP - Reports with VIPs and/or Non-VIPs

Filters are accessible by clicking ‘Investigate’, ‘Detection 360’, and then using the ‘Filter By’ pop-up module.


We also launched functionality to configure and send email notifications for D360 Case resolutions. These notifications give Abnormal admins visibility into resolved D360 Cases, without having to log into the Portal.

What’s Coming This Spring

Our detection improvements from this past quarter have helped our customers stay one step ahead of email threats. In 2023, we are continuing our march to ensure you are protected by the best threat detection in the business. If you aren’t a customer yet, what are you waiting for?

Schedule a personalized demo and see for yourself how Abnormal stops the advanced socially-engineered attacks that other solutions miss.

Schedule a Demo
Winter 2023 Detection Enhancement Recap: Clearing the Way for Safer Cloud Email

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More
B Look alike Domain Tactics
Learn 6 common look-alike domain tactics, some of the ways attackers use look-alike domains, and steps you can take to reduce your risk.
Read More