You can now mark Safe messages as Spam directly from the AI Security Mailbox for more accurate message classification and improved threat reporting.
To use this feature:
Select a Safe message in AI Security Mailbox
Click ‘Spam’ → Remediate
The message will be marked as Spam across the portal
This update gives security teams greater control over how reported messages are categorized.
Abnormal’s behavioral AI now protects Microsoft Teams messages in EU environments, detecting malicious links in both chats and channels with the same precision it brings to email.
All flagged messages surface in the Threat Log, giving your team a unified view across communication channels and accelerating response times.
Note: Available only on StratOS. Not supported on Gyre.
Learn more about our Microsoft Teams Messagings Security here.
You now have enhanced control over URL Rewriting deployment by enabling the feature for specific user groups instead of applying it tenant-wide.
To use this feature:
Note: This feature is currently available for M365 only. Google Workspace is not supported at this time.
You can now add images or logos to the header or footer of your GenAI responses in AI Security Mailbox. This enhancement supports branding requirements and helps end users identify legitimate emails.
To add an image:
Navigate to Step 1: Configure your AI Security Analyst and select Insert Images
Upload your desired image or logo
Preview the result in Step 3: Deploy to Your Security Mailbox
Note: Images can only be placed in the header or footer due to the dynamic nature of GenAI responses.
Several new features will be enabled to all Inbound Email Security customers on a rolling basis the week of May 12. These features include:
These features are intended to increase efficiency and streamline user workflows, while continuing to offer visibility for Abnormal users.
You can now upload a .CSV file to contribute misclassification feedback.
To upload a file:
AI Phishing Coach (New Add-On Module)
Security awareness training gets an AI overhaul. AI Phishing Coach is a fully autonomous, agentic security awareness training platform delivering hyper-personalized phishing simulations based on real attacks, just-in-time generative AI coaching when employees report or fail a simulation, and AI-generated video training content tailored to your organization.
AI Data Analyst (Free for All Customers)
Meet your always-on AI analyst. This new generative AI agent is easily asked through the “Reports” section of our Portal, allowing you to ask questions like “What were our top threats this quarter?” or “How many phishing attacks did we stop last month?” and quickly receive executive-ready reports and clear security insights bespoke to your organization.
Three Core Platform Upgrades (Free for All Customers)
False positives that follow repeat patterns create repeat work. With Automated Repeat False Positive Prevention, you can now provide targeted feedback when reporting false positives to automatically prevent similar alerts from recurring.
When marking an ATO case as "Incorrect Detection" or "Undetermined Cause," you'll now see options to safelist specific indicators of compromise (IOCs) associated with that user. These options include:
Location: Safelist activity from specific countries or, for US activity, specific states
IP Address: Safelist specific IP addresses for known legitimate access points
VPN Usage: Safelist VPN connections for users who legitimately require them
Each safelist is applied at the user level for a period of several months to prevent alert recurrence while maintaining security. This customization is particularly valuable for organizations with global workforces or unique access patterns that might otherwise trigger false positives
In the rare instance that an employee does interact with a phishing email and falls victim to an account compromise, ATO now helps surface those emails directly in the Case timeline—highlighting up to five messages that likely contributed to the breach.
This enhancement provides deeper context for investigations, giving security teams a clearer understanding of how access was gained and when. It also helps uncover potential patterns that may indicate a larger campaign targeting other employees.
We’ve made two changes to the GenAI responses configuration page to make it easier to customize your GenAI email responses for AI Security Mailbox.
Subject Line Variables Now Visible in the UI
You can now customize your GenAI email subject lines using supported variables—clearly displayed in the UI. Just click and choose from the “Available Variables” provided.
AI Disclaimer Now Customizable
The disclaimer at the bottom of GenAI emails is now editable—with one key requirement: the line “This and the following content is powered by AI” is required and fixed. Everything else is fully editable (up to 500 characters) and text updates auto-save when customers click out of the box.
Investigating account compromise requires a precise understanding of attacker behaviors and tactics. With GenAI Case Summaries, you now get a clear, plain-language explanation of every ATO Case—automatically.
Out with the old descriptions that could often lack clarity of language and in with the new, AI-powered paradigm. Each Case includes a concise headline detailing attacker activity, a bulleted summary of tactics and key signals used in determining compromise, and user-specific context highlighting how this pattern of activity deviates from typical user behaviors.
Whether it’s high, medium, or low confidence, the summary helps you understand what happened and why it matters—fast.
There’s nothing to enable—GenAI Case Summaries are available in the portal today, so you can start making sense of suspicious activity without the guesswork.
Adopting new technology can feel like a leap, but we’ve made it seamless with our phased rollout for GenAI auto-responses. What’s changed?
You can now enable GenAI auto-responses for up to 50 users, giving you the opportunity to test, familiarize yourself with the functionality, and meet change control requirements before transitioning your entire organization. This intentional subsetting approach ensures a smooth rollout and helps build confidence in the power of GenAI responses.
Ready to take the first step toward full-scale adoption? With Abnormal’s AI Security Mailbox settings, enabling GenAI Responses for select users has never been easier.
We’ve introduced a powerful new filter for Account Takeover Protection Cases: the ability to sort by trigger signal.
This feature allows you to quickly organize and prioritize Cases based on the specific attack tactic detected. It’s designed to help you better respond to threats and identify Cases of compromise that may be part of the same attack, building on recent updates to filtering and search capabilities for even greater precision in managing account takeover risks.
When an account is compromised, there is no time to waste. Knowing this, we have evolved the listview in our Account Takeover Protection solution from a simple log to a dynamic incident queue. What does this mean?
To help quickly sort for the most critical identity incidents, the list view will now highlight high and medium confidence cases by default and allow you to filter the listview by Remediation status.
Additionally, Account Takeover Protection’s search functionality now allows for partial search terms rather than exact match, making it easier to find and investigate specific Cases.
New tactics like session hijacking have made it easier than ever for attackers to compromise cloud email accounts, and Abnormal’s Core Account Takeover solution has long been effective at stopping such threats in Microsoft environments.
While Abnormal could detect compromised users in Google Workspace, it lacked the ability to remediate those accounts—a key step in the response process.
Today, we are pleased to announce the release of identity remediation for Google Workspace. Abnormal customers can now:
Automatically suspend Google access and force password resets for high-severity account takeover incidents.
Block account access with a single click through PeopleBase for users who appear suspicious but haven’t been confirmed as compromised over the course of typical threat-hunting activities.
According to Okta, 34% of authentication traffic is malicious. Alarmingly, attackers are targeting Okta with highly sophisticated tactics and with increasing frequency.
Abnormal has been detecting suspicious and compromised users in Okta for two years, helping hundreds of customers gain greater visibility into threats to their cloud identities. Today, we are excited to announce Okta identity remediation to bolster threat hunting and streamline incident response.
Abnormal customers using the Okta API key integration can now:
Automatically suspend Okta access and force password resets for high-severity account takeover incidents.
Block account access with a single click through PeopleBase for users who appear suspicious but haven’t been confirmed as compromised over the course of typical threat-hunting activities.
When it comes to graymail, every organization is different and requires unique configurations. Abnormal has enhanced its Email Productivity solution to reflect this requirement.
Abnormal has introduced self-service configuration to give organizations (and end users) greater control over their inboxes and the graymail that often clutters it. These new self-service options allow you to:
Configure between modes: Passive mode allows you to specify an AD or Google Group that will use Email Productivity and Active mode enables for all email end users but allows you to specify exclusions
Grant or revoke the ability of end-users to create graymail safelists or blocklists
In the rare instance that Abnormal misses an attack, most customers use Search & Respond to remediate and mark that email as a miss. The typical next step was to submit a separate ticket to Detection360 to report a False Negative to train and enhance Abnormal’s AI models.
Abnormal has now eliminated this extra step while expanding the value of Search & Respond for not only hunting stray emails but strengthening the Abnormal product. Starting today, any email marked as a “missed attack” in Search & Respond will give the option to automatically create a Detection360 case, instantly enriching the bespoke AI detection models developed for each customer.
With multiple IT and Security teams and functions within a single organization using Abnormal—and often various subsidiaries with Abnormal sub-tenants managed by the parent organization—it is required that user management privileges be available to users beyond Portal administrators. In order to assign User Management capabilities to Custom Role users we have introduced two new permissions in a new User Management section:
Now, when a new custom role, non-admin user is created in Abnormal, administrators will have the option to grant user management privileges for a Portal feature or set of features—extending user provisioning and permissioning power but still maintaining appropriate access controls and adherence to organizational compliance requirements.
PeopleBase and Account Takeover Protection now support the import and analysis of guest users across your connected mail, identity, and SaaS tenants, surfacing Notable Events that deviate from those users’ behavioral baselines—bolstering discovery and investigation of third-party threats to your cloud environment.
Quickly determine when a third-party user has administrative access to a critical platform and enhance your threat hunting with deep behavioral insights.
Abnormal has added a new native integration with Rapid7 InsightIDR. The integration helps customers streamline threat analysis, reporting, and compliance needs by sending a variety of log events from Abnormal, including Email Threats, Account Takeover Activity, Abuse Mailbox Events, Audit Log Events, and Security Posture Management Events.
As Abnormal continues to fortify cloud identity protections, the next step is enhancing threat hunting workflows and ongoing investigations.
While Abnormal can automate the hunt for compromised users with Account Takeover Protection, there are many reasons why a Microsoft 365 account should be disabled or user access revoked that do not fall into the realm of identity takeover by an external attacker (a known malicious insider or user who had left the organization but somehow maintained access, for instance).
Now, directly through a user’s PeopleBase entry, all customers have the ability to manually suspend Microsoft 365 access:
Revoking active sessions
Disabling user accounts
Forcing password resets
When an employee reports an email as a phishing email, AI Security Mailbox leverages the AI detection engine to inspect and judge that message. If GenAI Responses are enabled, the AI Security Analyst will then respond to the reporter letting them know the classification of the reported message. Customers can now configure the AI Security Analyst to attach analyzed safe messages to the initial GenAI response email, allowing the reporter to interact with the determined safe email.
Google Workspace does not support configuring labels (folders) that are inaccessible to end-users. This includes the Trash label, which Abnormal currently remediates malicious emails to. Google customers can opt-in to a feature that remediates malicious messages to an inaccessible location by purging the initial email and storing a copy of it in internal data sources in case it needs to be restored.
When Abnormal processes messages, we perform a set of sender authentication checks based on the protocols SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). The results of these checks are displayed on the Email Details Page. Customers can now access this information as a new field in the Email Threats event type, allowing for ingestion into their SIEM integrations to extract relevant information to create incident response workflows. All this will be possible without having to manually access the Portal.
Customers can already view Audit Logs in the Abnormal Portal and access data through our SIEM export events, but this information has historically not been available through our REST API.
We are excited to expand our API functionality to include Abnormal Audit Logs. With this new Audit Log REST API endpoint, customers can ingest Abnormal Portal audit logs through the REST API and extract relevant information to create incident response workflows and alerts of suspicious user activity. All this will be possible without having to access audit logs in the Portal manually.
Continuing the trend of new enhancements for Security Posture Management, status updates are now available for each posture change. While this may sound like a minor enhancement, this is an answer to a major customer need as Security Posture Management now allows security teams to coordinate a response to risky posture changes and ensure the entire team is appropriately notified of progress.
Security teams can now track investigatory and remediation processes by labeling each risky posture change as:
“Needs review” for new or unread events
“In progress” if the team is currently investigating the change
“Acknowledged (resolved)” when a change has been corrected
“Acknowledged (not important)” for a change that was deemed to not be a risk
Further, any changes noted as “Acknowledged (not important)” will serve to enrich Abnormal’s AI models, refining future detections.
An in-portal view of customer Success Criteria provides continuous insight into the value customers derive from the Abnormal platform. Using this feature, you can now communicate to us the value you derive from the Abnormal platform, grade what is most important to your organization, evaluate current performance, and leave any notes.
Success Criteria: Portal admins can consider and capture how important each value statement is for your organization, and evaluate Abnormal’s current performance.
Feedback: Portal admins can share feedback based on success criteria evaluation with their Abnormal team.
In-Portal User Experience: Portal admins receive a personalized, in-product experience that represents the unique value of their Abnormal investment.
AI Security Mailbox is a transformational AI upgrade to our former Abuse Mailbox Automation product. AI Security Mailbox leverages AI to automatically triage, remediate, and respond to user-reported phishing emails to enhance security operations and improve security awareness.
AI Security Mailbox has two distinct but related AI capabilities:
Personal AI Cyber Assistant for Every Employee
AI Security Mailbox introduces a new way to respond to reporters of phishing emails with more detailed and insightful responses. Customers can quickly enable GenAI Responses and configure the AI Security Analyst with a custom name and instructions. Customers can also chat with the AI Security Analyst to see how it performs based on the custom instructions provided. Once the configuration is complete, the AI Security Mailbox will respond with the classification of the reported message and provide additional context to educate the reporter.
If employees have a follow-up question about the reported email or another security-related topic they can reply to the response message with their question and receive a prompt response in their inbox.
AI Coworker for the Security Operations Team
AI Security Mailbox leverages AI to autonomously inspect and judge every reported phishing email and automatically bulk remediate unreported malicious and spam messages in the same campaign. All of the messages analyzed by AI Security Mailbox are collated into a single dashboard for customers, providing better reporting and measurement of the effectiveness of the security mailbox.
AI Security Mailbox will be generally available on July 1. Any existing customer of Abuse Mailbox Automation will automatically receive a free upgrade to AI Security Mailbox at that time. For more information, read the AI Security Mailbox announcement blog.
ThreatIntelBase surfaces and aggregates behaviorally derived cross-customer and cross-platform threat intelligence to improve threat hunting and incident response efforts, streamlining SOC processes.
This intelligence is designed to provide critical insights related to unexpected or known bad IP addresses. You can query ThreatIntelBase for an IP address to view an Abnormal threat report, which includes: IoC metadata, associated APTs, common attacks, behavioral patterns, and any malicious activity within a customer’s environment or Abnormal’s federated network.
Knowledge Bases share Abnormal’s understanding of a company’s people, tenants, vendors, and applications.
SPM has been refreshed with several enhancements to help SOC teams more easily triage events for review, understand the significance of changes, and coordinate their response.
Portal users now have a way to enforce least privileged access to users and apps without disrupting business processes by auditing their current environment for unused applications that are still integrated with sensitive permissions or user accounts.
To accomplish this, the directory view can be filtered across the following key columns:
Risk Level
Actor
Event Type (added, changed, deleted)
Posture Category
Acknowledged
Additionally, SPM event details now show an explanation for why a change is deemed High Risk, along with suggested next steps for remediation. Portal users who are responding to an SPM notification can:
Pivot directly to the new event.
Quickly understand why Abnormal detected this anomalous or risky change.
Act on Abnormal’s recommended next steps.
Custom RBAC roles are now available, replacing the Per-Product Admin option. The update allows for more granular per-tenant permission controls to be set: to allow no access, read-only, or read+write access. No action is needed: Any roles using Per-Product Admin were automatically updated to Custom Roles persisting the same permission settings you previously designated.
In addition, customers using SPM will be able to specify which specific user accounts are allowed to:
This is the first application to implement Abnormal’s new RBAC platform, which is designed to improve the Abnormal user experience and meet customer needs. Additional access control options will continue to be added to various features based on customer feedback.
Abnormal has added a new native integration with Google Chronicle. The integration allows customers to ingest a variety of different log events provided by Abnormal, such as Email Threats, Account Takeover Activity, Abuse Mailbox Events, Audit Log Events, and Security Posture Management Events.
Abuse Mailbox Automation customers can now configure templated auto-response messages for user-reported phishing emails that Abnormal determines to be phishing simulations.
The new “Phishing Simulation Response” category will strengthen security awareness and promote healthy reporting habits by automatically closing the feedback loop to reporters of phishing simulation campaigns.
Regular Expression (Regex) is widely-used for leveraged across programming and security for its strengths in finding patterns in text.
Abnormal’s Search and Respond now supports Regex for Sender Email Address and Recipient Email Address searches. This enhancement will help you investigate or remediate messages with greater ease by finding more accurate results.
Click the “Use Recipient/Sender Regex” button in Search and Respond to try it. The update is being rolled out from March 4-7, 2024.
Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. To combat this threat, Abnormal released a QR code detector which works in tandem with behavioral AI to detect and remediate emails containing a malicious QR code.
Customers can now filter Threat Log to view all attacks remediated by the QR code detector. This enhancement provides valuable insights into the frequency of QR code attacks and allows for a more targeted analysis of security threats.
In this latest enhancement of Abnormal Email Account Takeover Protection, Abnormal Cases have been enriched with contextual insights detailing why an event triggered a case and which signals helped determine that event was suspicious. Abnormal Cases will now highlight how frequently a user (and in certain cases, the company itself) was associated with analyzed signals such as IP addresses, ISPs, browsers, locations, etc.
Additionally, Cases will now be assigned a Confidence Score: A High score requires immediate attention, a Medium score indicates a “potential risk” that should be investigated, and a Low score is attributed to notable or suspicious events that may be unusual but are not anomalous enough to label as an urgent threat.
To reduce noise, Cases in the Account Takeover Protection list view will be segmented based on confidence to give immediate visibility into the highest priority Cases, while still providing quick access to the other suspicious user cases that are not considered active account takeovers.
Employees waste nearly two business days per year sorting through promotional emails. Legacy approaches to filtering this graymail often result in increased user frustration and more IT support tickets.
Email Productivity is now available to Google Customers. Email Productivity deploys natural language processing (NLP) and machine learning (ML) models to detect and automatically remove time-wasting graymail from employee inboxes. Email Productivity customers also receive access to the graymail dashboard which shows trends in daily volume, most targeted users/executives, and top graymail senders, plus the amount of time your employees are saving.
When deployed in a Google environment, Email Productivity will automatically remove promotional messages from the inbox and place them into a graymail label in Gmail. This results in measurable time savings and removes the need for end-user digest emails and quarantine portals.
Security analysts can now trigger or enhance their XDR workflows with email events, user-reported phishing emails, and vendor events detected by Abnormal Security. This allows security teams to surface, enhance, correlate, and automatically take actions on signals from the Abnormal platform.
Many recent, high-profile attacks have involved MFA bypass tactics such as session hijacking or MFA Fatigue. Attackers wanting to maintain a foothold in a compromised account will often bypass or manipulate MFA then socially engineer their way into registering a new MFA device.
To help detect and combat these tactics, we have added new signals to our Account Takeover Protection solution. Abnormal can now detect suspicious device registration that could indicate an attacker has manipulated the account and may be attempting to establish persistence.
Email Account Takeover Protection Cases have been upgraded, delivering greater explainability and key insights into each anomalous event related to a potentially compromised user.
This includes:
The past few years have seen the rise of consent phishing attacks—that is, those email attacks that implore a recipient to grant OAuth access to a malicious application.
To combat this, Email Security Posture Management will now surface when a new application has been granted access permissions, when a new user has been added to a mail tenant, and when users are assigned to an application.
While all of these events can appear legitimate, when coupled with suspicions of account compromise, internal threat, or in the wake of a phishing campaign, being able to detect these changes can help uncover malicious activity that may have otherwise gone unnoticed.
Abnormal has updated its defense strategies and added the capability to detect QR codes and parse links from them in attachments. The link-based signals from the images are ingested by the Abnormal AI-native detection engine and strengthens its ability to detect malicious activity.
The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to the rise of QR code phishing attacks.
The QR code-based links are surfaced in the content analysis section within Threat Log as seen in the example below.
Read this blog to learn more about our malicious QR code detection.
Email Productivity has been enhanced by two updates to improve the effectiveness and the detection efficacy of the product:
Email Productivity now recognizes end user movements for mailboxes managed by delegates. The recognition of end user movements between the inbox and promotions folder allows users to personalize their preferences with regards to graymail. This update improves the effectiveness of Email Productivity at removing graymail for its most common target– executives.
Improved detection efficacy of graymail with the addition of a new detector that extends the signals and attributes used for detecting graymail based on message folder movements, engagement with email, and inbound statistics of mass mail. This enhancement improved detection efficacy by 15%.
Learn more about Email Productivity here.
New API endpoints allow analysts to summon dashboard metrics, like total attack count and attack type breakdown, and see the latest status of a message if the judgment changes, for example, when a seemingly safe message is submitted to Abuse Mailbox Automation and post-remediated after being judged malicious.
Email Account Takeover Protection can now ingest posture events*—specifically high-impact changes to user privileges and when a user changed mail tenant conditional access policies. These changes can indicate an attacker attempting to establish persistence and expand the attack surface area. Ingesting these signals and aggregating them in Account Takeover Cases further aids investigation and gives security teams greater visibility into the downstream impact of account compromise.
*Requires Email Security Posture Management to use.
Email Account Takeover Protection cases can now aggregate collaboration app events from applications such as Slack, Zoom, and Okta*. This provides a consolidated timeline of activity across platforms to better investigate account compromise and determine with greater confidence when account takeover has occurred.
*Requires Email-Like Account Takeover Protection for Slack or Zoom.
Email Security Posture Management now surfaces more configuration changes, including mail rule filter changes and additional third-party application permissions. This will trigger alerts about new and notable changes like, for example, when a user adjusts mail filter rules to delete all incoming messages or a third-party app is granted permission to join video calls or directly create and send email.
Abuse Mailbox Automation has improved analysis coverage of user reported malicious emails, particularly for customers using Infosec IQ's security awareness training platform.
Allows administrators to take action against malicious activity, monitoring Slack, Microsoft Teams and Zoom for messages that contain suspicious URLs and then flagging potential threats for further review. Malicious messages are surfaced regardless of whether the message is sent from an internal employee or an external contractor.
Analyzes authentication activity in Slack, Teams and Zoom, alerting security teams to suspicious sign-in events—whether a user is signing in from a blocked browser, in a risky location or on a known-bad IP address. Each event is automatically flagged for immediate investigation, with single sign-on (SSO) activity from Okta and Azure Active Directory included for additional evidence.
Gives security teams a complete view of user privilege changes in Slack, Microsoft Teams and Zoom to ensure only the appropriate users have admin rights. Email-Like Security Posture Management dynamically monitors for new changes, surfacing those that are considered high impact.
Abnormal has enhanced its deployment, integration, and data ingestion capabilities, making it easier than ever to integrate, ingest from, and protect additional applications, starting with Slack, Zoom, Microsoft Teams, Azure Active Directory, and Okta.
The Abnormal App Store allows customers to browse and learn about Abnormal products, as well as initiate the purchase of Abnormal products, directly through the Portal.
The Deployment Overview allows customers to easily visualize all the data sources being ingested in the Abnormal platform, the applications being protected, and the Abnormal products they have activated in one single view.
The Platform Integrations feature allows customers to ingest data from new data sources in addition to Microsoft 365 and Google Workspace through our API integration.
Abuse Mailbox Automation data is now available within our existing SIEM integrations with Splunk, SumoLogic, and IBM QRadar. This data further enhances security teams' ability to analyze user-reported email threats and send contextualized security intelligence to the SIEM.
PeopleBase and TenantBase, two of Abnormal’s newest Knowledge Bases, are now available for Google Workspace.
Similar to VendorBase, PeopleBase and TenantBase provide visibility into behavior and activities of entities within a cloud email environment. PeopleBase catalogs active users and builds dynamic profiles with behavioral data, as well as activity timelines of recent events. TenantBase provides an inventory of all email tenants within the environment and associated activities within them.
These three Knowledge Bases offer security teams increased visibility into common entry points for email platform attacks.
Often, security teams have limited visibility into configuration changes across users, integrated applications, and tenants, requiring time-consuming manual investigation efforts to identify and address risks. The Security Posture Management add-on improves the risk posture of cloud email environments by surfacing and centralizing visibility into changes to user privileges, application permissions, and mail tenant conditional access policies.
Security Posture Management uses the behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to monitor for high-impact configuration changes. Once these changes are identified, teams can drill into contextual insights with a before-and-after view of each change, links to entities involved, relevant documentation, and suggested next steps.
Abnormal users can also schedule email notifications as changes occur, export to the SIEM, and denote when a change is or has been addressed via an acknowledgement workflow.
While properly configured multi-factor authentication (MFA) stops the majority of authentication/authorization attacks, simple misconfigurations or user missteps can lead to catastrophe. Attackers are exploiting these gaps to commandeer user accounts.
To combat this, Abnormal has enhanced its Account Takeover Protection add-on, analyzing thousands of signals to detect the hallmarks of an MFA Bypass attack, whether the attack takes the form of:
As with all detection types in Account Takeover Protection, an Abnormal Case will then immediately be opened when MFA Bypass is detected, so threats can be identified, investigated, and quickly remediated.
A key distinction of Abnormal Security’s detection is its ability to detect lateral east-west traffic, messages that are sent between employees inside of their email platform.
Using this ability,
Abnormal can now detect bursty patterns of an anomalous number of messages being sent from an account in short periods of time. This signal will be used to help detect attacks coming from internally compromised accounts to others internally and externally.
Multiple enhancements that detect anomalies in the aggregate have been added to our detection model.
To better detect malicious use of third-party hosting services like OneDrive and DocuSign, Abnormal added aggregate signals on the sender and recipient level for file-sharing domains. Using frequency metrics, the new aggregate signals detect how often a user sends document-sharing links and how often recipients receive uncommon file-sharing domains to help identify suspicious file-sharing behavior.
As threat actors are constantly shifting that tactics to increase their success rate, we’ve seen the use of image anchors weaponized to contain malicious links. The updated detection model also better identifies images correlated with these types of hidden malicious payloads.
To assist with detecting hijacked thread attacks, Abnormal added text-based attributes that analyze email message body and headers to better identify malicious messages containing unrelated conversations. This enhancement is particularly powerful because hijacked conversations generate high engagement from email recipients based on the established trust from previous interactions with the email thread.
The Security Posture Management add-on improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps, while eliminating the need for manual efforts, spreadsheets, or PowerShell scripts that are typically needed to perform discovery and mitigation.
Security Posture Management uses the data within behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to determine when a potentially harmful or unexpected configuration change has occurred. Armed with this knowledge, the platform monitors for high-risk configuration drifts, including privilege escalations, new third-party apps, and conditional access policy exceptions. Once these changes are identified, teams are notified and can action changes in a simple acknowledgement workflow.
Search & Respond has new filters that make it faster and easier to locate email records.
You can now filter by:
Abnormal users can now quickly find submitted detection tickets in Detection 360. The new functionality enables users to filter all D360 cases by:
To access filters, click on Investigate > Detection 360 and use the Filter By pop-up.
Customers can onboard and secure their new tenants faster using the new self-service multi-tenant management feature in Abnormal.
Expansion of both Abnormal's SIEM export schema and API functionality to include Abnormal Audit Logs. This added feature allows customers to ingest audit logs into their SIEM or SOAR integrations, extract relevant information, and create incident response workflows and alerts for suspicious user activity.
The vendors, third-party applications, and employees that have access to data within your Microsoft 365 environment can serve as potential entry points for attackers to carry out account takeovers, privilege escalations, and third-party application abuse. Unfortunately, security teams often lack visibility into the risks to their cloud email environment, because information about the most business-critical configuration settings is scattered across multiple control panes. To help you and your team gain visibility to potential People, Application, and Tenant attack surface areas in Microsoft 365, we have added three new Knowledge Bases: TenantBase, AppBase, and PeopleBase. Each are available as no-cost Platform capabilities for all Abnormal customers.
Added two new fields into the threats event type in the SIEM export schema to provide more granular detail to SOC teams:
In addition to tracking updates directly in your D360 portal, customers can now receive email notifications when a D360 case is resolved.
Abnormal has added a REST API endpoint to allow developers to programmatically extract more information from Abuse Mailbox Automation.
The new GET /abuse_mailbox/not_analyzed endpoint allows customers to view a list of end-user-submitted phishing reports, that Abuse Mailbox did not analyze, with the reasons why, and any corresponding details such as reporter, reporter email, reported time, and more.
This endpoint can be used immediately by any customers who have already integrated with the Abnormal API. For integration instructions, see Abnormal REST API Integration Guide.
Improved extraction logic in Abuse Mailbox Automation to surface multi-forwarded and reply phishing reported messages.
Now, when employees submit multi-forwarded email threads to the Abuse Mailbox Automation for analysis, Abnormal will automatically triage and remediate them within seconds, adding to the 4x time savings SOC teams can achieve. The Email Summary view now includes context about forwards or replies within the message. Analysis details will show the origin of the email, i.e. “this email is the first in a thread with two replies.”
Security analysts can locate specific emails more quickly with a new filter and search fields. Customers who have Email Productivity enabled can filter the search to only show Graymail messages. Additionally, customers can now use two new fields to quickly search by:
Abnormal has enhanced Inbound Email Security's detection model by leveraging behavioral intelligence that identifies more known-good behaviors to identify anomalies in emails that indicate spam. For example, older domains are less likely than young domains to be carrying out this newer type of spam we are now filtering out of inboxes.
Inbound Email security now filters twice the volume of spam to a hidden folder, freeing security analysts from having to triage additional user-reported spam reported to their abuse mailbox.
With the addition of the BERT LLM enhancement, Abnormal's detection models can more easily determine if two emails are similar and are part of the same polymorphic email campaign targeting an organization. Additionally, these pre-trained BERT LLMs give Abnormal the ability to understand content and text and the intention of a possible attacker in a highly scalable manner.
Here's an example of the differences a word's meaning can have depending on where it sits within a sentence.
Because BERT can understand the context of word placement in text, it will return different embeddings as vectors that encapsulate the meaning of the word to detect similar spam campaigns.
New API endpoint for customers to fetch a list of Detection 360° reports that they have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.
Customers who have integrated with the Abnormal API can use this endpoint to extract their D360° information. For integration instructions, see the Abnormal REST API Integration Guide.
Threat log now supports the ability to search for attachment name, MD5, and SHA256.
