Your SaaS Apps Are Already Telling You When Identity Attacks Succeed
Identity attack breadcrumbs are sitting in the inbox, but nothing is checking for them.
May 29, 2026

Picture this: Someone signs into Okta. The identity provider flags it, forces step-up authentication. For most attacks, that's enough. But the attacks that get through don't stop at the sign-in—and for those, the identity provider goes quiet.
The Five Minutes After
One of our Design Partners (customers we work with closely to shape new products) witnessed this firsthand: someone signs in to Okta with an unusual pattern. Five minutes later, Workday sends a notification email that direct deposit details were changed.
The identity tool saw the sign-in, Workday saw the payroll change, but neither talked to the other. The SOC analyst reviewing the Okta alert had no indication the attacker had already moved into Workday and modified financial data. Meanwhile, payroll fraud was happening and the signal chain was sitting in the inbox the entire time.
Notification Emails as Threat Intelligence
SaaS apps broadcast activity through notification emails: Workday flags direct deposit changes, Salesforce flags export permission changes. These are simple user notifications, but they are also a log of post-authentication activity that no identity tool is reading.

Abnormal already processes every email in an organization, and PeopleBase maintains a behavioral profile for every identity—who touches what systems, when, and how often. When a Workday notification arrives for someone who's never modified payroll data, minutes after a flagged Okta sign-in, those signals are correlated and contextualized. The sign-in alone was ambiguous. The notification email made it definitive. The data was always there—arriving in a channel no one thought to treat as telemetry.
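One way to express the correlation described above, as an added example that is not Abnormal's code: a flagged sign-in is joined to an authenticated SaaS notification for the same user when the action is new for that identity. The sender domains, subject phrases, 15-minute window, baseline set and all sample data are constructed assumptions, and the DKIM check assumes the receiving gateway strips forged Authentication-Results headers from inbound mail.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical rules: (sender domain, subject phrase) -> sensitive action.
RULES = {("workday.example", "direct deposit"): "payroll_change",
         ("salesforce.example", "export permission"): "export_permission_change"}
WINDOW = timedelta(minutes=15)  # assumed correlation window

def classify(raw):
    """Return (recipient, action, time) for a trusted SaaS notification, else None."""
    msg = message_from_string(raw)
    # The From header is spoofable, so only accept mail the gateway marked DKIM-passing.
    if "dkim=pass" not in msg.get("Authentication-Results", ""):
        return None
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    for (rule_domain, phrase), action in RULES.items():
        if domain == rule_domain and phrase in subject:
            rcpt = parseaddr(msg["To"])[1].lower()
            return rcpt, action, parsedate_to_datetime(msg["Date"])
    return None

def correlate(flagged_signins, raw_emails, baseline):
    """Alert when an action new to the identity follows a flagged sign-in within WINDOW."""
    alerts = []
    for raw in raw_emails:
        hit = classify(raw)
        if hit is None or hit[:2] in baseline:
            continue  # untrusted or irrelevant mail, or routine for this identity
        user, action, when = hit
        for s_user, s_time in flagged_signins:
            if s_user == user and timedelta(0) <= when - s_time <= WINDOW:
                alerts.append((user, action, int((when - s_time).total_seconds())))
    return alerts

def mail(frm, to, date, subject, auth="dkim=pass"):
    """Build a constructed notification message with the headers classify() reads."""
    return (f"Authentication-Results: mx.corp.example; {auth}\nFrom: {frm}\n"
            f"To: {to}\nDate: {date}\nSubject: {subject}\n\nbody\n")

# Constructed sample data: one flagged sign-in, one identity with payroll history.
SIGNINS = [("ana@corp.example", datetime(2026, 5, 1, 14, 0, tzinfo=timezone.utc))]
BASELINE = {("raj@corp.example", "payroll_change")}
WD, SUBJ = "no-reply@workday.example", "Your direct deposit details were changed"
EMAILS = [mail(WD, "ana@corp.example", "Fri, 01 May 2026 14:05:00 +0000", SUBJ),
          mail(WD, "raj@corp.example", "Fri, 01 May 2026 14:06:00 +0000", SUBJ),
          mail(WD, "ana@corp.example", "Fri, 01 May 2026 14:07:00 +0000", SUBJ, "dkim=fail")]
print(correlate(SIGNINS, EMAILS, BASELINE))
```

Only the first message produces an alert: the second is routine for its recipient, and the third fails the authentication check, so it cannot be used to fabricate or mask a signal.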


