What's New

Learn about recent enhancements to Abnormal's behavioral AI security platform.

RBAC Improvements

April 2, 2024

Custom RBAC roles are now available, replacing the Per-Product Admin option. The update allows more granular per-tenant permission controls: no access, read-only, or read+write access. No action is needed: any roles using Per-Product Admin were automatically converted to Custom Roles that preserve the permission settings you previously designated.

In addition, customers using SPM will be able to specify which specific user accounts are allowed to:

  1. View the Security Posture Management tabs in Portal
  2. Acknowledge posture changes

This is the first application to implement Abnormal’s new RBAC platform, which is designed to improve the Abnormal user experience and meet customer needs. Additional access control options will continue to be added to various features based on customer feedback.

Google Chronicle Integration

April 1, 2024

Abnormal has added a new native integration with Google Chronicle. The integration allows customers to ingest a variety of different log events provided by Abnormal, such as Email Threats, Account Takeover Activity, Abuse Mailbox Events, Audit Log Events, and Security Posture Management Events.

New Phishing Simulation Auto-Response Category

March 5, 2024

Abuse Mailbox Automation customers can now configure templated auto-response messages for user-reported phishing emails that Abnormal determines to be phishing simulations.

The new “Phishing Simulation Response” category will strengthen security awareness and promote healthy reporting habits by automatically closing the feedback loop to reporters of phishing simulation campaigns.

Regex for Search and Respond

March 4, 2024

Regular expressions (regex) are widely used across programming and security for their strength in finding patterns in text.

Abnormal’s Search and Respond now supports Regex for Sender Email Address and Recipient Email Address searches. This enhancement will help you investigate or remediate messages with greater ease by finding more accurate results.

Click the “Use Recipient/Sender Regex” button in Search and Respond to try it. The update is being rolled out from March 4-7, 2024.
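As an added illustration of what a regex-based sender/recipient search does (example code written for this page, not Abnormal's implementation; the message records and field names are constructed), the following Python snippet applies user-supplied patterns to a small set of messages. It anchors each pattern to the whole address, matches case-insensitively, and rejects a malformed pattern instead of silently returning nothing.

```python
import re

# Constructed sample of message records (not real Abnormal data); each record
# carries the two fields the regex search filters operate on.
MESSAGES = [
    {"id": "m1", "sender": "ceo@example.com",        "recipients": ["finance@example.com"]},
    {"id": "m2", "sender": "ceo@examp1e.com",        "recipients": ["finance@example.com"]},
    {"id": "m3", "sender": "billing@vendor-corp.io", "recipients": ["ap@example.com", "ceo@example.com"]},
    {"id": "m4", "sender": "noreply@example.com",    "recipients": ["alice@example.com"]},
    {"id": "m5", "sender": "CEO@EXAMPLE.CO",         "recipients": ["bob@example.com"]},
]


def compile_filter(pattern):
    """Compile a user-supplied pattern, or return None when no filter was given.

    Email addresses are compared case-insensitively here; a malformed pattern is
    reported as a ValueError rather than silently matching nothing.
    """
    if not pattern:
        return None
    try:
        return re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        raise ValueError(f"invalid regex {pattern!r}: {exc}") from exc


def search_messages(messages, sender_regex=None, recipient_regex=None):
    """Return the ids of messages whose sender (and, if given, at least one
    recipient) fully matches the supplied regexes.

    fullmatch() anchors the pattern to the whole address, so "ceo@example\\.com"
    does not also match "ceo@example.com.attacker.test"; write ".*" explicitly
    when a partial match is wanted.
    """
    sender_re = compile_filter(sender_regex)
    recipient_re = compile_filter(recipient_regex)
    hits = []
    for msg in messages:
        if sender_re and not sender_re.fullmatch(msg["sender"]):
            continue
        if recipient_re and not any(recipient_re.fullmatch(r) for r in msg["recipients"]):
            continue
        hits.append(msg["id"])
    return hits


if __name__ == "__main__":
    # Senders that present as "ceo@" but are not on the genuine domain.
    print(search_messages(MESSAGES, sender_regex=r"ceo@(?!example\.com$).*"))
    # Everything one vendor sent to anyone at example.com.
    print(search_messages(MESSAGES, sender_regex=r".*@vendor-corp\.io",
                          recipient_regex=r".*@example\.com"))
```

The negative lookahead in the first query is the kind of pattern a search box with plain substring matching cannot express: it returns only the sender addresses that look like the executive's but live on a different domain.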

Filter for QR Code Attacks in Threat Log

January 24, 2024

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. To combat this threat, Abnormal released a QR code detector which works in tandem with behavioral AI to detect and remediate emails containing a malicious QR code.

Customers can now filter Threat Log to view all attacks remediated by the QR code detector. This enhancement provides valuable insights into the frequency of QR code attacks and allows for a more targeted analysis of security threats.

Deeper Insights and Confidence Scores in Email Account Takeover Protection Enhance Investigation

December 14, 2023

In this latest enhancement of Abnormal Email Account Takeover Protection, Abnormal Cases have been enriched with contextual insights detailing why an event triggered a case and which signals helped determine that the event was suspicious. Abnormal Cases will now highlight how frequently a user (and in certain cases, the company itself) was associated with analyzed signals such as IP addresses, ISPs, browsers, locations, etc.

Additionally, Cases will now be assigned a Confidence Score: a High score requires immediate attention, a Medium score indicates a “potential risk” that should be investigated, and a Low score is attributed to notable or suspicious events that may be unusual but are not anomalous enough to label as an urgent threat.

To reduce noise, Cases in the Account Takeover Protection list view will be segmented based on confidence to give immediate visibility into the highest priority Cases, while still providing quick access to the other suspicious user cases that are not considered active account takeovers.

Email Productivity is Now Available for Google Workspace

December 11, 2023

Employees waste nearly two business days per year sorting through promotional emails. Legacy approaches to filtering this graymail often result in increased user frustration and more IT support tickets.

Email Productivity is now available to Google Workspace customers. Email Productivity deploys natural language processing (NLP) and machine learning (ML) models to detect and automatically remove time-wasting graymail from employee inboxes. Email Productivity customers also receive access to the graymail dashboard, which shows trends in daily volume, most targeted users/executives, and top graymail senders, plus the amount of time your employees are saving.

When deployed in a Google environment, Email Productivity will automatically remove promotional messages from the inbox and place them into a graymail label in Gmail. This results in measurable time savings and removes the need for end-user digest emails and quarantine portals.

Ingest Abnormal data into CrowdStrike Falcon® Insight XDR

November 15, 2023

Security analysts can now trigger or enhance their XDR workflows with email events, user-reported phishing emails, and vendor events detected by Abnormal Security. This allows security teams to surface, enhance, correlate, and automatically take actions on signals from the Abnormal platform.

Email Account Takeover Protection: Detect the Signs of MFA Bypass in Compromised Accounts

October 31, 2023

Many recent, high-profile attacks have involved MFA bypass tactics such as session hijacking or MFA Fatigue. Attackers wanting to maintain a foothold in a compromised account will often bypass or manipulate MFA then socially engineer their way into registering a new MFA device.

To help detect and combat these tactics, we have added new signals to our Account Takeover Protection solution. Abnormal can now detect suspicious device registration that could indicate an attacker has manipulated the account and may be attempting to establish persistence.

Enhancements to Email Account Takeover Protection Case Explainability

October 31, 2023

Email Account Takeover Protection Cases have been upgraded, delivering greater explainability and key insights into each anomalous event related to a potentially compromised user.

This includes:

  • Detection confidence scores
  • Detailed description of why an event triggered a case
  • How rare an activity is for the associated user
  • Enhanced identity details and breakdown (location, IP, client app, browser, etc.)

New Events in Email Security Posture Management to Help Stop Consent Phishing

October 31, 2023

The past few years have seen the rise of consent phishing attacks—that is, those email attacks that implore a recipient to grant OAuth access to a malicious application.

To combat this, Email Security Posture Management will now surface when a new application has been granted access permissions, when a new user has been added to a mail tenant, and when users are assigned to an application.

While all of these events can appear legitimate, when coupled with suspicions of account compromise, internal threat, or in the wake of a phishing campaign, being able to detect these changes can help uncover malicious activity that may have otherwise gone unnoticed.

Detecting Malicious QR Code Attacks

October 30, 2023

Abnormal has updated its defense strategies and added the capability to detect QR codes in attachments and parse the links they encode. The link-based signals from the images are ingested by the Abnormal AI-native detection engine and strengthen its ability to detect malicious activity.

The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to the rise of QR code phishing attacks.

The QR code-based links are surfaced in the content analysis section within Threat Log as seen in the example below.

Email Productivity: Detection Efficacy and Delegate Management Update

August 15, 2023

Email Productivity has been enhanced by two updates to improve the effectiveness and the detection efficacy of the product:

  • Email Productivity now recognizes end user movements for mailboxes managed by delegates. The recognition of end user movements between the inbox and promotions folder allows users to personalize their preferences with regards to graymail. This update improves the effectiveness of Email Productivity at removing graymail for its most common target: executives.

  • Improved detection efficacy of graymail with the addition of a new detector that extends the signals and attributes used for detecting graymail based on message folder movements, engagement with email, and inbound statistics of mass mail. This enhancement improved detection efficacy by 15%.

Learn more about Email Productivity here.

New API Endpoints: Dashboard Metrics and Remediation History

August 9, 2023

New API endpoints allow analysts to summon dashboard metrics, like total attack count and attack type breakdown, and see the latest status of a message if the judgment changes, for example, when a seemingly safe message is submitted to Abuse Mailbox Automation and post-remediated after being judged malicious.

Email Account Takeover Protection Ingestion of Posture Events

July 31, 2023

Email Account Takeover Protection can now ingest posture events*, specifically high-impact changes to user privileges and changes to mail tenant conditional access policies. These changes can indicate an attacker attempting to establish persistence and expand the attack surface area. Ingesting these signals and aggregating them in Account Takeover Cases further aids investigation and gives security teams greater visibility into the downstream impact of account compromise.

*Requires Email Security Posture Management to use.

Email-Like Events Now Analyzed in Email Account Takeover Protection Cases

July 31, 2023

Email Account Takeover Protection cases can now aggregate collaboration app events from applications such as Slack, Zoom, and Okta*. This provides a consolidated timeline of activity across platforms to better investigate account compromise and determine with greater confidence when account takeover has occurred.

*Requires Email-Like Account Takeover Protection for Slack or Zoom.

Mail Filter Rules and Additional App Permission Changes in Email Security Posture Management

July 31, 2023

Email Security Posture Management now surfaces more configuration changes, including mail filter rule changes and additional third-party application permissions. This will trigger alerts about new and notable changes, such as when a user adjusts mail filter rules to delete all incoming messages or a third-party app is granted permission to join video calls or directly create and send email.
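To make the two kinds of change concrete, here is an added example (written for this page; it is not Abnormal's code, and the rule and consent records plus their field names are constructed assumptions that follow neither the Abnormal nor the Microsoft Graph schema) that reviews a set of inbox rules and application consent grants and returns the ones a posture review should surface: a rule that deletes every incoming message without any condition, a rule that forwards mail outside the organization, and an app holding permissions that let it read or send mail.

```python
# Simplified, constructed inbox-rule and app-consent records.  Field names are
# an assumption made for this example, not any vendor's schema.
INBOX_RULES = [
    {"owner": "alice@example.com", "name": "Newsletters",
     "conditions": {"from_contains": "news@"}, "actions": {"move_to": "Archive"}},
    {"owner": "bob@example.com", "name": ".",
     "conditions": {}, "actions": {"delete": True}},
    {"owner": "carol@example.com", "name": "Copy",
     "conditions": {}, "actions": {"forward_to": ["carol.copy@mail.example.net"]}},
]

APP_GRANTS = [
    {"app": "Calendar Helper", "scopes": ["Calendars.Read"]},
    {"app": "Mail Assistant", "scopes": ["Mail.ReadWrite", "Mail.Send"]},
]

INTERNAL_DOMAINS = {"example.com"}
# Microsoft Graph permission names that let an app read, alter or send a user's
# mail; which scopes count as high impact is a policy choice made for this example.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (owner, rule name, reason) for every rule worth surfacing."""
    findings = []
    for rule in rules:
        actions, conditions = rule["actions"], rule["conditions"]
        # No condition means the action applies to every incoming message.
        if actions.get("delete") and not conditions:
            findings.append((rule["owner"], rule["name"], "deletes every incoming message"))
        for addr in actions.get("forward_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                findings.append((rule["owner"], rule["name"],
                                 f"forwards mail outside the organization to {addr}"))
    return findings


def audit_app_grants(grants, high_impact=HIGH_IMPACT_SCOPES):
    """Return (app, sorted high-impact scopes) for apps that can read or send mail."""
    findings = []
    for grant in grants:
        risky = sorted(set(grant["scopes"]) & high_impact)
        if risky:
            findings.append((grant["app"], risky))
    return findings


if __name__ == "__main__":
    for owner, name, reason in audit_inbox_rules(INBOX_RULES):
        print(f"rule {name!r} owned by {owner}: {reason}")
    for app, scopes in audit_app_grants(APP_GRANTS):
        print(f"app {app!r} holds high-impact scopes: {', '.join(scopes)}")
```

Both checks are stateless snapshots; the value of surfacing them as events, as the passage describes, is that a reviewer sees the rule or grant at the moment it appears rather than discovering it during a later manual sweep.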

Improved Abuse Mailbox Automation Analysis Coverage for Infosec IQ Customers

May 30, 2023

Abuse Mailbox Automation has improved analysis coverage of user reported malicious emails, particularly for customers using Infosec IQ's security awareness training platform.

Announcing Email-Like Security for Slack, Zoom, and Microsoft Teams

May 8, 2023

Email-Like Messaging Security

Allows administrators to take action against malicious activity, monitoring Slack, Microsoft Teams and Zoom for messages that contain suspicious URLs and then flagging potential threats for further review. Malicious messages are surfaced regardless of whether the message is sent from an internal employee or an external contractor.

Email-Like Account Takeover Protection

Analyzes authentication activity in Slack, Teams and Zoom, alerting security teams to suspicious sign-in events—whether a user is signing in from a blocked browser, in a risky location or on a known-bad IP address. Each event is automatically flagged for immediate investigation, with single sign-on (SSO) activity from Okta and Azure Active Directory included for additional evidence.

Email-Like Security Posture Management

Gives security teams a complete view of user privilege changes in Slack, Microsoft Teams and Zoom to ensure only the appropriate users have admin rights. Email-Like Security Posture Management dynamically monitors for new changes, surfacing those that are considered high impact.

Portal Enhancements: Abnormal App Store, Deployment Overview, and Platform Integration

May 8, 2023

Abnormal has enhanced its deployment, integration, and data ingestion capabilities, making it easier than ever to integrate, ingest from, and protect additional applications, starting with Slack, Zoom, Microsoft Teams, Azure Active Directory, and Okta.

Abnormal App Store

The Abnormal App Store allows customers to browse and learn about Abnormal products, as well as initiate the purchase of Abnormal products, directly through the Portal.

Deployment Overview

The Deployment Overview allows customers to easily visualize all the data sources being ingested in the Abnormal platform, the applications being protected, and the Abnormal products they have activated in one single view.

Platform Integrations

The Platform Integrations feature allows customers to ingest data from new data sources in addition to Microsoft 365 and Google Workspace through our API integration.

Abuse Mailbox Automation Data Now Available in Existing SIEM Integrations

May 8, 2023

Abuse Mailbox Automation data is now available within our existing SIEM integrations with Splunk, SumoLogic, and IBM QRadar. This data further enhances security teams' ability to analyze user-reported email threats and send contextualized security intelligence to the SIEM.

PeopleBase and TenantBase Now Available for Google Workspace

March 8, 2023

PeopleBase and TenantBase, two of Abnormal’s newest Knowledge Bases, are now available for Google Workspace.

Similar to VendorBase, PeopleBase and TenantBase provide visibility into behavior and activities of entities within a cloud email environment. PeopleBase catalogs active users and builds dynamic profiles with behavioral data, as well as activity timelines of recent events. TenantBase provides an inventory of all email tenants within the environment and associated activities within them.

These three Knowledge Bases offer security teams increased visibility into common entry points for email platform attacks.

Introducing Security Posture Management (Generally Available)

March 1, 2023

Often, security teams have limited visibility into configuration changes across users, integrated applications, and tenants, requiring time-consuming manual investigation efforts to identify and address risks. The Security Posture Management add-on improves the risk posture of cloud email environments by surfacing and centralizing visibility into changes to user privileges, application permissions, and mail tenant conditional access policies.

Security Posture Management uses the behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to monitor for high-impact configuration changes. Once these changes are identified, teams can drill into contextual insights with a before-and-after view of each change, links to entities involved, relevant documentation, and suggested next steps.

Abnormal users can also schedule email notifications as changes occur, export to the SIEM, and denote when a change is or has been addressed via an acknowledgement workflow.

MFA Bypass Detection in Abnormal Account Takeover Protection

January 19, 2023

While properly configured multi-factor authentication (MFA) stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. Attackers are exploiting these gaps to commandeer user accounts.

To combat this, Abnormal has enhanced its Account Takeover Protection add-on, analyzing thousands of signals to detect the hallmarks of an MFA Bypass attack, whether the attack takes the form of:

  • Phishing-initiated MFA Bypass;
  • Weakening MFA Authentication;
  • Exploitation of Authorized MFA Exception; or
  • Session Reuse/Hijacking

As with all detection types in Account Takeover Protection, an Abnormal Case will then immediately be opened when MFA Bypass is detected, so threats can be identified, investigated, and quickly remediated.

Lateral Burst Detection

January 13, 2023

A key distinction of Abnormal Security’s detection is its ability to detect lateral (east-west) traffic: messages sent between employees inside their email platform.

Using this ability, Abnormal can now detect bursty patterns, that is, an anomalous number of messages being sent from an account in a short period of time. This signal will be used to help detect attacks launched from internally compromised accounts against other internal and external recipients.
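As an added illustration of the burst signal described above (example code written for this page, not Abnormal's detector; the send log is constructed), the following Python snippet runs a sliding window over each sender's outbound timestamps and reports any account whose count inside a single window reaches a threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed send log (sender, UTC timestamp); not real data.  Alice sends at a
# normal pace; Bob's account suddenly emits twelve messages in under two minutes.
_BASE = datetime(2023, 1, 13, 14, 0, 0)
SEND_EVENTS = [
    ("alice@example.com", "2023-01-13T09:00:00"),
    ("alice@example.com", "2023-01-13T09:05:00"),
    ("alice@example.com", "2023-01-13T10:30:00"),
] + [
    ("bob@example.com", (_BASE + timedelta(seconds=10 * i)).isoformat())
    for i in range(12)
]


def detect_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Sliding-window burst detector.

    For every sender, count messages inside any window of the given length and
    report senders whose peak count reaches `threshold`.  Returns
    {sender: (peak_count, iso_timestamp_of_window_start)}.
    """
    by_sender = defaultdict(list)
    for sender, ts in events:
        by_sender[sender].append(datetime.fromisoformat(ts))

    alerts = {}
    for sender, times in by_sender.items():
        times.sort()                      # events may arrive out of order
        win = deque()                     # timestamps inside the current window
        peak, peak_start = 0, None
        for t in times:
            win.append(t)
            while t - win[0] > window:    # drop timestamps that fell out of the window
                win.popleft()
            if len(win) > peak:
                peak, peak_start = len(win), win[0]
        if peak >= threshold:
            alerts[sender] = (peak, peak_start.isoformat())
    return alerts


if __name__ == "__main__":
    for sender, (count, start) in detect_bursts(SEND_EVENTS).items():
        print(f"burst: {sender} sent {count} messages in one window starting {start}")
```

The fixed threshold keeps the example short; a production detector would derive the threshold per account from its historical sending rate, so that a mailing-list owner and a user who sends three messages a day are judged against different baselines.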

Aggregate Detection Model Enhancements

December 8, 2022

Multiple enhancements that detect anomalies in the aggregate have been added to our detection model.

To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals at the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals measure how often a user sends document-sharing links and how often recipients receive links from uncommon file-sharing domains, to help identify suspicious file-sharing behavior.

As threat actors constantly shift their tactics to increase their success rate, we’ve seen image anchors weaponized to carry malicious links. The updated detection model also better identifies images correlated with these types of hidden malicious payloads.
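The sender- and recipient-level frequency signals for file-sharing domains, as an added example (written for this page, not Abnormal's model; the message stream, the list of file-sharing domains and the thresholds are constructed assumptions): the snippet walks messages in chronological order, maintains per-sender and per-recipient baselines, and flags a message when the sender has a history of practically never sharing files or when a recipient with enough history has never before received a link from that domain.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed list of hosting services to watch; extend to taste.
FILE_SHARING_DOMAINS = {"1drv.ms", "onedrive.live.com", "sharepoint.com",
                        "docusign.net", "dropbox.com"}


def sharing_domains(urls):
    """Return the watched file-sharing domains present in a list of URLs."""
    found = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for domain in FILE_SHARING_DOMAINS:
            if host == domain or host.endswith("." + domain):
                found.add(domain)
    return found


def score_messages(messages, min_history=5, rare_rate=0.05):
    """Return {message id: [reasons]} for messages with a suspicious sharing signal.

    Baselines are built from the messages seen *before* the one being scored, so
    the stream must be in chronological order.  Senders and recipients with fewer
    than `min_history` prior messages are not judged: there is no baseline yet.
    """
    sender_total, sender_sharing = Counter(), Counter()
    recipient_total = Counter()
    recipient_domains = defaultdict(Counter)   # recipient -> domain -> prior count
    findings = {}
    for msg in messages:
        sender, doms = msg["sender"], sharing_domains(msg["urls"])
        reasons = []
        if doms:
            n = sender_total[sender]
            if n >= min_history and sender_sharing[sender] / n < rare_rate:
                reasons.append(f"sender rarely shares files ({sender_sharing[sender]}/{n} prior messages)")
            for rcpt in msg["recipients"]:
                for d in doms:
                    if recipient_total[rcpt] >= min_history and recipient_domains[rcpt][d] == 0:
                        reasons.append(f"{d} never previously received by {rcpt}")
        # Update the baselines only after scoring, so a message cannot vouch for itself.
        sender_total[sender] += 1
        if doms:
            sender_sharing[sender] += 1
        for rcpt in msg["recipients"]:
            recipient_total[rcpt] += 1
            for d in doms:
                recipient_domains[rcpt][d] += 1
        if reasons:
            findings[msg["id"]] = reasons
    return findings


def _msg(i, sender, rcpt, urls=()):
    return {"id": f"m{i}", "sender": sender, "recipients": [rcpt], "urls": list(urls)}


# Constructed stream: Alice never shares files, then sends a OneDrive link;
# Carol sends DocuSign links routinely, then switches to a domain Dave has never seen.
MESSAGES = (
    [_msg(i, "alice@example.com", "bob@example.com") for i in range(1, 7)]
    + [_msg(7, "alice@example.com", "bob@example.com", ["https://1drv.ms/u/s!constructed"])]
    + [_msg(i, "carol@example.com", "dave@example.com", ["https://na3.docusign.net/Signing/x"]) for i in range(8, 14)]
    + [_msg(14, "carol@example.com", "dave@example.com", ["https://www.dropbox.com/s/constructed"])]
)

if __name__ == "__main__":
    for msg_id, reasons in score_messages(MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

Message m7 trips both signals (an unusual sender and an unusual domain for the recipient), while m14 trips only the recipient-level one; a real model would weigh such signals alongside many others rather than alerting on each in isolation.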

Hijacked Thread Detection

December 5, 2022

To assist with detecting hijacked thread attacks, Abnormal added text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. This enhancement is particularly powerful because hijacked conversations generate high engagement from email recipients based on the established trust from previous interactions with the email thread.

Introducing Security Posture Management (Beta)

November 29, 2022

The Security Posture Management add-on improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps, while eliminating the need for manual efforts, spreadsheets, or PowerShell scripts that are typically needed to perform discovery and mitigation.

Security Posture Management uses the data within behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to determine when a potentially harmful or unexpected configuration change has occurred. Armed with this knowledge, the platform monitors for high-risk configuration drifts, including privilege escalations, new third-party apps, and conditional access policy exceptions. Once these changes are identified, teams are notified and can action changes in a simple acknowledgement workflow.

New Sender IP Address and URL for Search & Respond

November 28, 2022

Search & Respond has new filters that make it faster and easier to locate email records.

You can now filter by:

  • Sender IP Address
  • URL in Body

Detection 360 Filters

November 20, 2022

Abnormal users can now quickly find submitted detection tickets in Detection 360. The new functionality enables users to filter all D360 cases by:

  • Sender - name or email address
  • Recipient - name or email address
  • Subject - title of message
  • Submitted by - name
  • Case Number - D360 Case number
  • Time - what is the necessary time span
  • Status - Resolved/Submitted
  • VIP - reports with VIPs and/or Non VIPs

To access filters, click on Investigate > Detection 360 and use the Filter By pop-up.

Multi-tenant Management

November 17, 2022

Customers can onboard and secure their new tenants faster using the new self-service multi-tenant management feature in Abnormal.

New SIEM Event Type: Audit Log

November 14, 2022

Abnormal's SIEM export schema and API functionality have both been expanded to include Abnormal Audit Logs. This added feature allows customers to ingest audit logs into their SIEM or SOAR integrations, extract relevant information, and create incident response workflows and alerts for suspicious user activity.

Introducing Knowledge Bases: AppBase, PeopleBase, TenantBase

November 14, 2022

The vendors, third-party applications, and employees that have access to data within your Microsoft 365 environment can serve as potential entry points for attackers to carry out account takeovers, privilege escalations, and third-party application abuse. Unfortunately, security teams often lack visibility into the risks to their cloud email environment, because information about the most business-critical configuration settings is scattered across multiple control panes. To help you and your team gain visibility into potential People, Application, and Tenant attack surface areas in Microsoft 365, we have added three new Knowledge Bases: TenantBase, AppBase, and PeopleBase. Each is available as a no-cost Platform capability for all Abnormal customers.

New SIEM Event Fields

November 14, 2022

Added two new fields into the threats event type in the SIEM export schema to provide more granular detail to SOC teams:

  1. attack_score - The information is currently shown in the Threat Log > Threat Log Details page.
  2. folder_locations - This information is currently shown on the Threat Log > Threat Log Details in the Remediation Options card which says where the email was found.

Detection 360 Email Notifications

November 13, 2022

In addition to tracking updates directly in your D360 portal, customers can now receive email notifications when a D360 case is resolved.

API Endpoint Enhancement for Abuse Mailbox Automation

November 9, 2022

Abnormal has added a REST API endpoint to allow developers to programmatically extract more information from Abuse Mailbox Automation.

The new GET /abuse_mailbox/not_analyzed endpoint allows customers to view a list of end-user-submitted phishing reports, that Abuse Mailbox did not analyze, with the reasons why, and any corresponding details such as reporter, reporter email, reported time, and more.

This endpoint can be used immediately by any customers who have already integrated with the Abnormal API. For integration instructions, see Abnormal REST API Integration Guide.

Abuse Mailbox Automation Now Analyzes and Surfaces Multi-forwarded Email Threads

October 24, 2022

Extraction logic in Abuse Mailbox Automation has been improved to surface reported phishing messages that arrive as multi-forwarded threads or replies.

Now, when employees submit multi-forwarded email threads to the Abuse Mailbox Automation for analysis, Abnormal will automatically triage and remediate them within seconds, adding to the 4x time savings SOC teams can achieve. The Email Summary view now includes context about forwards or replies within the message. Analysis details will show the origin of the email, i.e. “this email is the first in a thread with two replies.”

New Search and Respond Fields and Filters

October 19, 2022

Security analysts can locate specific emails more quickly with a new filter and search fields. Customers who have Email Productivity enabled can filter the search to only show Graymail messages. Additionally, customers can now use two new fields to quickly search by:

  • Message ID
  • Attachment name

Improved Spam Detection

October 13, 2022

Abnormal has enhanced Inbound Email Security's detection model by leveraging behavioral intelligence that identifies more known-good behaviors, and so better isolates the anomalies in emails that indicate spam. For example, older domains are less likely than newly registered domains to be carrying out the newer type of spam we are now filtering out of inboxes.

Inbound Email Security now filters twice the volume of spam to a hidden folder, freeing security analysts from having to triage additional user-reported spam sent to their abuse mailbox.

BERT Large Language Model (LLM)

October 11, 2022

With the addition of the BERT LLM enhancement, Abnormal's detection models can more easily determine if two emails are similar and are part of the same polymorphic email campaign targeting an organization. Additionally, these pre-trained BERT LLMs give Abnormal the ability to understand content and text and the intention of a possible attacker in a highly scalable manner.

Here's an example of the differences a word's meaning can have depending on where it sits within a sentence.

Because BERT can understand the context of word placement in text, it will return different embeddings as vectors that encapsulate the meaning of the word to detect similar spam campaigns.

Detection 360 API Endpoint

October 6, 2022

A new API endpoint lets customers fetch a list of the Detection 360° reports they have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.

Customers who have integrated with the Abnormal API can use this endpoint to extract their D360° information. For integration instructions, see the Abnormal REST API Integration Guide.

Threat Log Attachment Search

October 3, 2022

Threat Log now supports searching by attachment name, MD5, and SHA256.