Winter 2023 Detection Enhancement Recap: Clearing the Way for Safer Cloud Email

This winter, Abnormal improved its detection efficacy by leveraging aggregate signals, providing better visibility in D360, blocking calendar spam, and more.
February 3, 2023

This winter, Abnormal has turned up the heat on those chilling email threats lurking in and around your email platform. Our latest detection improvements are like a giant snowplow clearing the way for safer and more secure email platforms. To improve detection efficacy and flush those threats out, we’ve enhanced our email parsing to detect and block calendar spam bombing campaigns, leveraged more aggregate signals to detect anomalies, and provided customers better visibility on reported D360 tickets.

As we wrap up our quarter, here’s a quick review of all the ways we improved the platform for our customers over the past three months.

Aggregate Detection Signals

During the past quarter, we shipped multiple enhancements that help detect anomalies and improve our detection models in the aggregate.

To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals on the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals detect how often a user sends document-sharing links and how often recipients receive uncommon file-sharing domains to help identify suspicious file-sharing behavior.

But this isn’t the only improvement, as threat actors are constantly shifting their tactics to increase their success rate. To that end, we’ve seen attackers use image anchors to contain malicious links. The updated detection model better identifies images correlated with these types of hidden malicious payloads.

Hijacked Thread Detection

To assist with detecting hijacked thread attacks, Abnormal enhanced the text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. These hijacked conversations are particularly dangerous because they generate high engagement from email recipients based on the established trust from previous interactions with the email thread.

To carry out this type of attack, the attacker typically gains access to one of the email accounts, which then enables them to view all emails in the inbox. From there, they can identify high-value conversations and insert themselves at the appropriate moment. The hijacker may attempt invoice or financial fraud, or add a malicious link, potentially containing malware such as QakBot, as shown here.


With this new attribute, Abnormal is better able to detect and remediate hijacked conversations in the email platform. This greatly reduces engagement with hijacked threads that customers would encounter and often interact with prior to this update.

Lateral Burst Detection

A key distinction of Abnormal Security’s detection efficacy is the ability to detect lateral east-west traffic, or messages that are sent between internal employees inside of their email platform. With new lateral burst detection, Abnormal can now detect bursty patterns where an anomalous number of messages are sent from an account in a short period of time. This signal is used to help detect attacks sent from internally compromised accounts to others—both internally and externally.
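The kind of burst signal described above can be sketched as follows. This is an added example, not Abnormal's detection model: it compares each sender's peak message count in a sliding window against that sender's own historical baseline. The window size, thresholds, log tuple format, and sample events are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW = timedelta(minutes=10)  # assumed burst window
MIN_BURST = 20                  # assumed absolute floor so 3-vs-1 is not a "burst"
RATIO = 5.0                     # assumed multiple of the sender's own baseline

def peak_window(times):
    """Return (max messages inside any sliding WINDOW, start of that window)."""
    q, best, best_start = deque(), 0, None
    for t in sorted(times):
        q.append(t)
        while t - q[0] > WINDOW:
            q.popleft()
        if len(q) > best:
            best, best_start = len(q), q[0]
    return best, best_start

def baseline(times):
    """Median messages per non-empty fixed WINDOW bucket in the sender's history."""
    buckets = Counter(int(t.timestamp() // WINDOW.total_seconds()) for t in times)
    return median(buckets.values()) if buckets else 0

def find_bursts(history, current):
    """history/current: iterables of (timestamp, sender, recipient) log tuples."""
    hist, cur = defaultdict(list), defaultdict(list)
    for ts, sender, _ in history:
        hist[sender].append(ts)
    for ts, sender, rcpt in current:
        cur[sender].append((ts, rcpt))
    alerts = []
    for sender, msgs in cur.items():
        count, start = peak_window([ts for ts, _ in msgs])
        base = baseline(hist[sender])
        if count >= MIN_BURST and count >= RATIO * max(base, 1):
            rcpts = {r for ts, r in msgs if start <= ts <= start + WINDOW}
            alerts.append({"sender": sender, "count": count, "baseline": base,
                           "distinct_recipients": len(rcpts)})
    return alerts

# Constructed sample log: alice sends ~1 message/hour, news@ sends regular batches of 25.
T0 = datetime(2023, 1, 9, 9, 0, tzinfo=timezone.utc)
def batch(sender, hour, n, step_s):  # n messages to n distinct constructed recipients
    return [(T0 + timedelta(hours=hour, seconds=step_s * i), sender, f"u{i}@example.com")
            for i in range(n)]
HISTORY = [e for h in range(40) for e in batch("alice@example.com", h, 1, 0)]
HISTORY += [e for h in range(0, 40, 8) for e in batch("news@example.com", h, 25, 20)]
CURRENT = (batch("alice@example.com", 48, 30, 10) + batch("news@example.com", 48, 25, 20)
           + batch("carol@example.com", 49, 3, 60))
```

Calling `find_bursts(HISTORY, CURRENT)` flags only the alice account. The news sender's batch of 25 matches its own history, which is why the comparison is per-sender rather than a single global threshold.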

Spam Calendar Bombing Campaigns

Another attack type increasing in frequency is the calendar spam bombing campaign, characterized by unwanted meeting invitations and appointments that appear on customer calendars through the use of ICS file attachments. By updating our email parsing capabilities to more accurately identify calendar invites with the signals commonly associated with these attacks, Abnormal can quickly remediate the email invites from existing campaigns and prevent similar future campaigns.

The updated detection model incorporates signals that indicate unusual behavior like adult vocabulary, irregular sender frequency, free email service origins, and atypical domain age, typically within one week. These improved signals have prevented hundreds of attacks from appearing on customer calendars.

MFA Bypass Detection

Recent activity shows that attackers are using multiple new pathways to compromise or bypass multi-factor authentication (MFA) and commandeer user accounts. What is often considered the most effective security tactic is now being cracked by increasingly sophisticated threat groups at a rate never seen before.

While properly configured MFA stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. For example, existing authentication sessions can be hijacked or users with compromised credentials can be bombarded with MFA requests until they exhaustedly approve one, like what happened in the recent Uber attack.

To combat this, Abnormal enhanced detection within the Account Takeover Protection product, analyzing thousands of behavioral signals to determine whether a user has fallen victim to an attack that bypassed their MFA protocols.

Specifically, Abnormal can now detect not only that MFA has been bypassed, but also how it occurred. New data shown within the Portal now indicates if a compromised account was the result of:

  • Phishing-Initiated MFA Bypass

  • Weakening MFA Authentication

  • Exploitation of Authorized MFA Exception

  • Session Reuse

As with all compromised account detections, when MFA is bypassed, an Abnormal case is immediately opened so that threats can be identified, investigated, and quickly remediated.

Detection 360: How the Best Detection Keeps Getting Better

And finally, Abnormal added enhancements to improve visibility into D360 tickets that feed improvements to our detection models. Users can now quickly find submitted detection tickets in Detection 360 with additional filters. The new functionality enables users to filter all D360 cases by:

  • Sender - Name or Email Address

  • Recipient - Name or Email Address

  • Subject - Title of Message

  • Submitted By - Name

  • Case Number - D360 Case Number

  • Time - Necessary Time Span

  • Status - Resolved/Submitted

  • VIP - Reports with VIPs and/or Non-VIPs

Filters are accessible by clicking ‘Investigate’, ‘Detection 360’, and then using the ‘Filter By’ pop-up module.


We also launched functionality to configure and send email notifications for D360 Case resolutions. These notifications give Abnormal admins visibility into resolved D360 Cases, without having to log into the Portal.

What’s Coming This Spring

Our detection improvements from this past quarter have helped our customers stay one step ahead of email threats. In 2023, we are continuing our march to ensure you are protected by the best threat detection in the business. If you aren’t a customer yet, what are you waiting for?

Schedule a personalized demo and see for yourself how Abnormal stops the advanced socially-engineered attacks that other solutions miss.
