Product FAQ: Detection Signals
Detection Signals
Abnormal detects various malicious signals and generates dynamic and unique insights based on the content, sender, and recipient behavior of each email and their unique context. Signals and explanations are broken down into the following categories:
Signal
Suspicious Link(s)
Description
The email content is unusual due to one of the following:
- Message body contains a newly-created domain, a common pattern when attackers register brand-new domains for cyberattacks.
- Message body contains a shortened URL that redirects to potentially malicious websites.
- Message content is attempting to ask the recipient to click on a suspicious link/attachment.
- Message contains suspicious URLs that include the email address(es), a common pattern in Credential Theft attacks.
- Message contains links in the body that resemble legitimate URLs but are links to malicious websites.
Link(s) Detected in Attachment
The email attachment contains a URL link to an external website that may be malicious.
Redirect Link(s) Detected
The original link in the email appears to redirect to alternative links that may be malicious.
Link(s) Detected in Cloud-sharing Document
The link appears to be a cloud-sharing document that contains embedded links to external sites.
Unusual Sender
The email exhibits suspicious sending behavior:
- Sender’s email signature (display name/email address) matches an executive and the email may be asking the recipient to engage in unsafe action
- Sender’s email signature (display name/email address) matches/resembles/is associated with an executive or an administrator account
- Sender’s display name is attempting to impersonate a VIP
- Sender’s email signature (display name/email address) matches/resembles/is associated with a known brand or a known vendor.
- Sender has never sent an email from this email address. They usually send from a different email address.
- Recipient has never received an email from the sender’s email address/domain
- Sender uses language to engage in suspicious activities
- Sender’s account recently showed signs of suspicious activity.
- Sender email address has never previously been used by this sender, or have sent to our organization before
- Sender email address does not match the sender’s display name, a common pattern in impersonation attempts
- Sender email authentication statuses are unusual for this sender domain, a pattern commonly observed in email attacks.
- Sender email was sent from a malformed IP address, which seldom occurs in legitimate emails.
Unusual IP Geolocation
The email’s IP address indicates a combination of:
- Never-before-seen country for the email domain
- Recipient has never received an email from this IP address country
- Emails rarely originate from this IP address country
- We have observed many email attacks originating from this country.
- We have previously observed many email attacks originating from this IP address.
Potential Spoof
Email Authentication (DMARC, DKIM, SPF) fails even though email is sent from a legitimate company domain. The email account is potentially spoofed.
Invisible Character(s) Found in Email
The email body contains invisible Unicode characters, a common pattern that we have observed in email attacks.
Abnormal Recipient Pattern
All email recipients were BCC’d, a common pattern when attackers send similar attacks to many recipients.
Suspicious Attachment
The attachment’s extension type is suspicious and potentially contains malware.
Unusual Sender Domain
The email’s sender domain is suspicious:
- The sender’s domain is young and was registered < 1 year before the email was sent.
- The sender’s domain does not match any domains found in body links.
Unusual Reply To
The Reply-to address exhibits a suspicious pattern:
- No “Reply-To” domains match the sender’s domain.
- Reply-To domains do not match any domains found in body links.
Potential Gift Card Fraud
The email subject/body contains language commonly found in Gift Card Fraud attacks.
Potential Payroll Fraud
The email subject/body contains language commonly found in email Payroll Fraud attacks.
Suspicious Fax or Voicemail notification
The message resembles an automated system such as fax or voicemail notification with malicious content, a common method of email attack
Bitcoin Topics
The email may be a bitcoin extortion attack, as the message body contains the bitcoin phrases commonly found in bitcoin extortion attacks.
Commonly Asked Questions:
Does Abnormal immediately remediate when a single signal is detected, such as a mail rule change?
No, individual signals are not typically deterministic. Threats such as credential phishing or account takeovers are typically accompanied by numerous malicious and abnormal actions outlined above. Abnormal accounts for thousands of signals in it’s models before making a determination if the message is safe or malicious.
Want to learn more?
Schedule a personalized product demo to see:
- Threat analytics, insights and reporting
- Automated Triage, Investigation and response tools
- Platform integrations into SIEM, SOAR
- …and more
Want to learn more?
Schedule a personalized product demo to see:
- Threat analytics, insights and reporting
- Automated Triage, Investigation and response tools
- Platform integrations into SIEM, SOAR
- …and more
Abnormal is the email security company that stands for trust.
© 2020 Abnormal Security Corporation.
All rights reserved.