Inbound Protection

Comprehensive Business Email Communication (BEC) Protection

Abnormal Security’s cloud-native architecture integrates directly into Microsoft Office 365 EOP and ATP, as well as G Suite, via APIs and requires no configuration or ongoing maintenance. Protect your organization from most advanced types of BEC attacks including:

  • Email Account Compromise
  • Vendor Account Compromise
  • VIP & Executive Impersonations
  • Internal Invoice/Payment Fraud
  • Payroll Fraud
  • Credential Phishing
  • Recon Emails
  • Extortion
  • Malware & Ransomware
  • Spam
  • Graymail
  • Reconnaissance
  • Phishing for Sensitive Data
  • Gift Card Fraud


Attack Insights

Abnormal evaluates thousands of signals for each message received by your organization to determine if and why the message is suspicious. If a message is suspicious, Abnormal provides detailed insights into the attack. Examples include:

  • Never-seen-before vendors to prevent supply chain fraud
  • Suspicious invoices
  • Suspicious mail filter rules
  • Suspicious links
  • Suspicious attachments
  • Impersonated email sign-offs 
  • Unusual senders
  • Redirect links
  • Links detected in cloud-sharing documents
  • Mismatched reply-to domains
  • Urgent financial requests
  • Executive impersonations
  • Unusual geolocation
  • Spoofed domains
  • Bitcoin topics
Automatic Remediation

Abnormal will automatically detect and move malicious emails to designated folders (junk folder, hidden folder, deleted folder, etc).

Unsafe Activity Intelligence

Abnormal automatically alerts on end users’ unsafe engagement activities. Engagement means the attack recipient has:

  • Opened the attack (enabled by internal/customer request)
  • Replied to the attacker
  • Forwarded the attack to another internal employee

Unsafe engagement activities appear in customer’s Portal, and via email notifications to Abnormal’s internal mailing lists.

Email Content Analysis

Abnormal detects and classifies key terms and language found in email communications to determine when a BEC attack is taking place, such as urgent financial requests or credential access. Details include:

  • Email subject
  • Email sender, including VIP senders or impersonated VIP senders
  • Email recipient(s), including VIP recipients
  • Original email header
  • Content analysis
  • Total count of links and attachments
  • Ability to download original email in .eml format
Email Account Compromise (EAC) Protection

Automatically correlates abnormal internal-to-internal behavior including identifying suspicious invoice details, mail filter rule changes, IP tracking for too-fast-to-travel logins to identify compromises.  Learn more

Vendor Account Compromise (VAC) Protection

Abnormal maps organizations and business processes in your supply chain for continuous analysis to stop invoice fraud from compromised vendors and customers. Learn more

VIP & Executive Protection

Abnormal identifies the presence of VIPs in email communications (email headers, as well as sign-off signatures) and protects these highly targeted members of an organization.

Alert Banners

Abnormal will be able to inject awareness banners into malicious emails that arrive in individual end user’s email inbox. Customer’s security team would be able to educate their end users to recognize malicious emails via these additional threat awareness content.

Suspicious Link Analysis

Using computer vision analysis, Abnormal can detect suspicious links used for credential phishing, as well as detect links that contain downloadable malware.

Attachment Analysis (Malware Detection & Sandbox)

Abnormal analyzes attachments for malware, and provides previews of attachments for deeper insights.

Intra-Organizational and Supply Chain Relationship Graph

Visibility into all of the people involved, both inside and out of your organization, involved in a BEC and account compromise attacks including recipients, senders as well as departments and groups affected.

Financial Invoice Analysis

Detects anomalies within invoice attachments including never-seen-before vendor names and bank account information, as well as unusual invoice amounts.

Sender Identity Analysis

Abnormal analyzes sender behavior, authentication and verifies user identity. Sender identity can detect suspicious signals such as never-seen-before geolocations, IP address, and email authentication alignment (SPF, DKIM, DMARC records) to aid in the assessment if the sender has been compromised.

Relationship Analysis

Abnormal can determine if a prior relationship between the sender and the recipient, the recipient department and company have previously existed, and flag suspicious relational activity from never-seen-before communication patterns.

Abuse Mailbox (Employee Reported Attacks)

Manage and analyze suspicious emails reported by employees into a central repository and take action on the emails by remediating them or moving them to a folder.

VendorBase (Supply Chain Protection & Intelligence)

Abnormal’s global, federated database of vendors and supply chain customers. VendorBase automatically maps all partners your organization communicates with over email, and assesses which vendors are high-risk to the organization. Provides detailed visibility into supply chain partner employees that interact with your organization’s employees, as well as visibility into vendor email accounts that may be compromised and related suspicious activities. Learn more


Seamless integration into your existing security stack: SIEM, SOAR, detection tools and ticketing systems. Connect into Microsoft Outlook, Microsoft Teams, G Suite, Slack, Splunk, Proofpoint TAP and others. Learn more

One-Click API Integration

Abnormal Security’s cloud-native architecture seamlessly integrates into dozens of enterprise platforms: Microsoft Office 365, G Suite, Slack and more. Integration takes seconds to complete and has no risk to mail flow, with no MX record, SMTP or mail routing changes required. Does not interfere with existing security tools.

No Ongoing Configuration or Manual Remediation

Abnornal’s AI-powered decision engine provides organizations with unparalleled effectiveness in stopping BEC attacks. As a result, SecOps gains valuable time back from not having to manually evaluate and remediate threats on a case-by-case basis. Learn more

Recon Email Protection

Abnormal protects against reconnaissance emails that include short snippets of text that targets employees for future attacks. Similar to cold-calls, these emails are often difficult to track. With Abnormal, organizations can automatically remediate them to the junk folder, so employees can verify whether the email is a recon email or not.

Graymail Sample Review

Organizations have the ability to review sample graymail messages to understand graymail attack definitions, remediation controls and detection details. This added control lowers the risk of graymail messages clogging employee’s inboxes.

Role-based Access Control for Multi-Tenancy

Abnormal gives organizations the ability to assign global admins, tenant admins, or tenant readers that have various privileges access options to the portal. This feature helps enterprises gain added control over user-role assignments and data-sharing.

Customer Report Portal

Abnormal has launched a centralized customer report dashboard that handles false negative reports submitted by an organization to Abnormal. SecOps can learn about the report status, investigation details, and improvements made from each report.

O365 Group Message Detection

Abnormal can detect malicious emails that exist within a Microsoft O365 Group mailbox. Get an instant alert notification when a group mailbox message is found and proceed to remediate the message in your own tenant. Reduces time to detection and response, increased protection coverage, and reduced risk from attacks within the O365 environment.

Attack Highlights

Attack Highlights allows customers to see attacks that the system has flagged as interesting or important directly from the Portal. These attacks are a small, targeted subset of attacks seen in the Threat Log. This is especially useful for an executive audience. Additionally, customers can download the highlights as a PDF to share with others in your organization.