Deep Dive Into the Abnormal Platform
Gabriel Rebane, Group Technical Marketing Manager
Enterprises have moved to cloud email for business reasons, such as flexibility for every employee to access email from anywhere on any device, integration capabilities with third-party applications, and more. Modern threat actors are becoming increasingly skilled at bypassing traditional email security solutions with sophisticated attack methods. To combat this, Abnormal Inbound Email Security pairs advanced behavioral science with risk-adaptive detection to stop the full spectrum of attacks. Additionally, we are proactively expanding the Abnormal solution with a variety of product add-ons to improve detection efficacy and stay one step ahead of cybercriminals.
In this demonstration, I’ll show you how Inbound Email Security detects and remediates malicious emails and how Abnormal stops advanced business email compromise attacks. We will also dive into Account Takeover, Abuse Mailbox Automation, Email Productivity, and more! Abnormal’s cloud-native, API-based approach allows us to integrate with your cloud email tenant in minutes, with no interruption to email delivery and no policy or rule changes. All inspection and scanning are performed in memory, and Abnormal stores email header information only when a malicious email is detected.
Abnormal ingests thousands of signals from your cloud email environment and uses behavioral analytics to build a baseline for every internal and external identity that interacts with your email platform. Through the Abnormal Portal, security teams can access several dashboards that provide insights and trending data across each product and add-on: a breakdown of recent detections, attack trends, the number of reported phishing emails, how many hours were saved with Email Productivity, and much more. For now, let's focus on Attack Trends. As soon as you log in to the Abnormal Portal, these dashboards give you insight into recent detections and attack trends, the different strategies used, the origin of attacks, the most impersonated entities (covering both your employees and your vendors), which employees have received the most attacks, and more.
Focusing on trending attacks, you can see the full breadth of attack types bypassing your existing security solutions and reaching your end users' inboxes. These solutions typically rely on heuristics and pattern-based detection, and they are no longer sufficient to address the onslaught of advanced attacks, like invoice fraud, user or vendor impersonation, internal account compromise, and the many different socially engineered attacks used by threat actors. To demonstrate this, let’s dive into a couple of anonymized examples taken from actual customer environments. The Threat Log gives security teams access to every malicious email flagged by our behavioral technology. Here we have an email from a Known Partner, Prolia Systems, and this message was flagged by Abnormal as a vendor takeover. Abnormal analyzes thousands of signals and identifies anomalies that deviate from the known baseline. In this example, Abnormal observed an unusual geo-location, identified a Reply-To address change, and found that the email contained a financial request to update account information.
We can also see that the message was automatically remediated, eliminating the possibility of engagement from its recipients. Analyzing the actual email, we see that the attacker hijacked an existing email thread to take advantage of Renee West. The solution uses natural language processing to extract topics, sentiments, and entities from each email. In this case, it is a Financial Request trying to convey a sense of urgency. Using computer vision, the solution extracts what is normal and what is unusual in attachments. For this email, the attachment contains bank information never observed before for Prolia Systems. Our sender analysis shows that the message passed all email authentication checks, which supports our analysis of a vendor takeover rather than a spoofed sender. And we can see an unusual geo-location and IP address never observed before for Prolia Systems. Using context and behavioral information, Abnormal creates a relationship graph between the sender, recipient, and organization. All of the vendor information is then consolidated in a knowledge base called VendorBase. VendorBase is a global, federated database that tracks the reputation of an organization’s vendors across all Abnormal customers, providing deeper insight and visibility into a vendor’s email activities. Abnormal automatically identifies vendors from email communication, without requiring any manual input from administrators. The risk assessment of each vendor is computed from signals related to the vendor's identity, behavior, and content, and includes reports from all Abnormal customers.
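The vendor takeover signals walked through above, as an added illustration that is not Abnormal's code: a per-vendor baseline is built from past clean messages, and a new message is scored on the three deviations the example describes (unusual geo-location, Reply-To change, financial request), with passing authentication tipping the verdict toward a hijacked account rather than spoofing. The `Message` schema, signal names, threshold and sample traffic are all constructed for this demo.

```python
# Illustrative example, not Abnormal's code: signal names, thresholds and the
# sample vendor traffic are constructed for this demo.
from dataclasses import dataclass
@dataclass
class Message:
    sender: str        # From: address
    reply_to: str      # Reply-To: address, "" if absent
    country: str       # geolocation of the sending IP
    auth_passed: bool  # SPF, DKIM and DMARC all passed
    body: str
FINANCIAL_TERMS = ("update account", "bank", "wire", "remittance")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def build_baseline(history):
    """What is 'normal' for this vendor: countries and reply domains seen so far."""
    return {"countries": {m.country for m in history},
            "reply_domains": {domain(m.reply_to or m.sender) for m in history}}

def vendor_signals(msg, baseline):
    """List the deviations from the vendor baseline present in one message."""
    signals = []
    if msg.country not in baseline["countries"]:
        signals.append("unusual_geolocation")
    # A Reply-To on a domain the vendor never used steers the thread to the
    # attacker while From: still shows the real partner.
    if msg.reply_to and domain(msg.reply_to) not in baseline["reply_domains"]:
        signals.append("reply_to_change")
    if any(t in msg.body.lower() for t in FINANCIAL_TERMS):
        signals.append("financial_request")
    return signals

def classify(msg, baseline):
    """Anomalies on a message that passes authentication point at a hijacked
    vendor account; a spoofed sender would normally fail authentication."""
    signals = vendor_signals(msg, baseline)
    if len(signals) >= 2 and msg.auth_passed:
        return "vendor_takeover", signals
    if signals and not msg.auth_passed:
        return "vendor_impersonation", signals
    return "benign", signals

# Constructed history for a fictional vendor, then a suspicious new message.
HISTORY = [Message("ap@vendor.example", "", "US", True, "Invoice 1042 attached."),
           Message("ap@vendor.example", "", "US", True, "Invoice 1043 attached.")]
SUSPECT = Message("ap@vendor.example", "ap@vendor-billing.example", "NG", True,
                  "Urgent: please update account details to our new bank.")
if __name__ == "__main__":
    print(classify(SUSPECT, build_baseline(HISTORY)))
```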
I’ll dive into an example of a lateral or internal attack commonly associated with compromised accounts. Let’s look at how Abnormal detects this type of attack and protects the organization against it. In Abnormal Cases, I see that Renee West was flagged as a Potential Account Compromise. Abnormal identified this because it detected unusual sign-in events, a mail rule change, and an internal email sent from the account containing suspicious information. The case timeline gives detailed information on the activities detected by Abnormal that together indicate a potentially compromised account. Abnormal analyzed sign-in signals and detected an impossible travel event (sign-ins from locations too far apart to travel between in the time elapsed), a mail rule change to the end user's inbox, and internal communication sent from the compromised account. These signals are invisible to traditional security solutions, and the detection is only possible because of Abnormal’s API-based approach. Security teams have access to the internal message sent from the compromised account and the analysis performed by Abnormal. The message had an invoice from a never-before-seen vendor, and it contained metadata associated with a free online invoice generator known to be used in fraud.
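The case timeline described above, as an added example rather than Abnormal's code: sign-in, mailbox-rule and outbound-mail events for one account are correlated, with impossible travel computed from the implied speed between consecutive sign-ins, and a case is opened only when several independent signals coincide. The event schema, the 900 km/h plausibility threshold and the sample timeline are constructed for this demo.

```python
# Illustrative example, not Abnormal's code: the event schema, the speed
# threshold and the sample activity below are constructed for this demo.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900  # roughly airline speed; faster implies two different actors

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(signins):
    """Flag consecutive sign-ins whose implied speed exceeds the threshold."""
    hits = []
    ordered = sorted(signins, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        km = haversine_km(prev["geo"], cur["geo"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            hits.append((prev["city"], cur["city"], round(km / hours)))
    return hits

def build_case(user, events):
    """Correlate one account's events into a case; no single signal is enough,
    but several independent ones together indicate compromise."""
    signals = []
    if impossible_travel([e for e in events if e["type"] == "signin"]):
        signals.append("impossible_travel")
    # New inbox rules right after an anomalous sign-in are a classic sign that
    # someone other than the owner is now managing the mailbox.
    if any(e["type"] == "mail_rule_change" for e in events):
        signals.append("mail_rule_change")
    if any(e["type"] == "internal_email" and e.get("new_vendor_invoice") for e in events):
        signals.append("suspicious_internal_email")
    verdict = "potential_account_compromise" if len(signals) >= 2 else "monitor"
    return {"user": user, "verdict": verdict, "signals": signals}

# Constructed activity timeline for a fictional account.
EVENTS = [
    {"type": "signin", "time": datetime(2023, 3, 1, 9, 0), "city": "Chicago", "geo": (41.88, -87.63)},
    {"type": "signin", "time": datetime(2023, 3, 1, 11, 30), "city": "Lagos", "geo": (6.52, 3.38)},
    {"type": "mail_rule_change", "time": datetime(2023, 3, 1, 11, 35), "rule": "new inbox rule created"},
    {"type": "internal_email", "time": datetime(2023, 3, 1, 12, 10), "new_vendor_invoice": True},
]

if __name__ == "__main__":
    print(build_case("user@corp.example", EVENTS))
```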
What makes this type of attack extremely dangerous is that Josh and Zachary have no reason to suspect this email. Not only is it coming from their boss’s email account, but the threat actor, having access to Renee’s account, has found and attached existing business process documents for executing a wire transfer. Because this message was flagged as malicious by Abnormal, it was automatically remediated and deleted from the recipients’ inboxes, eliminating the possibility of engagement and further damage to the organization.
With an average of 90% of reported messages deemed safe, Abuse Mailbox Automation streamlines operations for user-reported phishing emails. The solution automatically triages, remediates, and responds to end users, eliminating manual processes and helping your security team focus on the problems that matter most. The solution integrates with your existing reporting process, whether a phishing mailbox or a report-phishing button. Security teams can personalize the follow-up messages to user-reported emails using an intuitive and flexible UI. Once Abuse Mailbox identifies the reported email as malicious, safe, or spam, it automatically reports the outcome of the analysis back to the end user, improving the employee experience and encouraging phishing-reporting behavior.
Abnormal Email Productivity for Microsoft 365 uses advanced behavioral AI, natural language processing models, and thousands of detection signals to identify time-wasting graymail messages. When Abnormal categorizes a message as graymail, it automatically moves it to a promotions folder, eliminating the clutter and noise from users’ inboxes and making them more productive. The Email Productivity solution provides analytics and insights on how graymail impacts your users and their productivity. The dashboard displays graymail volume trends, which employees receive the highest volume of graymail, which vendors send the most, and the amount of time saved by keeping distracting graymail messages out of users’ inboxes.
The open nature of cloud email platforms, coupled with the hundreds, if not thousands, of integrated applications and users across crowded mail tenants, increases the likelihood of misconfigured security policies or improperly managed app permissions and user privileges. These create new entry and exit points for attackers to carry out what we define as “email platform attacks,” new attacks that expand the cloud email threat landscape well beyond the inbox.
To provide better visibility into the potential risks associated with these new entry and exit points, Abnormal consolidates core insights for people, applications, and cloud email tenants into PeopleBase, AppBase, and TenantBase, and operationalizes this data by surfacing high-impact changes to these entities through Security Posture Management. AppBase builds an inventory of all third-party applications that integrate directly into your M365 environment and surfaces a collection of attributes with key posture events, providing an in-depth understanding of each application. With PeopleBase, security teams have a searchable database of every identity in their environment that summarizes behavior and identity patterns and provides a timeline of posture events for each individual. Like PeopleBase and AppBase, TenantBase organizes information about the email tenants protected by Abnormal Security and consolidates monitored events into a single location. From the activity timeline, security teams can quickly navigate between the different knowledge bases to collect additional information about a specific identity, application, or tenant.
Abnormal’s Security Posture Management add-on module proactively improves the posture of cloud email environments by helping security teams increase their risk visibility and act on configuration gaps. The solution continuously monitors for configuration drift that could open up new entry points to your email platform. With one click, security teams can see the context of a change, make a side-by-side comparison of “old vs. new,” and get insights on the associated risks. Security teams are no longer required to track each posture change manually. A built-in workflow helps analysts track which changes are still pending review and which ones are complete. This simplifies the review process and creates an audit record of all monitored changes.
Want to know more? Request your personalized demo today.