Use Case: Lateral Phishing

See how Abnormal finds and blocks lateral phishing attacks emanating from compromised internal accounts.

Video Transcript

Let's take a look at how Abnormal is able to uniquely detect malicious internal-to-internal emails coming from compromised users.

In this case, our user Renee West has had her account become compromised, and the threat actor is leveraging this account to send out an internal email to two recipients. In this case, the request is to get a wire transfer sent out and prepared for immediate release.

Traditional security solutions are going to have a difficult time detecting this email because, for one, secure email gateways natively do not even scan internal-to-internal email. And secondly, if we look at this email, there's nothing from a sender reputation, threat intelligence, or even a sandboxing perspective that would detect this.

From a sender reputation perspective, this is an internal user leveraging a legitimate account. And from a threat intelligence and sandboxing perspective, we see our URLs are benign, legitimate URLs. And the attachment that we see here is just a purely text-based XLS file. This is a cash transfer request form and a PDF—again purely text-based. This is that wire transfer invoice that should be paid out.

So how was Abnormal able to uniquely detect this attack? Well, we saw some signs of Renee's account being compromised. We saw a too-fast-to-travel login from Hong Kong and beyond that, we saw that she had never actually sent emails from Hong Kong in the past. We also saw a mail filter rule being created. Threat actors will commonly create these mail filter rules so that the real Renee West would not go and look through her Sent folder and see the suspicious activity taking place.

Next, looking at the behavior, out of all these vendors that we're tracking via VendorBase, none have ever matched the name Orion Limited that we're seeing in the cash transfer and payment request form. Lastly, looking at the content of this email, we've seen a ton of invoices being delivered via email, but none have had this banking name and routing number and none have ever been used via this

So Abnormal was able to accurately detect this as an internal invoice/payment fraud. Here Abnormal would've actively remediated this before a user ever had access to this email.

Want to know more? Request your personalized demo today.
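
The account-takeover signals described in the transcript (a too-fast-to-travel login, a location never seen for the user, and a mail filter rule created soon afterwards) can be correlated as in this added example. It is not Abnormal's code or part of the video; the event fields, thresholds, baseline and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900                      # assumed ceiling: roughly airliner speed
RULE_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed baseline and events; field names are hypothetical.
KNOWN_CITIES = {"renee.west": {"Chicago"}, "sam.lee": {"Chicago"}}
EVENTS = [
    {"time": "2023-05-01T09:00:00", "user": "renee.west", "type": "login",
     "city": "Chicago", "geo": (41.88, -87.63)},
    {"time": "2023-05-01T09:05:00", "user": "sam.lee", "type": "login",
     "city": "Chicago", "geo": (41.88, -87.63)},
    {"time": "2023-05-01T11:30:00", "user": "renee.west", "type": "login",
     "city": "Hong Kong", "geo": (22.32, 114.17)},
    {"time": "2023-05-01T11:42:00", "user": "renee.west", "type": "inbox_rule_created"},
    {"time": "2023-05-01T15:00:00", "user": "sam.lee", "type": "inbox_rule_created"},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_accounts(events, known_cities):
    """Return {user: [signals]} for accounts showing takeover signals."""
    findings, last_login, suspicious_at = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "login":
            prev = last_login.get(user)
            if prev:
                # Floor the gap at one second so simultaneous logins still score.
                hours = max((t - prev[0]).total_seconds(), 1) / 3600
                if haversine_km(prev[1], ev["geo"]) / hours > MAX_KMH:
                    findings.setdefault(user, []).append("impossible_travel")
                    suspicious_at[user] = t
            if ev["city"] not in known_cities.get(user, set()):
                findings.setdefault(user, []).append("new_location")
                suspicious_at[user] = t
            last_login[user] = (t, ev["geo"])
        elif ev["type"] == "inbox_rule_created":
            # A rule alone is routine; it matters right after a suspicious login.
            seen = suspicious_at.get(user)
            if seen and t - seen <= RULE_WINDOW:
                findings.setdefault(user, []).append("rule_after_suspicious_login")
    return findings

if __name__ == "__main__":
    print(score_accounts(EVENTS, KNOWN_CITIES))
```

The second constructed user creates a mail rule with no preceding suspicious login and is not flagged, which is why the rule signal is scored only in combination.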
