Vendor Account

Hijacking existing email threads is a common method of leveraging compromised vendor accounts. Attacks of this type are highly successful because recipients implicitly trust emails from the vendor.

Attack Breakdown

The framework that attackers use when launching email attacks starts with the Pretext. Attackers will impersonate a Brand, Internal Employee or a trusted External Partner/Vendor. In the case of a Vendor Account Compromise, the attackers will leverage a compromised vendor account to launch their attack. The delivery may contain a non-malicious attachment, but many successful attacks now only leverage simple requests in the email body.

How Abnormal Stops Vendor Account Compromise (BEC)

Abnormal Behavior Technology (ABX) is Abnormal Security’s unique triangulation of Identity, Relationship and Content. Any single analysis may not lead to a high confidence decision, but ABX’s combination of the three pillars results in high precision and accurate identification of targeted email attacks.

  1. Abnormal Identity Model

    Abnormal builds external entity profiles with dozens of attributes. Of all the emails previously observed, emails originating from anomalous geolocations are flagged as suspicious.

  2. Abnormal Relationship Graph

    Profiling of prior communications shows a prior observed relationship between the sender and recipient. However, a change in the reply-to address is commonly associated with vendor account takeover and flagged as suspicious.

  3. Abnormal Content Analysis

    Computer vision techniques analyze the attachment. Prior references to the vendor in the invoice are checked, in addition to the bank name and routing information. Natural Language Processing algorithms analyze the email content for Topic and Sentiment.
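
The reply-to signal described under the Relationship Graph item can be approximated from mail headers alone. The following is an added example, not Abnormal's implementation or code from this page; the addresses, the sample messages and the `min_history` threshold are constructed assumptions.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hypothetical addresses), oldest first.
SAMPLE = [
    "From: Billing <ar@vendor.example>\nTo: ap@customer.example\n"
    "Subject: Invoice 1001\n\nAttached.",
    "From: Billing <ar@vendor.example>\nReply-To: ar@vendor.example\n"
    "To: ap@customer.example\nSubject: Invoice 1002\n\nAttached.",
    "From: Billing <ar@vendor.example>\nReply-To: ar@vendor-billing.example\n"
    "To: ap@customer.example\nSubject: RE: Invoice 1002\n\nNew bank details.",
    "From: New Contact <sales@other.example>\nReply-To: leads@other.example\n"
    "To: ap@customer.example\nSubject: Hello\n\nIntro.",
]

def addr(msg, header):
    """Return the bare, lower-cased address from a header ('' if absent)."""
    return parseaddr(msg.get(header, ""))[1].lower()

def find_reply_to_changes(raw_messages, min_history=2):
    """Flag mail from an established sender/recipient pair whose effective
    reply address has never been seen for that pair before."""
    # (sender, recipient) -> reply address -> number of messages seen
    history = defaultdict(lambda: defaultdict(int))
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = addr(msg, "From")
        pair = (sender, addr(msg, "To"))  # first recipient only (assumption)
        # With no Reply-To header, replies go back to the From address.
        reply_to = addr(msg, "Reply-To") or sender
        seen = history[pair]
        if sum(seen.values()) >= min_history and reply_to not in seen:
            alerts.append({"sender": sender, "reply_to": reply_to,
                           "subject": msg.get("Subject", "")})
            continue  # do not let a flagged message update the baseline
        seen[reply_to] += 1
    return alerts

if __name__ == "__main__":
    for alert in find_reply_to_changes(SAMPLE):
        print("reply-to change:", alert)
```

A sender with no prior history is never flagged by this check alone, which is why the page pairs the relationship signal with identity and content analysis.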