Use Case: Vendor Email Compromise

Learn how Abnormal blocks attack emails originating from compromised vendors in your supply chain.

Watch the video to see how Abnormal detects compromised vendors and blocks emails from those accounts.

Video Transcript

Let's take a look at a more advanced attack. This is going to be an example of vendor compromise being leveraged to commit invoice fraud. In this case, we see that Prolia Systems is a trusted vendor of our organization, enterprise[.]com, and Lucia's account has actually become compromised by a threat actor. This threat actor then was able to find a previous thread of communications with our user, Renee West, and latch on with a new communication there, hijacking this thread, attempting to get some payment information change so that the next payment of the invoice is sent to the threat actor's bank account.

Since this is legitimately coming from this proliasystems[.]com domain, it is going to pass all the traditional sender authentication methods like SPF, DKIM, and DMARC. We can also take a look and see that there were no links in this email. However, there was one attachment, but the attachment was a simple PDF with some banking information. There is nothing from a threat intelligence or sandboxing perspective that would ever detect this as malicious.

So how is Abnormal able to uniquely detect this attack as being malicious?

Well, first of all, looking at the identity, we identify a possible vendor compromise. Out of over 1,300 emails we've previously seen from Prolia, none have originated from the Netherlands. Looking at the behavior we see in this sensitive conversation, the reply-to address has been changed to this lookalike domain. This is very common as they are trying to take the conversation offline. And lastly, looking at the content analysis, we see there is a suspicious financial request. We can see that in deeper detail, here with our text analysis, we see this financial request with urgent language and time sensitivity around it.

Based on all these indicators and many, many more, we were able to detect this email as being malicious. We would automatically remediate it so it's never accessible to the end user.

Just to give deeper details on exactly how we detected this email and how we're able to uniquely detect it, you may notice one thing in common with all these threat indicators: they all reference our vendor Prolia Systems. Our deep knowledge of each customer's vendor ecosystem is thanks to our unique Knowledge Base called VendorBase™.

VendorBase is a globally federated database of vendors that do business with Abnormal customers, and it allows us to track the reputation of an organization's vendors. You can think of this really as a crowdsourced threat intelligence database specific to Abnormal customers. Essentially, if we see a compromised account sending malicious emails to one organization, all Abnormal customers will gain insights from that detection and judge emails from that vendor with a higher level of scrutiny.

Want to know more? Request your personalized demo today.

Use Case: Vendor Email Compromise

See Abnormal in Action

Schedule a Demo

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Resources

Abnormal Landscape
See how Abnormal is working to make the cloud a safer place for business by protecting against all types of attacks across all types of cloud applications.
Watch Now
B TAG Cyber
Download the white paper to discover how to better secure your cloud email environment and choose the right security solutions provider.
Read More
New survey reveals the latest trends shaping communication and collaboration application security.
Read More
B 1500x1500 Choice Hotels Bright Talk Demo Day L1 R1
Discover how Choice Hotels is simplifying their email security, streamlining their operations, and preventing email attacks with the highest efficacy.
Watch Now
B 05 01 23 MKT279 New Slack Data Sheet
Secure your messages and keep Slack from becoming an entry point for attackers.
Read More
B 05 02 23 MKT283 New Zoom Solution Brief
Protect your Zoom collaboration and prevent attackers from using the application to breach your business.
Read More
B Email Like SPM
Monitor high-impact changes to user privileges across collaboration apps with Email-Like Security Posture Management.
Read More
B Email Like Messaging Security
Detect malicious message content across collaboration apps with Email-Like Messaging Security.
Read More
B Email Like ATO
Detect compromised user accounts across your critical communication channels with Email-Like Account Takeover Protection.
Read More