Use Case: Lateral Phishing

Watch the video to see how Abnormal blocks attacks sent from compromised internal accounts.

Let's take a look at how Abnormal is able to uniquely detect malicious internal-to-internal emails coming from compromised users.

In this case, our user Renee West has had her account become compromised, and the threat actor is leveraging this account to send out an internal email to two recipients. In this case, the request is to get a wire transfer sent out and prepared for immediate release.

Traditional security solutions are going to have a difficult time detecting this email because, for one, secure email gateways natively do not even scan internal-to-internal email. And secondly, if we look at this email, there's nothing from a sender reputation, threat intelligence, or even a sandboxing perspective that would detect this.

From a sender reputation perspective, this is an internal user leveraging a legitimate account. And from a threat intelligence and sandboxing perspective, we see our URLs are benign, legitimate URLs. And the attachment that we see here is just a purely text-based XLS file. This is a cash transfer request form and a PDF—again purely text-based. This is that wire transfer invoice that should be paid out.

So how was Abnormal able to uniquely detect this attack? Well, we saw some signs of Renee's account being compromised. We saw a too-fast-to-travel login from Hong Kong and beyond that, we saw that she had never actually sent emails from Hong Kong in the past. We also saw a mail filter rule being created. Threat actors will commonly create these mail filter rules so that the real Renee West would not go and look through her Sent folder and see the suspicious activity taking place.

Next, looking at the behavior, out of all these vendors that we're tracking via VendorBase, none have ever matched the name Orion Limited that we're seeing in the cash transfer and payment request form. Lastly, looking at the content of this email, we've seen a ton of invoices being delivered via email, but none have had this banking name and routing number and none have ever been used via this invoicegenerator.com.

So Abnormal was able to accurately detect this as an internal invoice/payment fraud. Here Abnormal would've actively remediated this before a user ever had access to this email.

Want to know more? Request your personalized demo today.