Use Case: Vendor Email Compromise

Let's take a look at a more advanced attack. This is going to be an example of vendor compromise being leveraged to commit invoice fraud. In this case, we see that Prolia Systems is a trusted vendor of our organization, enterprise[.]com, and Lucia's account has actually become compromised by a threat actor. This threat actor then was able to find a previous thread of communications with our user, Renee West, and latch on with a new communication there, hijacking this thread, attempting to get some payment information change so that the next payment of the invoice is sent to the threat actor's bank account.

Since this is legitimately coming from this proliasystems[.]com domain, it is going to pass all the traditional sender authentication methods like SPF, DKIM, and DMARC. We can also take a look and see that there were no links in this email. However, there was one attachment, but the attachment was a simple PDF with some banking information. There is nothing from a threat intelligence or sandboxing perspective that would ever detect this as malicious.

So how is Abnormal able to uniquely detect this attack as being malicious?

Well, first of all, looking at the identity, we identify a possible vendor compromise. Out of over 1,300 emails we've previously seen from Prolia, none have originated from the Netherlands. Looking at the behavior we see in this sensitive conversation, the reply-to address has been changed to this lookalike domain. This is very common as they are trying to take the conversation offline. And lastly, looking at the content analysis, we see there is a suspicious financial request. We can see that in deeper detail, here with our text analysis, we see this financial request with urgent language and time sensitivity around it.

Based on all these indicators and many, many more, we were able to detect this email as being malicious. We would automatically remediate it so it's never accessible to the end user.

Just to give deeper details on exactly how we detected this email and how we're able to uniquely detect it, you may notice one thing in common with all these threat indicators: they all reference our vendor Prolia Systems. Our deep knowledge of each customer's vendor ecosystem is thanks to our unique Knowledge Base called VendorBase™.

VendorBase is a globally federated database of vendors that do business with Abnormal customers, and it allows us to track the reputation of an organization's vendors. You can think of this really as a crowdsourced threat intelligence database specific to Abnormal customers. Essentially, if we see a compromised account sending malicious emails to one organization, all Abnormal customers will gain insights from that detection and judge emails from that vendor with a higher level of scrutiny.