Abnormal can uniquely identify and block lateral phishing attacks from compromised internal accounts, and stop account takeovers from causing additional harm inside the organization.
This is an email from Renne West, an employee in our fictional organization. Unlike impersonation attacks, this message is coming from Renne’s legitimate email account to two internal recipients requesting payment of an invoice.
This message is difficult for secure email gateways to detect because, natively, SEGs do not scan internal-to-internal communication. Additionally, there are no sender-reputation, threat-intelligence, or sandboxing indicators that would help flag this message as malicious. To make matters worse, the attackers found legitimate details from previous invoice payments in the existing email thread and reference them in the attack.
So how was Abnormal able to detect this type of attack?
Our API integration with the email platform gives us access to signals invisible to secure email gateways. Sign-in information across different locations helps to detect an impossible-travel (too-fast-to-travel) event from a login in Hong Kong, and of the thousands of emails Renne has sent, none originated from this location, making this even more suspicious.
We also observed that a new mail filter rule was created to hide incoming messages. Threat actors typically create mail filter rules to hide their communication from the legitimate user of the account. The solution also identifies every entity that communicates with the organization, which puts Abnormal in a unique position to identify suspicious communication involving a never-before-seen vendor.
Using natural language processing to extract signals from email content, Abnormal identified that this message involved a financial request using an urgent tone. Given all of these signals, Abnormal flagged this message as malicious and automatically remediated it. At the same time, our Email Account Takeover Protection add-on automatically identified the compromised account and alerted the SOC team with the capability to auto-remediate compromised accounts.
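To make the signal correlation described above concrete, here is an added example, not Abnormal's code and not taken from the narration: a small Python script that runs the same four checks (impossible travel between sign-ins, a sending location outside the user's baseline, a newly created inbox rule that hides mail, and a financial request in an urgent tone) over constructed sample events. The event shapes, the 900 km/h speed threshold, and the keyword lists are assumptions; the inbox-rule event mirrors Exchange's New-InboxRule parameter names, but the log format itself is hypothetical.

```python
"""Toy correlation of account-takeover and lateral-phishing signals (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# --- Constructed sample telemetry (hypothetical, not real logs) --------------
USER = "renne.west@example.com"

# Sign-in events as an identity provider or mailbox audit log might expose them.
SIGNIN_EVENTS = [
    {"user": USER, "ts": "2024-03-04T08:02:00Z", "city": "Denver", "lat": 39.74, "lon": -104.99},
    {"user": USER, "ts": "2024-03-04T09:15:00Z", "city": "Hong Kong", "lat": 22.32, "lon": 114.17},
]

# Cities this user has previously sent mail from (the historical sending baseline).
SENDING_BASELINE = {USER: {"Denver", "Chicago"}}

# Mailbox audit event for a newly created inbox rule (parameter names follow New-InboxRule).
RULE_EVENTS = [
    {"user": USER, "ts": "2024-03-04T09:20:00Z", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "RSS Subscriptions", "MarkAsRead": True,
                "SubjectContainsWords": ["invoice", "payment"]}},
]

# The lateral phishing message sent from the legitimate internal account.
MESSAGE = {
    "sender": USER,
    "recipients": ["ap@example.com", "cfo@example.com"],
    "subject": "RE: Invoice - payment needed today",
    "body": "Please wire the outstanding balance to the account below as soon as possible; "
            "this is urgent and must be settled before end of day.",
}

# --- Identity signals ---------------------------------------------------------
def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive sign-ins whose implied speed exceeds a plausible airliner (assumed 900 km/h)."""
    hits = []
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        speed = dist / hours if hours > 0 else float("inf")  # simultaneous distant logins count too
        if dist > 50 and speed > max_speed_kmh:
            hits.append({"from": prev["city"], "to": cur["city"], "speed_kmh": round(speed)})
    return hits

def unseen_sending_location(event, baseline) -> bool:
    """True when the sign-in city never appeared in the user's mail-sending history."""
    return event["city"] not in baseline.get(event["user"], set())

# Rule parameters that make mail disappear from the owner's view.
HIDING_PARAMS = {"MoveToFolder", "DeleteMessage", "SoftDeleteMessage", "MarkAsRead"}

def is_hiding_rule(rule) -> bool:
    if rule["operation"] not in {"New-InboxRule", "Set-InboxRule"}:
        return False
    return any(rule["params"].get(p) for p in HIDING_PARAMS)

# --- Content signals (keyword stand-in for the NLP step) ---------------------
FINANCIAL_TERMS = ("invoice", "wire", "payment", "bank account", "outstanding balance")
URGENCY_TERMS = ("urgent", "as soon as possible", "today", "end of day", "immediately")

def content_signals(message) -> dict:
    text = (message["subject"] + " " + message["body"]).lower()
    return {
        "financial_request": any(t in text for t in FINANCIAL_TERMS),
        "urgent_tone": any(t in text for t in URGENCY_TERMS),
    }

# --- Correlation --------------------------------------------------------------
def assess(message, signins, rules, baseline) -> dict:
    user = message["sender"]
    user_signins = [e for e in signins if e["user"] == user]
    signals = {
        "impossible_travel": impossible_travel(user_signins),
        "unseen_location": [e["city"] for e in user_signins if unseen_sending_location(e, baseline)],
        "hiding_rule": [r["operation"] for r in rules if r["user"] == user and is_hiding_rule(r)],
        **content_signals(message),
    }
    # Neither family of signals is conclusive alone: a compromised session (travel or
    # hiding rule) combined with an urgent payment request is what gets flagged.
    identity_risk = bool(signals["impossible_travel"]) or bool(signals["hiding_rule"])
    content_risk = signals["financial_request"] and signals["urgent_tone"]
    signals["verdict"] = "malicious" if identity_risk and content_risk else "benign"
    return signals

if __name__ == "__main__":
    print(assess(MESSAGE, SIGNIN_EVENTS, RULE_EVENTS, SENDING_BASELINE))
```

The verdict deliberately requires both an identity-side signal and a content-side signal, which is why a benign lunch invitation from the same account, or an urgent invoice from an account with normal sign-in history, is not flagged by this toy logic; a real system would weight many more signals rather than apply a hard AND.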