Attackers often use malicious URLs or attachments to steal credentials, access business information, and obtain funds.
In this example, we have a very simple request. A sender, perhaps using a compromised domain, is submitting a report to our user.
We can also see that this message contains two attachments - a basic HTML file, and a spreadsheet.
While the attachments may look benign, attackers often use a spreadsheet with macros as a means to compromise user endpoints.
When we preview the spreadsheet, we come across a message that looks like it is from Microsoft, asking the user to enable the spreadsheet's content. This actually means enabling the malicious macros concealed within the spreadsheet. If the user were to do so, the attacker could open ports, install malware, or take any other malicious action.
So how was Abnormal able to detect this type of attack?
Abnormal creates a behavior profile of every identity that interacts with your organization, and here we can see how it flagged the unusual sender.
After scanning the attachment, the solution flagged that it contained macros, a typical pattern in malware attacks. This signal alone is not enough to block the email. However, our behavioral AI also knows that the recipient has rarely received emails with this type of attachment extension, and it detected that the spreadsheet has sheets with many empty cells, again a common pattern for Excel-based attacks.
Using these and other signals, the solution concluded that this message was malicious and automatically remediated it, eliminating the possibility of engagement by the recipient.
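As an added illustration of how several weak signals combine into one verdict (a constructed toy example, not Abnormal's code or detection model), the scorer below fires the four signals named above and only remediates when a macro attachment is corroborated by behavioral signals. The thresholds, weights and the recipient history figures are assumptions.

```python
from dataclasses import dataclass

# Constructed example: thresholds and sample history are illustrative assumptions.

@dataclass
class Attachment:
    name: str
    has_macros: bool = False
    empty_cell_ratio: float = 0.0  # fraction of empty cells across all sheets

@dataclass
class RecipientHistory:
    known_sender_domains: set
    extension_counts: dict   # extension -> number of past messages carrying it
    total_messages: int

def score_message(sender_domain, attachments, history,
                  rare_threshold=0.01, empty_threshold=0.9):
    """Return the set of detection signals that fire for one message."""
    signals = set()
    if sender_domain not in history.known_sender_domains:
        signals.add("unusual_sender")
    for att in attachments:
        if not att.has_macros:
            continue
        signals.add("macro_attachment")
        ext = att.name.rsplit(".", 1)[-1].lower()
        seen = history.extension_counts.get(ext, 0)
        # Rarity is measured against this recipient's own mail history
        if seen / max(history.total_messages, 1) < rare_threshold:
            signals.add("rare_extension_for_recipient")
        if att.empty_cell_ratio >= empty_threshold:
            signals.add("mostly_empty_sheets")
    return signals

def verdict(signals):
    """Macros alone only warrant review; corroborating signals trigger remediation."""
    if "macro_attachment" in signals and len(signals) >= 3:
        return "remediate"
    return "review" if signals else "deliver"

def demo():
    # Constructed recipient history: one prior .xlsm among 500 messages
    history = RecipientHistory({"partner.example"}, {"pdf": 300, "docx": 150, "xlsm": 1}, 500)
    suspicious = [Attachment("report.html"), Attachment("report.xlsm", True, 0.95)]
    routine = [Attachment("budget.xlsm", True, 0.2)]
    return (verdict(score_message("compromised.example", suspicious, history)),
            verdict(score_message("partner.example", routine, history)))  # ('remediate', 'review')
```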