Release Notes
April 2021
New
- Palo Alto Networks Cortex XSOAR Integration: Abnormal has made our integration with Palo Alto Networks Cortex XSOAR, previously Demisto, generally available. Customers can now send threats and other information generated by Abnormal to Cortex XSOAR where they may have custom orchestration and automation workflows that simplify security operations or tie into other products, including EDR tools. To set up the Cortex XSOAR integration, go to the Settings link in the upper right corner of the portal. Next, navigate to the Integrations tab within the Abnormal Security Settings Page. From there, you can download the Cortex XSOAR Integration Guide that provides a brief set of steps to follow for setup.
- Recipient Engagements Threat Log Functionality: We've introduced a new feature called Recipient Engagements, which gives customers visibility into risk from employees opening, forwarding, and replying to malicious messages. Located in the Threat Log, customers can click and see information about each engagement, including what time messages were opened, who they were forwarded to, and the exact reply email sent back.
- New Abnormal Security Trust Center: Abnormal has introduced a new Trust Center that outlines our principles and practices with respect to data privacy, security, and compliance—topics we take seriously and continue to invest heavily in. The Trust Center contains content such as our Information Security Program (ISP), SOC 2, and compliance policy frameworks, which are meant to be accessible to everyone in your organization—not just lawyers or privacy experts. We plan to enhance visibility into our best practices with additional updates in the next few months. The Trust Center is located here.
- New Developer Tools and Mock Data: We've introduced the ability for developers to get mock data from all REST API endpoints. This functionality will make it easier for developers to test and verify workflows before building them out. The “mock data” string-type header parameter can be specified as True or False with a default of False for any API call. If the mock data parameter is set to True, Abnormal returns a JSON object with synthetic data in the same format as expected for the given endpoint’s response. This ability to easily access test data will enhance the developer experience by making it simpler to test workflows and debug in a lightweight way. For more information, please visit our Abnormal Security Client API documentation.
Updated
- Expanded Link Crawling Policy for Uncommon Domains: Abnormal has expanded our link crawling policies to better protect against hard-to-detect attacks. We are now crawling uncommon domains from rare senders. If a link is found to be uncommon in an email sent from someone rarely seen in a customer's environment, we intend to crawl this link and perform in-depth analysis on the result. The two signals we'll use are defined as follows:
  - Uncommon Domains: We utilize several open source intelligence tools (e.g. Alexa’s Top 1M Domains) that track the most common domains seen across the Internet. We consider domains not included in these lists as uncommon and a signal that the domain can be leveraged for malicious use.
  - Rare Senders: Using our behavioral signals, we determine if the sender is someone who is rarely seen within your environment.
- Expanded Link Crawling Policy for File Extensions: We are also expanding our link crawling policy to crawl links that have file extensions within their path (e.g. [url pattern].[file extension]). As Abnormal has improved our phishing and malware detection capabilities, we have observed an increasing number of advanced malware and phishing attacks obfuscating malicious content behind links leading to unknown websites. In order to detect these attacks and their malicious intent, we have to crawl these links to analyze the landing page or malicious file. As we expand this link crawling policy, we have also increased safeguards to prevent our systems from crawling one-time click links, such as event and calendar invites, or subscription links, in customers’ environments.
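
The two crawling rules above and the one-time-link safeguard can be read as a single decision function. The sketch below is an added illustration, not Abnormal's code: the domain list, the rarity threshold, the one-time-link keywords, and all function names are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Assumptions for illustration: a tiny stand-in for a top-domains list,
# a rarity threshold, and keywords that suggest a one-time-click link.
COMMON_DOMAINS = {"google.com", "microsoft.com", "dropbox.com"}
RARE_SENDER_MAX_SEEN = 3
ONE_TIME_MARKERS = ("unsubscribe", "subscribe", "rsvp", "invite", "calendar")

def is_uncommon_domain(host):
    """True if neither the host nor any parent domain is on the common list."""
    labels = host.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return not (candidates & COMMON_DOMAINS)

def has_file_extension(path):
    """True if the last path segment looks like name.ext (e.g. /a/doc.html)."""
    stem, ext = posixpath.splitext(posixpath.basename(path))
    return bool(stem) and 1 < len(ext) <= 6 and ext[1:].isalnum()

def is_one_time_link(parts):
    """Safeguard: skip links whose path or query suggests a single-use action."""
    haystack = (parts.path + "?" + parts.query).lower()
    return any(marker in haystack for marker in ONE_TIME_MARKERS)

def crawl_decision(url, sender_seen_count):
    """Return (should_crawl, reason) for a link found in a message."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "not-a-web-link"
    if is_one_time_link(parts):
        return False, "one-time-link-safeguard"
    if has_file_extension(parts.path):
        return True, "file-extension-in-path"
    if is_uncommon_domain(parts.hostname) and sender_seen_count < RARE_SENDER_MAX_SEEN:
        return True, "uncommon-domain-from-rare-sender"
    return False, "no-signal"

if __name__ == "__main__":
    # Constructed sample links: (url, times this sender was seen before).
    samples = [
        ("https://portal.rare-vendor.example/login", 1),
        ("https://portal.rare-vendor.example/login", 40),
        ("https://files.rare-vendor.example/docs/invoice.html", 40),
        ("https://events.rare-vendor.example/rsvp/accept.php?id=1", 0),
        ("https://docs.google.com/document/d/abc", 0),
    ]
    for url, seen in samples:
        print(crawl_decision(url, seen), url)
```

The safeguard is checked first so that a single-use link is never fetched even when it also matches a crawl rule.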
March 2021
New
- Improved Proof of Value (POV) Integration Experience: We've enhanced our Proof of Value (POV) integration experience by introducing an Integration Status page that lets potential customers track progress of our findings before displaying results. After the initial one-click API integration, Abnormal takes on average 5-7 days to create customer-specific detection models and locate retroactive email threats. In the Integration Status page, potential customers can follow the integration progression as Abnormal learns about their environment, benefiting from increased transparency and visibility in how Abnormal processes organizational data, accessing additional controls to get tenants up and running, and gaining educational content to help understand the Abnormal product during the POV period.
- New Genome Identity Analysis: Abnormal has introduced a new feature, Genome Identity Analysis, which shows each individual employee’s activity history, including sign-in locations, browsers, devices used, and more. The information represents a subset of data signals Abnormal uses to identify unusual activity in account takeover detections, and gives customers improved visibility into employee behavior. We've also added a Relevant Login Patterns section to the Employee Detail page for added visibility.
Updated
- Updated Abnormal Security Client API: Abnormal has updated the Abnormal Security Client API to allow customers to specify a start and end date and time. Existing API functionality remains unchanged and will not impact existing integrations. Customers benefit from added flexibility to integrate more easily with SOAR tools like the Palo Alto Networks XSOAR.
- Improved Explainability of Account Takeovers: We've improved our explainability of detection signals for our account takeover protection. We're now surfacing more information related to sign-ins and highlighting signals that are rare or malicious. Additionally, we now surface more information about the frequency of sign-in attributes so customers can understand the normal behaviors and patterns of employees.
- Spoof Model Improvements: Abnormal has made improvements to our understanding of the methods external attackers use to spoof messages. We are parsing more headers and stopping more attacks that use distribution lists as a way to forward and attack internally.
- Phone Scam Enhancements: We've seen an increase in messages that use a scam phone number to escalate attacks. We have improved the models and features that our system uses to catch such attacks.
February 2021
New
- New Threat Log Filter: There is a new Threat Log filter in the portal called Attack Topics, which will sort threats by predefined subjects within an email message. Customers benefit from more accurate search capabilities and increased visibility into attacks. Certain messages may contain several topics and Attack Type subjects include:
  - Cryptocurrency: Contains business insights or language related to cryptocurrency.
  - Invoices: Contains links, attachments, or language related to invoices.
  - Billing Account Update: Message requests to update billing account details.
  - COVID-19 Related Attack: Contains language pertaining to the COVID-19 pandemic.
  - Invoice Inquiry: Contains language inquiring about an invoice.
- Detection 360°: We've launched a new interface to handle missed attacks and false positives (FP/FN) called Detection 360°, which streamlines the process for submitting or reviewing these messages. Detection 360° is accessed via a tab at the top navigation in the Portal, making it easier to report and keep track of investigations. Note that the form for reporting messages is now a button called “Submit Detection Enhancements.” The new interface also provides a quick glimpse of review volume, Abnormal’s platform efficacy, and filtering of reports based on status or date.
January 2021
New
- New Internal Spoof Filter: Abnormal has improved its authentication parsing logic and anomaly detection to determine if an email is truly internal or an external email in disguise. The new filter catches more internal spoof attacks, meaning that customers will benefit from improved detection accuracy.
Updated
- Account Takeover Detection Improvements: We've made the following account takeover improvements:
  - ATO Detection Speed Improvement: Significantly improved detection speed on ATO cases for users with heavy login activity from hours to minutes.
  - Impossible Travel Model: Rolled out a higher precision impossible travel model. We expect this to improve the precision of ATO cases and ultimately to catch more attacks.
- Improved Location Risk Model: Abnormal has improved its ability to detect account takeover attacks based on malicious signals from location login behavior. This enhanced model catches 18% more attacks than previously. Customers benefit from more accurate ATO detections via the model improvement.
- Improved Google Workspace Support: Abnormal improved our ability to remediate mass mailing-list campaigns and improved onboarding support to reduce time to POV integration. Customers benefit from a lower risk of mailing-list attack campaigns residing in their email environment. New Abnormal customers also benefit from reduced time to integrate their G Suite tenant.
- Improved Splunk Integration: Abnormal added sender display name for each attack and attachment name for each attack containing an attachment payload. Customers benefit from increased visibility for each attack via Splunk integration.
- Improved Malicious Spoof Model: Abnormal has improved its ability to detect internal spoof messages with a forged sender address. This model catches an order of magnitude more internal spoofs than previous models. Customers benefit from improved detection of these types of attacks.
- Improved Attack Facet Model: Abnormal has improved its ability to correctly classify emails into different types of attacks. Customers benefit from more precise classification of payment fraud, credential phishing, gift card fraud, and more.
December 2020
New
- Privileged User Protection: Abnormal now supports privileged user protection for selected customers. Within the Threat Log tab, by selecting the ‘Recipient Group’ filter dropdown, analysts can focus on attacks specifically sent to special recipient groups such as VIPs and privileged users as defined by the customer. Customers benefit from increased monitoring control and reduced alerting time.
- Attack Highlights: We've introduced a new Attack Highlights feature that allows customers to see attacks that the system has flagged as interesting or important, directly from the Portal. These attacks refresh weekly and are intended to be a small, targeted subset of attacks seen in the Threat Log. This is especially useful for an executive audience. Additionally, customers can download the highlights as a PDF to share with others, rather than manually creating reports.
- Proofpoint TAP Integration: For Proofpoint TAP customers, we have integrated into TAP to show reports that have been ingested and processed by Abnormal, giving analysts another look at how Abnormal would handle such events.
Updated
- Improved Abuse Mailbox: We’ve updated Abuse Mailbox to include new reporting features and functionality. In the Dashboard, there is a new Abuse Mailbox tab where customers can see charts and graphs with configurable time periods for various metrics such as Phishing Emails Reported and Reporting Trends. These reports are also downloadable via PDF. New dashboard features include:
  - Phishing Emails Reported: Total number of phishing emails reported by employees and processed by Abuse Mailbox over the selected time period.
  - Abuse Mailbox Remediation: Total number of emails remediated by Abnormal over the selected time period.
  - Total Reporters: Total number of employees who reported messages to Abuse Mailbox.
- Inbound Attack Detection Improvements: We've made the following inbound attack detection improvements:
  - Weighted Ensemble Model: Focused our models to ensure we catch more advanced phishing and BEC attacks as compared to spam.
  - Credential Phishing Attacks via Attachments: We now use signals within attachments to detect credential phishing attacks.
  - Link-Parsing: Improved parsing of obfuscated links used by attackers.
- Customer Report Portal Improvements: Abnormal now sends automated email notifications when resolving a potential missed attack reported by the customer. The Customer Report Portal now supports false positive analysis in addition to missed attack analysis. Every message manually moved back to the user’s inbox will receive an in-depth analysis. This analysis will lead to detection improvements to prevent similar future misjudgments. Customers benefit from increased visibility for false positive and missed attacks, as well as increased automation for receiving Abnormal alerts.
- VendorBase Improvements: VendorBase improvements include increased vendor visibility and improved investigation experience to locate vendor impersonation attempts and potential vendor takeover incidents.
- Tenant Search Dropdown Fix: Users in Portal are now able to search their tenants within the tenant selector.
- Email Account Compromise Mail Rule Display Fix: The Email Account Compromise mail rule filter now displays a non-truncated version of the mail rule within the Abnormal Cases page.
November 2020
New
- Role-based Access Control Improvements: New UI capabilities to add users, assign user roles, and add/remove privileges for Portal Access. Customers benefit from complete self-serve control when granting Portal provisioning and increased options to ensure security and data access.
- Cross-Tenant Abuse Mailbox Support: We now support multi-tenant Abuse Mailbox setups. Customers with multiple tenants who leverage a unified phishing mailbox can set up Abuse Mailbox without altering their workflow. Abnormal can extract abuse reports regardless of their tenant origination, as well as search and remediate message campaigns across all tenants.
- VIP Notifications: We now provide the ability to send SOC team email notifications when an email attack campaign involves VIP recipients. Customers benefit from added visibility and control with proactive alerting for high-risk individuals.
- Duo Integration: Abnormal now supports the ability to integrate with Duo to monitor and detect potential suspicious account activities, such as suspicious authentication events. Customers benefit from increased account protection and reduced risks in account compromise attacks.
- Customer Best Practices Guide: We've released our Customer Best Practices Guide for post-sale customer onboarding and product walk-through. Customers can benefit from improved documentation and understanding of Abnormal platform functionalities and feature offerings.
Updated
- Safelisting Improvements: Added support for safelisting email addresses, domains, and IPs in the settings page. Customers benefit from improved control when configuring Abnormal settings.
- Abuse Mailbox Improvements: Abuse Mailbox now supports the ability to quarantine messages upon user-reporting. In addition, we can attach original reported messages as .eml attachments in end-user auto-response notifications. The result is improved control in responding to the end user and in setting up security workflows.
- General Detection Improvements: We’ve improved detection precision for targeted advanced email attacks:
  - Billing account update model improvements: Vendor fraud models now use a more sophisticated text understanding in an effort to catch more invoice fraud attacks.
  - Spam detection improvements: Increase precision of our models to catch spam.
  - Election interference themed protection: Deployed models to identify election interference emails that threatened voters.
  - Text-based tech support scam detection: Using fast-text retraining models, we are now catching more tech support scams where the body contains no malicious links or attachments, and where it has a call-to-action to call a scam phone number.
  - Internal-to-internal monitoring: Abnormal now provides support to detect internal-to-internal attacks across multiple customer tenants and flags suspicious email communications that failed to be caught by the secure email gateway.
October 2020
New
- New Facet Model to Improve Attack Type Accuracy: We've released a new facet model to improve attack facet classification, improving Attack Type accuracy by 20%. Customers can benefit from more accurate Attack Type mapping for each attack caught by Abnormal and showcased in Portal.
- Microsoft O365 Group Messages Detection and Alerting: We can now detect malicious emails that exist within a Microsoft Office 365 Group mailbox. Get an instant alert notification when a group mailbox message is found and proceed to remediate the message in your own tenant. Benefits include reduced time to detection and response, increased protection coverage, and reduced risk of attacks being interacted with in the O365 environment.
Updated
- Faster Account Compromise Detection from Legacy App Sign-Ins: We've improved account compromise detection speed for takeovers triggered by legacy app sign-ins. Customers can benefit from faster compromise detection and case alerting, as well as a reduced mean time to respond when starting the incident response workflow.
- Russian Malware Protection: New improvements to strengthen detection around stopping Russian-based attackers using Emotet trojans to drop Ryuk ransomware and BazarLoader targeting U.S.-based industries. These attacks were seen bypassing traditional secure email gateways and are embedded within cloud-based Google Docs and Microsoft Word files. Customers can benefit from lowered risk from malware/ransomware-based attacks.
- General Detection Improvements: Abnormal has shipped several detection improvements listed below. Customers can benefit from improved detection precision for BEC, impersonation, and text-based attacks.
  - Message model improvements
  - Recon detection improvements
  - Spoof model recall improvements
  - Phishing model recall improvements based on reported FN