Inbound Protection - Abnormal Security

Inbound Protection


Abnormal Security protects organizations from the full range of targeted email attacks by combining data science technologies with the unique visibility and data provided by a cloud-native API architecture.



ABX analyzes Email, Organization Structure, Event Information, Threat Intelligence and more to profile communications across:
∙ Identity Model
∙ Relationship Graph
∙ Content Analysis
which are consolidated by an ensemble of machine learning algorithms to stop the full range of email attacks.

Malware Sandbox

Consolidate the email security solution stack with comprehensive coverage for both advanced social engineering attacks and traditional malware protection. The Malware Sandbox identifies and blocks emails with malware-infected attachments or links to malware-infected files.


Global, federated database of an organization’s vendor reputation. By aggregating and incorporating a vendor’s risk score, Vendorbase gives customers insight into both legitimate and illegitimate vendors by providing visibility into a vendor’s reputation and transactions.

Explainable Insights

ABX will explain and summarize the automated analysis as human-readable, understandable insights.

Data Integrations

Abnormal integrates with a number of different sources, including Office 365, GSuite, Microsoft Teams, Proofpoint TAP, and Okta. The full list of integrations can be found on our Integrations page.


Abnormal will automatically detect and move malicious emails to designated folders (Junk folder, hidden folder, etc.).

Banners Injection

Abnormal will be able to inject awareness banners into malicious emails that arrive in individual end users’ inboxes. The customer’s security team would be able to use this additional threat awareness content to educate their end users to recognize malicious emails.

Passive Mode

In Passive Mode, Abnormal does not remediate or move any malicious emails. All emails detected by Abnormal will have the remediation status ‘Would Remediate’, meaning that Abnormal would remediate this email if the customer were in Active mode.

Manual Remediation

Manual Mode is an integration mode where users can manually remediate malicious emails within Abnormal’s interface. In Manual mode, no email is automatically moved by Abnormal; the move is only initiated by our customers. Manual mode also allows users to manually notify their employees of their abuse mailbox submission result.

Unsafe Engagement

Abnormal automatically alerts on end users’ unsafe engagement activities. Engagement means the attack recipient has:
∙ Opened the attack (enabled by internal/customer request)
∙ Replied to the attacker
∙ Forwarded the attack to another internal employee
Unsafe engagement activities appear in the customer’s Portal and are sent via email notifications to Abnormal’s internal mailing lists.

Email Notifications

Abnormal now supports automated email notifications within Abuse Mailbox and Abnormal Cases. In Abuse Mailbox, Security Analysts can be auto-alerted when a user-reported email campaign is detected as malicious. When an account takeover case is detected, designated security team recipients will also be alerted via email notification. Please reach out to your account manager if you would like to start receiving email notifications.

Remediation Status

Remediation statuses appear for each email or email campaign that Abnormal finds and displays in the Client Portal. The remediation status is based on a variety of factors:
∙ Whether or not Abnormal first detected the email
∙ Email judgement (safe, spam, malicious)
∙ Customer mode (Passive view only vs. Active)
∙ End-user interaction
Remediation status reflects the current state of email campaigns and informs end users if any additional action is required (to further remediate, mark false positive, etc.).