
Spoofing Be Gone: Abnormal Security Says Hasta la Vista, Baby, to Business and Vendor Email Compromise Scams

Info-Tech has a vast member network with over 30,000 accounts. I am fortunate to be able to meet a diverse global community of security professionals and learn about the problems they are trying to solve, challenges they have faced, and wars they have won along the way.

The conversation has changed in the past year with respect to security awareness training, phishing simulations, and dealing with repeat offenders. Let me explain: The training and tools we have used with some success in the past simply aren’t working today. Attackers are getting more sophisticated, and we have seen the rise of a pervasive set of attacks that are debilitating many industries. These attackers operate on the premise of fear, urgency, and context; they prey on unsuspecting users with socially engineered tactics and often carry no payloads.

Two of the most prominent attacks in this category are business email compromise (BEC) and vendor email compromise (VEC). BEC attackers target employees within an organization, tricking them into transferring money or revealing sensitive information by impersonating trusted individuals like CEOs or colleagues. VEC attackers take it a step further, posing as trusted vendors to exploit established vendor-client relationships. They leverage intimate knowledge of existing partnerships and payment structures to target financial transactions or steal data from the vendors’ customers. VEC adds an extra layer of trust and complexity, making it even more crucial to implement robust email security measures. These attacks impact organizations’ financials and supply chains. We have seen credential phishing increase 34% year over year, and VEC is at an all-time high with organizations at an 89% chance of receiving a vendor attack every week.

Abnormal Security has an answer for these attacks and can mitigate an assortment of the most common types of VEC and BEC: invoice fraud, payroll redirection, extortion, lures and tasks, gift card requests, and advance-fee fraud. It’s a long list of techniques, but that’s the climate we’re in and why traditional secure email gateways (SEGs) and Microsoft’s Exchange Online Protection (EOP) don’t cut it anymore. Employees at all levels of an organization, not just those in finance, can fall prey to email compromise.

Source: Abnormal Security, H1 2023 Email Security Trends Report

Founded in 2018 by Evan Reiser and Sanjay Jeyakumar, Abnormal Security emerged from a shared vision: tackling the burgeoning threat of advanced email attacks with automated, AI-native detection and response. Recognizing the limitations of traditional email gateways, Abnormal Security pioneered a unique AI-powered solution that goes beyond traditional sender verification and indicators of compromise (IoC) to analyze email behavior and relationships and detect anomalous activity.

Abnormal Security's rise paralleled the growing sophistication of email threats. While the company’s early years saw steady growth and customer acquisition, a pivotal moment arrived in 2020 with its Series B funding, which included investments from Greylock Partners and Menlo Ventures. This influx of capital fueled rapid expansion, allowing the company to refine its technology and attract marquee clients like ADT and Boohoo.

In 2022, Abnormal Security reached new heights, securing a massive Series C round from Greylock Partners, Insight Partners, and Menlo Ventures at a $4 billion valuation. This validation, in tandem with its success in thwarting high-profile BEC attacks, cemented its position as a leader in the cybersecurity landscape.

So how does Abnormal Security accomplish the seemingly impossible mission of stopping malicious messages that often carry no payload? While organizations today primarily rely on security awareness training as the last line of defense, Abnormal Security takes a fundamentally different approach to email security. It has created a cloud-native, API-based platform that protects email accounts and infrastructure from the full spectrum of attacks – from spam to phishing to BEC. The product is designed to be turnkey but robust. The architecture is designed to:

  • Integrate with existing systems; it can be installed in seconds with no tuning, setup, or operational overhead, and it also integrates with Active Directory and collaboration apps like Slack, Microsoft Teams, and Zoom.
  • Detect and contextualize risks by ingesting signals from email messages, Active Directory, collaboration apps, and more. This data is also used to build per-user and per-organization behavioral models.
  • Identify behavioral anomalies against known baselines to stop attacks and impersonation attempts. Because it draws on a variety of data sources, including email messages, Active Directory, and collaboration apps (unique integration), the solution can build a comprehensive picture of user behavior and identify anomalies that may indicate a compromised user account (unique data).
  • Protect the email platform across internal email, email accounts, and email infrastructure. It can also be extended to email-like collaboration channels such as Slack, Teams, and Zoom.

Source: Abnormal Security Info-Tech Briefing Deck, 2023

Something that resonated with me during my analyst demo with Abnormal was its email security posture management (ESPM). This add-on product tackles a crucial but often overlooked aspect of email security: preventing vulnerabilities within your email environment itself. It continuously monitors your cloud email platform for high-risk configuration changes, potential misconfigurations, and suspicious activities.

Below are some of ESPM’s key offerings:

  • Proactive Risk Detection: It identifies critical changes in user privileges, administrative roles, mail tenant settings, and third-party app integrations.
  • Contextual Insights: For each detected change, the platform provides a detailed before-and-after view, showing what was modified and who made the change.
  • Alerting and Response Tools: It sends immediate alerts for high-risk changes, allowing your security team to react quickly and efficiently. This contextual data can then be exported to your SIEM.
  • Continuous Monitoring: Unlike traditional security tools that rely on static configurations, ESPM continuously monitors your evolving email environment to detect configuration drift as privileges, permissions, and policies change over time.


Source: Abnormal Security Info-Tech Briefing Deck, 2023

VendorBase is a key component within Abnormal Security's cloud-based email security platform. It operates as a global, federated database collecting intelligence and vendor reputation data from all Abnormal customers. This centralized, anonymized vendor intelligence creates a rich understanding of how reputable vendors typically interact with your organization.

How VendorBase Works

  1. Global Vendor Profiling: When Abnormal Security is integrated with your email environment, it analyzes vast amounts of data from your communications with vendors. This includes:
    • Metadata: Headers, IP addresses, routing data, sending domains, and more
    • Content: Email body analysis, attachment analysis
    • Behavior: Frequency of communication, reply-to address changes, etc.
  2. Vendor Risk Assessment: VendorBase aggregates this data and applies machine learning models to determine a risk score for each vendor. Key factors influencing the score include:
    • Authenticity: Verification of correct domains, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) authentication results, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) status
    • Behavior: Detecting unusual communication patterns or deviations from established baselines
    • Threat Intelligence: Cross-referencing with external threat feeds and Abnormal's knowledge of active attack campaigns
  3. Threat Detection Enhancement: With vendor risk scores at hand, the Abnormal Security platform leverages VendorBase in the following ways:
    • BEC Protection: Identifies anomalies in established vendor communication patterns that might indicate BEC, even when the vendor's own account has been compromised
    • Supply Chain Attacks: Pinpoints suspicious emails that seem to come from trusted vendors but may not be authentic
    • Targeted Threat Protection: Prioritizes the analysis of emails from vendors deemed higher risk by VendorBase
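To make the per-vendor baselining described above concrete, here is an added illustrative model written for this note (not Abnormal's code, and not VendorBase's actual scoring): it builds a baseline per vendor from the signals the list names (sending domain, reply-to domain, SPF/DKIM/DMARC results, cadence) and scores a new message by its deviations. The vendor names, domains, weights and thresholds are constructed for illustration.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field
# Constructed message metadata carrying the per-vendor signals the page lists:
# sending domain, reply-to domain, SPF/DKIM/DMARC results and day of receipt.
Msg = namedtuple("Msg", "vendor from_domain reply_to_domain spf dkim dmarc day")

@dataclass
class Baseline:
    domains: Counter = field(default_factory=Counter)
    reply_to: Counter = field(default_factory=Counter)
    auth_pass: int = 0   # messages where SPF, DKIM and DMARC all passed
    total: int = 0
    days: list = field(default_factory=list)

def build_baselines(history):
    """Aggregate observed vendor behaviour (oldest first) into per-vendor baselines."""
    base = {}
    for m in history:
        b = base.setdefault(m.vendor, Baseline())
        b.domains[m.from_domain] += 1
        b.reply_to[m.reply_to_domain] += 1
        b.total += 1
        b.auth_pass += (m.spf, m.dkim, m.dmarc) == ("pass", "pass", "pass")
        b.days.append(m.day)
    return base

def ahead_of_cadence(day, days):
    """True when a message arrives in under a quarter of the vendor's mean interval."""
    if len(days) < 2:
        return False
    gaps = [y - x for x, y in zip(days, days[1:])]
    return day - days[-1] < sum(gaps) / len(gaps) / 4

def score(msg, base):
    """Risk 0-100 plus reasons for a new message measured against its vendor baseline."""
    b = base.get(msg.vendor)
    if b is None:
        return 50, ["no prior history with this vendor"]
    checks = [  # (points, reason, fired); weights are illustrative, not Abnormal's
        (40, "sending domain never seen for this vendor", msg.from_domain not in b.domains),
        (30, "reply-to domain deviates from baseline", msg.reply_to_domain not in b.reply_to),
        (25, "DMARC not passing although vendor always passed", msg.dmarc != "pass" and b.auth_pass == b.total),
        (10, "message far ahead of usual cadence", ahead_of_cadence(msg.day, b.days)),
    ]
    hits = [(p, r) for p, r, fired in checks if fired]
    return min(sum(p for p, _ in hits), 100), [r for _, r in hits]

# Constructed history: one vendor invoicing roughly monthly, fully authenticated.
HISTORY = [Msg("acme-supplies", "acme-supplies.example", "acme-supplies.example",
               "pass", "pass", "pass", d) for d in (1, 31, 61, 91)]
```

A message from the vendor's real domain but with a changed reply-to domain (the compromised-account case) scores on the reply-to check alone, whereas a lookalike domain that fails DMARC and arrives off-cadence trips every check.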

VendorBase doesn't wait for a known attack; it preemptively identifies vendors susceptible to BEC and flags unusual vendor behavior. It also provides contextual risk assessment: by analyzing vendor interactions in light of established relationships, it gains more insight than traditional email security tools. The federated nature of VendorBase creates a network effect of shared intelligence, benefiting all Abnormal Security customers, as evolving knowledge of vendor-related attacks informs broader protection.

Our Take

There are a number of SEG solutions that do a decent job with malware protection and phishing defense. There are very few, however, that effectively mitigate BEC/VEC the way Abnormal does. Because many organizations rely on traditional email security and training, they do not have agile, repeatable, and effective mitigation techniques against these attacks. Instead, they manually validate payment requests using two- and three-factor authentication, which often introduces considerable delays and confusion with urgent requests that could impact operations. It’s a task similar to Sisyphus rolling the giant boulder up the hill only for it to roll back down every time he nears the summit.

In the treacherous landscape of email security, Abnormal Security stands tall as a champion against the rising tide of BEC/VEC. Its unique blend of AI-powered behavioral analysis, comprehensive data integration, and proactive defense tools sets it apart, making it a leader in mitigating email compromise.

Unlike traditional solutions that solely rely on rules and signatures, Abnormal delves deeper. Its behavioral AI models dissect email patterns, relationships, and anomalies, sniffing out even the most sophisticated BEC/VEC attempts disguised as familiar senders or urgent requests. VendorBase, its global reputation database, adds another layer of protection, revealing potential red flags lurking within your supply chain.

Furthermore, Abnormal goes beyond detection. Its ESPM add-on actively strengthens your email hygiene, identifying the misconfigurations and vulnerabilities that BEC/VEC attackers exploit. This proactive approach shrinks the attack surface and leaves fewer cracks for attackers to take advantage of. Ultimately, Abnormal empowers organizations to confidently navigate the complex world of email security. Its holistic approach, backed by cutting-edge technology and continuous innovation, makes it the weapon of choice for businesses seeking to secure their inboxes and safeguard their bottom lines from the ever-evolving threat of email compromise.

With Abnormal Security as their armor, organizations gain significant confidence that their emails are in safe hands, allowing them to focus on what matters most: their core business.

Want to Know More?