Product FAQ: Detection Signals - Abnormal Security
Detection Signals

Abnormal detects a range of malicious signals and generates dynamic, message-specific insights from the content, sender, and recipient behavior of each email and its context. Signals and their explanations fall into the following categories:

Suspicious Link(s)

The email content is unusual due to one of the following:

  • Message body contains a newly created domain, a common pattern when attackers register brand-new domains for cyberattacks.
  • Message body contains a shortened URL that redirects to potentially malicious websites.
  • Message content asks the recipient to click on a suspicious link or attachment.
  • Message contains suspicious URLs that include email address(es), a common pattern in credential theft attacks.
  • Message body contains links that resemble legitimate URLs but point to malicious websites.

Link(s) Detected in Attachment

The email attachment contains a URL link to an external website that may be malicious.

Redirect Link(s) Detected

The original link in the email appears to redirect to alternative links that may be malicious.

Link(s) Detected in Cloud-sharing Document

The link appears to be a cloud-sharing document that contains embedded links to external sites.

Unusual Sender

The email exhibits suspicious sending behavior:

  • Sender’s email signature (display name/email address) matches an executive, and the email may be asking the recipient to take an unsafe action.
  • Sender’s email signature (display name/email address) matches, resembles, or is associated with an executive or administrator account.
  • Sender’s display name attempts to impersonate a VIP.
  • Sender’s email signature (display name/email address) matches, resembles, or is associated with a known brand or vendor.
  • Sender has never sent an email from this email address; they usually send from a different address.
  • Recipient has never received an email from the sender’s email address or domain.
  • Sender’s language indicates an attempt to engage the recipient in suspicious activity.
  • Sender’s account recently showed signs of suspicious activity.
  • Sender email address has never previously been used by this sender, nor has it ever sent to our organization before.
  • Sender email address does not match the sender’s display name, a common pattern in impersonation attempts.
  • Sender email authentication results are unusual for this sender domain, a pattern commonly observed in email attacks.
  • Email was sent from a malformed IP address, which seldom occurs in legitimate email.

Unusual IP Geolocation

The email’s IP address indicates a combination of the following:

  • Never-before-seen country for the email domain.
  • Recipient has never received an email from this IP address’s country.
  • Emails rarely originate from this IP address’s country.
  • We have observed many email attacks originating from this country.
  • We have previously observed many email attacks originating from this IP address.

Potential Spoof

Email authentication (DMARC, DKIM, SPF) fails even though the email is sent from a legitimate company domain; the sending account is potentially spoofed.

Invisible Character(s) Found in Email

The email body contains invisible Unicode characters, a common pattern that we have observed in email attacks.

Abnormal Recipient Pattern

All email recipients were BCC’d, a common pattern when attackers send similar attacks to many recipients.

Suspicious Attachment

The attachment’s file extension is suspicious, and the file potentially contains malware.

Unusual Sender Domain

The email’s sender domain is suspicious:

  • The sender’s domain is young: it was registered less than 1 year before the email was sent.
  • The sender’s domain does not match any domain found in body links.

Unusual Reply To

The Reply-to address exhibits a suspicious pattern:

  • No Reply-To domain matches the sender’s domain.
  • Reply-To domains do not match any domain found in body links.

Potential Gift Card Fraud

The email subject/body contains language commonly found in Gift Card Fraud attacks.

Potential Payroll Fraud

The email subject/body contains language commonly found in Payroll Fraud attacks.

Suspicious Fax or Voicemail Notification

The message resembles an automated system notification, such as a fax or voicemail notification, but carries malicious content, a common method of email attack.

Bitcoin Topics

The email may be a bitcoin extortion attack, as the message body contains phrases commonly found in bitcoin extortion attacks.

Commonly Asked Questions:

Does Abnormal immediately remediate when a single signal is detected, such as a mail rule change?

No. Individual signals are not typically deterministic on their own. Threats such as credential phishing or account takeover are typically accompanied by numerous malicious and abnormal actions, such as those outlined above. Abnormal accounts for thousands of signals in its models before determining whether a message is safe or malicious.

Want to learn more?

Schedule a personalized product demo to see:

  • Threat analytics, insights and reporting
  • Automated Triage, Investigation and response tools
  • Platform integrations into SIEM, SOAR
  • …and more