Hijacking existing email threads is a common method of leveraging compromised vendor accounts. Attacks of this type of highly successful because of the implicit trust of the emails from the vendor.
The framework that attackers use when launching email attacks starts with the Pretext. Attackers will impersonate a Brand, Internal Employee or a trusted External Partner/Vendor. In the case of a Vendor Account Compromise, the attackers will leverage a compromised vendor account to launch their attack. The delivery may contain a non-malicious attachment, but many succcessful attacks now only leverage simple requests in the email body.
Abnormal Behavior Technology (ABX) is Abnormal Security’s unique triangulation of Identity, Relationship and Content. Any single analysis may not lead to a high confidence decision, but ABX’s combination of the three pillars results in high precision and accurate identification of targeted email attacks.
Abnormal builds external entity profiles with dozens of attributes. Of all the emails previously observed, emails originating from anomalous geolocations are flagged as suspicious.
Profiling of prior communications shows a prior observed relationship between the sender and recipient. However, a change in the reply-to address is commonly associated with vendor account takeover and flagged as suspicious.
Computer vision techniques analyze the attachment. Prior references to the vendor in the invoice are checked, in addition to the bank name and routing information. Natural Language Processing algorithms analyze the email content for Topic and Sentiment.
Schedule a personalized product demo to see:
Threat analytics, insights and reporting Automated Triage, Investigation and response tools Platform integrations into SIEM, SOAR …and more
