Announcing Email-Like Security for Slack, Zoom, and Microsoft Teams
Monitors Slack, Microsoft Teams and Zoom for messages that contain suspicious URLs, flags potential threats for further review, and allows administrators to take action against malicious activity. Malicious messages are surfaced regardless of whether the message is sent from an internal employee or an external contractor.
Email-Like Account Takeover Protection
Analyzes authentication activity in Slack, Teams and Zoom, alerting security teams to suspicious sign-in events—whether a user is signing in from a blocked browser, in a risky location or on a known-bad IP address. Each event is automatically flagged for immediate investigation, with single sign-on (SSO) activity from Okta and Azure Active Directory included for additional evidence.
Email-Like Security Posture Management
Gives security teams a complete view of user privilege changes in Slack, Microsoft Teams and Zoom to ensure only the appropriate users have admin rights. Email-Like Security Posture Management dynamically monitors for new changes, surfacing those that are considered high impact.
PeopleBase and TenantBase Now Available for Google Workspace
PeopleBase and TenantBase, two of Abnormal’s newest Knowledge Bases, are now available for Google Workspace.
Similar to VendorBase, PeopleBase and TenantBase provide visibility into behavior and activities of entities within a cloud email environment. PeopleBase catalogs active users and builds dynamic profiles with behavioral data, as well as activity timelines of recent events. TenantBase provides an inventory of all email tenants within the environment and associated activities within them.
These three Knowledge Bases offer security teams increased visibility into common entry points for email platform attacks.
Introducing Security Posture Management (Generally Available)
Often, security teams have limited visibility into configuration changes across users, integrated applications, and tenants, requiring time-consuming manual investigation efforts to identify and address risks. The Security Posture Management add-on improves the risk posture of cloud email environments by surfacing and centralizing visibility into changes to user privileges, application permissions, and mail tenant conditional access policies.
Security Posture Management uses the behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to monitor for high-impact configuration changes. Once these changes are identified, teams can drill into contextual insights with a before-and-after view of each change, links to entities involved, relevant documentation, and suggested next steps.
Abnormal users can also schedule email notifications as changes occur, export to the SIEM, and denote when a change is or has been addressed via an acknowledgement workflow.
MFA Bypass Detection in Abnormal Account Takeover Protection
While properly configured multi-factor authentication (MFA) stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. Attackers are exploiting these gaps to commandeer user accounts.
To combat this, Abnormal has enhanced its Account Takeover Protection add-on, analyzing thousands of signals to detect the hallmarks of an MFA Bypass attack, whether the attack takes the form of:
- Phishing-initiated MFA Bypass;
- Weakening MFA Authentication;
- Exploitation of Authorized MFA Exception; or
- Session Reuse/Hijacking
As with all detection types in Account Takeover Protection, an Abnormal Case will then immediately be opened when MFA Bypass is detected, so threats can be identified, investigated, and quickly remediated.
Lateral Burst Detection
A key distinction of Abnormal Security’s detection is its ability to inspect lateral (east-west) traffic: messages sent between employees inside their email platform.
Using this ability, Abnormal can now detect bursty patterns in which an anomalous number of messages is sent from a single account within a short period of time. This signal helps detect attacks launched from internally compromised accounts against other internal and external recipients.
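A minimal sliding-window version of the burst signal described above, added here as an illustration rather than Abnormal's own detection logic; the send log and the per-account baselines are constructed, and the five-minute window, the 3x factor and the floor of five messages are assumed thresholds:

```python
"""Sliding-window burst detector for outbound messages per account (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (sender account, send time); not real tenant data.
SENT_LOG = [
    ("alice@example.test", "2024-03-01T09:00:10"),
    ("alice@example.test", "2024-03-01T09:42:00"),
    ("bob@example.test", "2024-03-01T10:00:00"),
    ("bob@example.test", "2024-03-01T10:00:04"),
    ("bob@example.test", "2024-03-01T10:00:09"),
    ("bob@example.test", "2024-03-01T10:00:15"),
    ("bob@example.test", "2024-03-01T10:00:21"),
    ("bob@example.test", "2024-03-01T10:00:30"),
    ("bob@example.test", "2024-03-01T10:00:44"),
    ("bob@example.test", "2024-03-01T14:30:00"),
]

# Constructed per-account baseline: typical peak messages in any five-minute
# window over the account's history (assumed values for illustration).
BASELINE_PER_WINDOW = {"alice@example.test": 2, "bob@example.test": 2}


def max_messages_in_window(times, window):
    """Largest number of sends that fall inside any window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bursts(sent_log, baseline, window=timedelta(minutes=5), factor=3, floor=5):
    """Return {account: peak_count} for accounts whose peak window count is anomalous.

    An account is flagged only when its peak exceeds both a hard floor and
    `factor` times its own baseline, so quiet accounts are not flagged by noise."""
    per_account = defaultdict(list)
    for account, ts in sent_log:
        per_account[account].append(datetime.fromisoformat(ts))
    flagged = {}
    for account, times in per_account.items():
        peak = max_messages_in_window(times, window)
        threshold = max(floor, factor * baseline.get(account, 1))
        if peak > threshold:
            flagged[account] = peak
    return flagged
```

Run `detect_bursts(SENT_LOG, BASELINE_PER_WINDOW)` to see that only the account with seven sends inside one minute is flagged.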
Aggregate Detection Model Enhancements
Multiple enhancements that detect anomalies in the aggregate have been added to our detection model.
To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals on the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals detect how often a user sends document-sharing links and how often recipients receive uncommon file-sharing domains to help identify suspicious file-sharing behavior.
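The two aggregate signals above (sender-level link frequency and recipient-level domain rarity) can be sketched as follows; this is an added example, not Abnormal's model, and the file-sharing host list, the message history and the thresholds are all constructed for illustration:

```python
"""Sender/recipient aggregate signals for file-sharing links (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Assumed set of document-sharing hosts for this example only.
FILE_SHARE_HOSTS = {"1drv.ms", "onedrive.live.com", "docusign.net"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message history (sender, recipient, body); not real mail data.
HISTORY = [
    ("alice@corp.test", "bob@corp.test", "Q1 deck: https://onedrive.live.com/abc"),
    ("alice@corp.test", "bob@corp.test", "Updated deck https://onedrive.live.com/def"),
    ("alice@corp.test", "carol@corp.test", "Budget https://onedrive.live.com/ghi"),
    ("dave@corp.test", "bob@corp.test", "Lunch tomorrow?"),
    ("dave@corp.test", "bob@corp.test", "Meeting notes attached."),
    ("dave@corp.test", "carol@corp.test", "Invoice attached, thanks."),
]


def file_share_hosts(body):
    """Lowercased hosts of any file-sharing URLs found in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARE_HOSTS:
            hosts.add(host)
    return hosts


def sender_share_rate(history):
    """Fraction of each sender's past messages that carried a file-sharing link."""
    sent, with_link = Counter(), Counter()
    for sender, _, body in history:
        sent[sender] += 1
        with_link[sender] += bool(file_share_hosts(body))
    return {s: with_link[s] / sent[s] for s in sent}


def recipient_host_counts(history):
    """Per recipient, how many past inbound messages carried each file-sharing host."""
    seen = defaultdict(Counter)
    for _, rcpt, body in history:
        for host in file_share_hosts(body):
            seen[rcpt][host] += 1
    return seen


def suspicious_reasons(sender, rcpt, body, history, min_rate=0.25, rare_max=0):
    """Reasons a new message looks anomalous under the two aggregate signals."""
    reasons, hosts = [], file_share_hosts(body)
    if hosts and sender_share_rate(history).get(sender, 0.0) <= min_rate:
        reasons.append("sender rarely sends file-sharing links")
    seen = recipient_host_counts(history)[rcpt]
    for host in sorted(hosts):
        if seen[host] <= rare_max:
            reasons.append(f"{host} is uncommon for recipient")
    return reasons
```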
As threat actors constantly shift their tactics to increase their success rate, we’ve seen image anchors weaponized to carry malicious links. The updated detection model also better identifies images correlated with these types of hidden malicious payloads.
Hijacked Thread Detection
To assist with detecting hijacked thread attacks, Abnormal added text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. This enhancement is particularly powerful because hijacked conversations generate high engagement from email recipients based on the established trust from previous interactions with the email thread.
Introducing Security Posture Management (Beta)
The Security Posture Management add-on improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps, while eliminating the need for manual efforts, spreadsheets, or PowerShell scripts that are typically needed to perform discovery and mitigation.
Security Posture Management uses the data within behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to determine when a potentially harmful or unexpected configuration change has occurred. Armed with this knowledge, the platform monitors for high-risk configuration drifts, including privilege escalations, new third-party apps, and conditional access policy exceptions. Once these changes are identified, teams are notified and can action changes in a simple acknowledgement workflow.
New Sender IP Address and URL Filters for Search & Respond
Search & Respond has new filters that make it faster and easier to locate email records.
You can now filter by:
- Sender IP Address
- URL in Body
Detection 360 Filters
Abnormal users can now quickly find submitted detection tickets in Detection 360. The new functionality enables users to filter all D360 cases by:
- Sender - name or email address
- Recipient - name or email address
- Subject - title of message
- Submitted by - name
- Case Number - D360 Case number
- Time - the time span to search
- Status - Resolved/Submitted
- VIP - reports with VIPs and/or Non VIPs
To access filters, click on Investigate > Detection 360 and use the Filter By pop-up.
Customers can onboard and secure their new tenants faster using the new self-service multi-tenant management feature in Abnormal.
New SIEM Event Type: Audit Log
Expansion of both Abnormal's SIEM export schema and API functionality to include Abnormal Audit Logs. This added feature allows customers to ingest audit logs into their SIEM or SOAR integrations, extract relevant information, and create incident response workflows and alerts for suspicious user activity.
Introducing Knowledge Bases: AppBase, PeopleBase, TenantBase
The vendors, third-party applications, and employees that have access to data within your Microsoft 365 environment can serve as potential entry points for attackers to carry out account takeovers, privilege escalations, and third-party application abuse. Unfortunately, security teams often lack visibility into the risks to their cloud email environment, because information about the most business-critical configuration settings is scattered across multiple control panes. To help you and your team gain visibility into the People, Application, and Tenant attack surface areas in Microsoft 365, we have added three new Knowledge Bases: TenantBase, AppBase, and PeopleBase. Each is available as a no-cost Platform capability for all Abnormal customers.
New SIEM Event Fields
Added two new fields into the threats event type in the SIEM export schema to provide more granular detail to SOC teams:
- attack_score - The information is currently shown in the Threat Log > Threat Log Details page.
- folder_locations - This information is currently shown on the Threat Log > Threat Log Details page in the Remediation Options card, which shows where the email was found.
Detection 360 Email Notifications
In addition to tracking updates directly in your D360 portal, customers can now receive email notifications when a D360 case is resolved.
API Endpoint Enhancement for Abuse Mailbox Automation
Abnormal has added a REST API endpoint to allow developers to programmatically extract more information from Abuse Mailbox Automation.
The new GET /abuse_mailbox/not_analyzed endpoint allows customers to view a list of end-user-submitted phishing reports that Abuse Mailbox did not analyze, along with the reasons why and corresponding details such as reporter, reporter email, reported time, and more.
This endpoint can be used immediately by any customers who have already integrated with the Abnormal API. For integration instructions, see Abnormal REST API Integration Guide.
Abuse Mailbox Automation Now Analyzes and Surfaces Multi-forwarded Email Threads
Improved extraction logic in Abuse Mailbox Automation surfaces reported phishing messages that arrive as multi-forwarded threads or replies.
Now, when employees submit multi-forwarded email threads to the Abuse Mailbox Automation for analysis, Abnormal will automatically triage and remediate them within seconds, adding to the 4x time savings SOC teams can achieve. The Email Summary view now includes context about forwards or replies within the message. Analysis details will show the origin of the email, i.e. “this email is the first in a thread with two replies.”
New Search and Respond Fields and Filters
Security analysts can locate specific emails more quickly with a new filter and search fields. Customers who have Email Productivity enabled can filter the search to only show Graymail messages. Additionally, customers can now use two new fields to quickly search by:
- Message ID
- Attachment name
Improved Spam Detection
Abnormal has enhanced Inbound Email Security's detection model with behavioral intelligence that recognizes more known-good behaviors, making it easier to identify the anomalies in emails that indicate spam. For example, older domains are less likely than young domains to be carrying out the newer type of spam we are now filtering out of inboxes.
Inbound Email Security now filters twice the volume of spam to a hidden folder, freeing security analysts from having to triage additional user-reported spam submitted to their abuse mailbox.
BERT Large Language Model (LLM)
With the addition of the BERT LLM enhancement, Abnormal's detection models can more easily determine whether two emails are similar and part of the same polymorphic email campaign targeting an organization. Additionally, these pre-trained BERT LLMs give Abnormal the ability to understand content, text, and the intention of a possible attacker in a highly scalable manner.
Here's an example of the differences a word's meaning can have depending on where it sits within a sentence.
Because BERT understands the context in which a word is placed, it returns different embeddings (vectors that encapsulate the meaning of the word in that context), and those embeddings are used to detect similar spam campaigns.
Detection 360 API Endpoint
New API endpoint for customers to fetch a list of Detection 360° reports that they have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.
Customers who have integrated with the Abnormal API can use this endpoint to extract their D360° information. For integration instructions, see the Abnormal REST API Integration Guide.
Threat Log Attachment Search
Threat Log now supports searching by attachment name, MD5, and SHA256.