Many recent, high-profile attacks have involved MFA bypass tactics such as session hijacking or MFA Fatigue. Attackers wanting to maintain a foothold in a compromised account will often bypass or manipulate MFA then socially engineer their way into registering a new MFA device. To help detect and combat these tactics, we have added new signals to our Account Takeover Protection solution. Abnormal can now detect suspicious device registration that could indicate an attacker has manipulated the account and may be attempting to establish persistence.

52% of organizations report experiencing multi-channel attacks that target not only email but move laterally across core collaboration applications. To combat these threats, Abnormal has extended the power of its email security platform to detect suspicious messages, remediate compromised accounts, and surface unusual changes to user privileges across Slack, Zoom, and Microsoft Teams.

PeopleBase and TenantBase are now available for Google Workspace users. Similar to VendorBase, PeopleBase and TenantBase provide visibility into behavior and activities of entities within a cloud email environment. PeopleBase catalogs active users and builds dynamic profiles with behavioral data, as well as activity timelines of recent events. TenantBase provides an inventory of all email tenants within the environment and associated activities within them.

Security Posture Management centralizes visibility into the integrated app permissions, user privileges, and security policies that constitute cloud email platforms. IT uses the behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to monitor for high-impact configuration changes that could open the door for threat actors. Once these changes are identified, teams can drill into contextual insights with a before-and-after view of each change, links to entities involved, relevant documentation, and suggested next steps.

While properly configured multi-factor authentication (MFA) stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. Attackers are exploiting these gaps to commandeer user accounts.

A key distinction of Abnormal Security’s detection is its ability to detect lateral east-west traffic, messages that are sent between employees inside of their email platform. Using this ability, Abnormal can now detect bursty patterns of an anomalous number of messages being sent from an account in short periods of time. This signal will be used to help detect attacks coming from internally compromised accounts to others internally and externally.

Multiple enhancements that detect anomalies in the aggregate have been added to our detection model.

To assist with detecting hijacked thread attacks, Abnormal added text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations.

The Security Posture Management add-on improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps, while eliminating the need for manual efforts, spreadsheets, or PowerShell scripts that are typically needed to perform discovery and mitigation.

Search & Respond has new filters that make it faster and easier to locate email records.

Abnormal users can now quickly find submitted detection tickets in Detection 360. The new functionality enables users to filter all D360 cases by...

Customers can onboard and secure their new tenants faster using the new self-service multi-tenant management feature in Abnormal.

Expansion of both Abnormal's SIEM export schema and API functionality to include Abnormal Audit Logs.

To help you and your team gain visibility to potential People, Application, and Tenant attack surface areas in Microsoft 365, we have added three new Knowledge Bases: TenantBase, AppBase, and PeopleBase. Each are available as no-cost Platform capabilities for all Abnormal customers.

Added two new fields into the threats event type in the SIEM export schema to provide more granular detail to SOC teams.

In addition to tracking updates directly in your D360 portal, customers can now receive email notifications when a D360 case is resolved.

Abnormal has added a REST API endpoint to allow developers to programmatically extract more information from Abuse Mailbox Automation.

Improved extraction logic in Abuse Mailbox Automation to surface multi-forwarded and reply phishing reported messages.

Security analysts can locate specific emails more quickly with a new filter and search fields. Customers who have Email Productivity enabled can filter the search to only show Graymail messages. Additionally, customers can now use two new fields to quickly search by...

Abnormal has enhanced Inbound Email Security's detection model by leveraging behavioral intelligence that identifies more known-good behaviors to identify anomalies in emails that indicate spam. For example, older domains are less likely than young domains to be carrying out this newer type of spam we are now filtering out of inboxes.

With the addition of the BERT LLM enhancement, Abnormal's detection models can more easily determine if two emails are similar and are part of the same polymorphic email campaign targeting an organization.

New API endpoint for customers to fetch a list of Detection 360° reports that they have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.

Threat log now supports the ability to search for attachment name, MD5, and SHA256.