Abnormal Security expands threat protection to Slack, Teams and Zoom

Cloud-based email security provider Abnormal Security has announced three new capabilities focusing on threat detection for Slack, Microsoft Teams, and Zoom.

The company — focused on protecting enterprises from targeted email attacks, such as phishing, social engineering, and business email compromise — is also adding data ingestion from new sources to better its AI model, which maps user identity behavior.

“Abnormal’s platform uses an anomaly detection engine that ingests and correlates 45,000 plus behavioral signals from email platforms (Microsoft 365, Google Workplace), EDR platforms (CrowdStrike), authentication platforms (Okta), and email-like applications such as Slack, Microsoft Teams, and Zoom,” said Evan Reiser, chief executive officer at Abnormal Security. “Signals include sign-in events, geo-location, compromised identities, and communication patterns in messaging.”

The new capabilities are included as add-on products to the Abnormal Inbound Email Security offering and are generally available at launch.

Abnormal now secures three new cloud communication services

Abnormal has introduced three new products designed to detect suspicious messages, remediate compromised accounts, and provide insights into security posture across three cloud communication applications — Slack, Microsoft Teams, and Zoom.

The products include “Email-like messaging security”, “Email-like account takeover protection”, and “Email-like security posture management.”

Email-like messaging security allows administrators to monitor and take action against suspicious activities in Slack, Teams, and Zoom, by scanning messages for suspicious URLs and flagging potential threats for further review. This support covers messages sent from internal employees as well as external contractors.

Email-like account takeover protection will analyze authentication activity in Slack, Teams, and Zoom, alerting security teams to suspicious sign-in events, including sign-ins from a blocked browser, from a risky location, or from a known bad IP address.

Each event is automatically flagged for immediate investigation, with single sign-on activity from Okta and Azure Active Directory included for additional evidence.

Email-like security posture management provides a central view of user privilege changes in Slack, Microsoft Teams, and Zoom to ensure only the appropriate users have admin rights.

“We have been seeing a growing level of concern about email-like phishing and data breach attacks in channels beyond email,” said Michael Sampson, senior analyst at Osterman Research. “Monitoring additional platforms extends the protections that users have come to rely on which is ensuring email is a safe environment for work. With threat actors pivoting their attacks to extend into new channels, failing to ensure equivalent protections is short-sighted.”

Alongside new products, Abnormal has added new data ingestion capabilities available at no cost that will collect signals from CrowdStrike, Okta, Slack, Teams, and Zoom.

“Combining discrete small signals of potential compromise into higher level situations with unified visibility reduces the disconnected noise that is easy for security analysts to overlook. It gives security analysts early warnings of potential problems,” Sampson said.

The core technology is an AI capability

Abnormal Inbound Email Security is the company’s core offering, leveraging a cloud-native API architecture that helps the platform integrate with cloud email platforms, EDR, authentication services, and cloud collaboration applications via API.

This allows Abnormal to ingest a huge number of useful signals that help identify suspicious activities across users and tenants.

“Advanced AI and ML models, including natural language processing and natural language understanding leverage these signals to baseline user behavior and better understand identity and relationships across the organization,” Reiser said. “By understanding what is normal for each employee, vendor, application, and email tenant, Abnormal can detect and prevent the malicious and unwanted emails or email-like messages that bypass traditional solutions.”

While scanning suspicious URLs and domains for phishes, the AI model tries to detect if a link is using too many redirects when clicked, the identity of the redirecting service providers, whether the eventual landing page presents webform indicators potentially attempting to steal information, age and Alexa ranking of the domain used, and the reputation of the registrar.