Use Case: Vendor Email Compromise

Learn how Abnormal blocks attack emails originating from compromised vendors in your supply chain.
Watch the video to see how Abnormal detects compromised vendors and blocks emails from those accounts.

Video Transcript

Let's take a look at a more advanced attack. This is going to be an example of vendor compromise being leveraged to commit invoice fraud. In this case, we see that Prolia Systems is a trusted vendor of our organization, enterprise[.]com, and Lucia's account has actually become compromised by a threat actor. This threat actor was then able to find a previous thread of communications with our user, Renee West, and latch on with a new communication there, hijacking this thread and attempting to get some payment information changed so that the next payment of the invoice is sent to the threat actor's bank account.

Since this is legitimately coming from this proliasystems[.]com domain, it is going to pass all the traditional sender authentication methods like SPF, DKIM, and DMARC. We can also take a look and see that there were no links in this email. However, there was one attachment, but the attachment was a simple PDF with some banking information. There is nothing from a threat intelligence or sandboxing perspective that would ever detect this as malicious.

So how is Abnormal able to uniquely detect this attack as being malicious?

Well, first of all, looking at the identity, we identify a possible vendor compromise. Out of over 1,300 emails we've previously seen from Prolia, none have originated from the Netherlands. Looking at the behavior we see in this sensitive conversation, the reply-to address has been changed to this lookalike domain. This is very common, as they are trying to take the conversation offline. And lastly, looking at the content analysis, we see there is a suspicious financial request. We can see that in deeper detail here with our text analysis: this financial request carries urgent language and time sensitivity around it.

Based on all these indicators and many, many more, we were able to detect this email as being malicious. We would automatically remediate it so it's never accessible to the end user.

Just to give deeper details on exactly how we detected this email and how we're able to uniquely detect it, you may notice one thing in common with all these threat indicators: they all reference our vendor Prolia Systems. Our deep knowledge of each customer's vendor ecosystem is thanks to our unique Knowledge Base called VendorBase™.

VendorBase is a globally federated database of vendors that do business with Abnormal customers, and it allows us to track the reputation of an organization's vendors. You can think of this really as a crowdsourced threat intelligence database specific to Abnormal customers. Essentially, if we see a compromised account sending malicious emails to one organization, all Abnormal customers will gain insights from that detection and judge emails from that vendor with a higher level of scrutiny.
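The transcript names three indicators that fired on the hijacked thread: mail from a vendor domain arriving from a country never seen in that vendor's history, a reply-to header moved to a lookalike domain, and an urgent financial request in the text. The following is an added example (not Abnormal's code or VendorBase) of how those three checks can be expressed as simple detection logic; the vendor baseline, the keyword lists, the lookalike heuristic and the sample message are all constructed for illustration.

```python
import re

# Constructed vendor baseline (countries seen in prior mail from the vendor domain);
# the transcript's real baseline covered 1,300+ emails, these values are made up.
VENDOR_BASELINE = {"proliasystems.com": {"countries": {"US", "CA"}, "seen": 1300}}
URGENCY = re.compile(r"\b(urgent|immediately|today|as soon as possible|deadline)\b", re.I)
FINANCIAL = re.compile(r"\b(bank|account|invoice|payment|wire|routing|beneficiary)\b", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_dom, replyto_dom):
    """Different domain that collapses to the sender's after dropping hyphens/digits, or is within 2 edits."""
    if sender_dom == replyto_dom:
        return False
    collapse = lambda d: re.sub(r"[-\d]", "", d)
    return collapse(sender_dom) == collapse(replyto_dom) or levenshtein(sender_dom, replyto_dom) <= 2

def assess(msg):
    """Return the indicators that fire for a parsed message (dict of headers/body)."""
    sender_dom, indicators = domain(msg["from"]), []
    base = VENDOR_BASELINE.get(sender_dom)
    if base and msg["origin_country"] not in base["countries"]:
        indicators.append(f"{sender_dom} never seen from {msg['origin_country']} in {base['seen']} prior emails")
    reply_dom = domain(msg.get("reply_to") or msg["from"])
    if is_lookalike(sender_dom, reply_dom):
        indicators.append(f"reply-to moved to lookalike domain {reply_dom}")
    text = msg["subject"] + " " + msg["body"]
    if FINANCIAL.search(text) and URGENCY.search(text):
        indicators.append("urgent financial request in message text")
    return indicators

# Constructed message modelled on the transcript's scenario; addresses and text are illustrative.
SAMPLE = {"from": "lucia@proliasystems.com", "reply_to": "lucia@prolia-systems.com",
          "origin_country": "NL", "subject": "RE: Invoice 4471",
          "body": "Our bank account has changed, please update the payment details today."}

if __name__ == "__main__":
    for indicator in assess(SAMPLE):
        print("-", indicator)
```

Each indicator alone is weak (vendors do travel, and invoices are routinely urgent); the point the transcript makes is that the combination, judged against a per-vendor history, is what separates this thread from the vendor's normal mail.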
